What is the difference between a Session and a Cookie in ASP.net?

by

Sessions

Sessions are stored per-user in memory(or an alternative Session-State) on the server. Sessions use a cookie(session key) to tie the user to the session. This means no “sensitive” data is stored in the cookie on the users machine.

Sessions are generally used to maintain state when you navigate through a website. However, they can also be used to hold commonly accessed objects. Only if the Session-state is set to InProc, if set to another Session-State mode the object must also serializable.

Session["userName"] = "EvilBoy";

if(Session["userName"] != null)
  lblUserName.Text = Session["userName"].ToString();

Cookies

Cookies are stored per-user on the users machine. A cookie is usually just a bit of information. Cookies are usually used for simple user settings colours preferences ect. No sensitive information should ever be stored in a cookie.

You can never fully trust that a cookie has not been tampered with by a user or outside source however if security is a big concern and you must use cookies then you can either encrypt your cookies or set them to only be transmitted over SSL. A user can clear his cookies at any time or not allow cookies altogether so you cannot count on them being there just because a user has visited your site in the past.

//add a username Cookie
Response.Cookies["userName"].Value = "EvilBoy";
Response.Cookies["userName"].Expires = DateTime.Now.AddDays(10);
//Can Limit a cookie to a certain Domain
Response.Cookies["userName"].Domain = "Stackoverflow.com";

//request a username cookie
if(Request.Cookies["userName"] != null)
   lblUserName.Text = Server.HtmlEncode(Request.Cookies["userName"].Value);

sidenote

It is worth mentioning that ASP.NET also supports cookieless state-management

More Related Contents:

  1. How to delete cookies on an ASP.NET website
  2. Session Variable with if/else statement in Views?
  3. Keeping ASP.NET Session Open / Alive
  4. Web app blocked while processing another web app on sharing same session
  5. How to set session timeout in web.config
  6. Advantages of Cache vs Session
  7. Access HttpContext.Current from different threads
  8. HttpContext.Current.Session is null in Ashx file
  9. What is the best way to determine a session variable is null or empty in C#?
  10. C# keep session id over httpwebrequest
  11. Check if Cookie Exists
  12. How to Kill A Session or Session ID (ASP.NET/C#)
  13. How to share sessions between PHP and ASP.net application?
  14. Unable to serialize the session state
  15. C# Clear Session
  16. how safe is it to use session variables – asp.net / c#
  17. Can OWIN middleware use the http session?
  18. ‘Session’ does not exist in the current context
  19. Days between two dates in asp.net
  20. how to get date difference between two dates using DateDiff Excluding the weekends [duplicate]
  21. Asp Net Web API 2.1 get client IP address
  22. How do I dispose my filestream when implementing a file download in ASP.NET?
  23. How do I forcefully propagate role changes to users with ASP.NET Identity 2.0.1?
  24. Why does GetManifestResourceStream returns null while the resource name exists when calling GetManifestResourceNames?
  25. C# mvc 3 using selectlist with selected value in view
  26. How to pass parameters to a custom ActionFilter in ASP.NET MVC 2?
  27. Tag helper not being processed in ASP.NET Core 2
  28. Read a Registry Key
  29. Text on an Image button in c# asp.net 3.5
  30. Can’t find how to use HttpContent

Leave a Comment