ansaurus

Question

Using cookies to store session in ASP MVC

Answer 1

+2 A:

http://msdn.microsoft.com/en-us/library/ms178587.aspx

Burt 2009-10-30 18:18:51

Answer 2

A:

depends on what kind of data you want to store in the cookie, if you want just to store string, the following code will do:

HttpCookie cookie = new HttpCookie("username","sth");
            cookie.HttpOnly = true;
            cookie.Expires = DateTime.Now.AddMonths(3);
            HttpContext.Current.Response.Cookies.Add(cookie);

tuanvt 2009-10-30 18:26:07

Answer 3

A:

You shouldn't use Sessions for this, but Profiles instead. Profiles use cookies to match computers to profiles, etc. The profile key is stored in a cookie, and isn't lost when closing browser etc.

Info here; http://odetocode.com/articles/440.aspx

Jan Jongboom 2009-11-10 10:54:09

Answer 4

A:

I would strongly discourage storing the entire session in cookies. I has bad performance implications. Consider this: every request (to every resource) will contain an overhead of possibly stale data that you only need once or twice. Eventually this overhead will hit your users, your bandwidth and your site performance.

Here's an example:

GET / HTTP/1.1
Host: localhost
OtherUsefulHeaders: foo
Cookie: YourSessionState=...

Initial request size is around 200 bytes. Let's say, you add around 100 bytes to your session. Now the size is 300 bytes and overhead is ~30%. You add another 100 bytes, and overhead is 50%. Which means it roughly requires 2x time to send the request and 2x bandwidth.

You should rather look into cookie-based TempData implementation as it has much smaller footprint and actually makes sense.

DreamSonic 2009-11-10 11:24:00

How would maintaining the session information through TempData (implemented through a cookie store) be any faster? There's also the additional code overhead of maintaining that TempData.A session should be fairly light - in our case it's a few dozen bytes - so the overhead of the request should be minimal.A cookie based session store was adopted as standard in Rails in 2007. This article discusses why they made that move.http://ryandaigle.com/articles/2007/2/21/what-s-new-in-edge-rails-cookie-based-sessions

Christopher Stott 2009-11-10 19:01:08

I'm very happy for the Rails community, but my point is based on statistical data: http://yuiblog.com/blog/2007/03/01/performance-research-part-3/. TempData is advantageous over session in that its overhead applies only once -- during a page roundtrip. Otherwise the cookies should be clean.Anyway, after a bitter experience in a web-farm scenario I don't use Session at all, it's not worth it.

DreamSonic 2009-11-10 23:49:21

Answer 5

+2 A:

yes, implement a custom state session-provider. And no, afaik there isn't a simpler approach.

Ps. it isn't as bad as it looks i.e. > half of the odbc sample is writing to the db.

eglasius 2009-11-10 19:16:29

Christopher Stott 2009-11-17 07:15:39

Answer 6

+2 A:

I think it would be much more efficient to just store the session ID (a hash or whatever) in the cookie, and then use that ID to get the session data from memory / database / whatever storage you prefer. Keeping the full session state in a cookie increases bandwidth innecessarily.

Also, keep security in mind: if the cookie contains authentication information or other sensitive data and you're not careful, it can easily be hacked by the user to gain privileges or otherwise mess with your application (encrypting the data sucks too, because then you have to base-64 encode the encrypted data, which further wastes bandwidth and processing time). You should never trust input from the user.

axel_c 2009-11-10 19:28:55

ansaurus

tags:

views:

answers:

Using cookies to store session in ASP MVC

related questions