views: 143

answers: 2

This is an interview question asked a month ago.

Do sessions use cookies? If so, how do they do so?

Assume Session["UserId"] = 1. How does this session variable use cookies internally? If it does, what will be the name of the cookie, and what is the value of that cookie?

A: 

No, it's stored on the server, somewhere in a tmp folder. Sessions are server-side, cookies are client-side.

luckytaxi
Cookies are the default method of tying a user's session id to the session data on the server.
Michael Shimmins
In PHP, sessions are stored on the server. I didn't realize this was ASP. My bad.
luckytaxi
You're right in that the actual variable is stored on the server (though you can provide a different session state provider), but as Michael Shimmins points out, the session token is stored in a cookie by default.
R0MANARMY
This would suck. If it's in a cookie, can't you manipulate the cookie?
luckytaxi
In theory, yes: you can change your session token to something else, and if you correctly guess another session token you can hijack that person's session. But if your session tokens are generated fairly randomly, changing your token to some random token just means your session won't be retrieved properly on the next server request.
R0MANARMY
This is such a huge misconception I see amongst many (of my fellow) PHP developers. A PHP session id is also stored in a cookie on the client side. How else (excluding the less secure URL token methods) would PHP be able to identify the session id? Think about it.
fireeyedboy
+8  A: 

Whilst the data itself is stored on the server (or in SQL if configured that way), there needs to be a way to associate session data with specific users.

By default this is done with a cookie, but you can configure cookieless mode, in which case the unique id is stored in the URL.

From Microsoft:

ASP maintains session state by providing the client with a unique key assigned to the user when the session begins. This key is stored in an HTTP cookie that the client sends to the server on each request. The server can then read the key from the cookie and re-inflate the server session state.

http://msdn.microsoft.com/en-us/library/ms972429.aspx

Michael Shimmins
The article mentions nearly every detail. The session ID must be passed between the browser and the server, so IIS/ASP.NET can know which session object needs to be used for a certain request.
Lex Li
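The mechanism described in Michael Shimmins's answer (the server hands the client a key in a cookie and re-inflates the session from it) and the point made in luckytaxi's comment on the first answer (a changed cookie only hurts you if another token is guessable), modelled in Python as an added example. This is not code from the original post and not ASP.NET's or PHP's implementation: the SessionServer class, the two id generators, the scenario() and tampered_cookie_gets_empty_session() helpers and the request/response dicts are hypothetical. The cookie name is ASP.NET's default (ASP.NET_SessionId, changeable with the sessionState cookieName setting; PHP uses PHPSESSID), and the choice to issue a fresh id whenever an unknown id arrives is a design decision of this model, not a claim about any particular framework.

```python
# Added example (not from the original post): a minimal model of cookie-based
# session state. Session variables live in a server-side dict; the browser only
# ever holds the session id, sent back on every request in a cookie. All names
# and behaviour here are assumptions for illustration, not ASP.NET's own code.
import secrets
from http.cookies import SimpleCookie

# ASP.NET's default cookie name (configurable); PHP's equivalent is PHPSESSID.
COOKIE_NAME = "ASP.NET_SessionId"


def random_session_id():
    # 120 random bits (15 bytes) from the OS CSPRNG; ASP.NET's default generator
    # also produces 120-bit ids (24 characters in its own encoding). Here they
    # come out as 20 base64url characters.
    return secrets.token_urlsafe(15)


def sequential_session_ids(start=1000):
    # Deliberately weak generator for the hijack demonstration below:
    # ids are a counter, so seeing your own id tells you your neighbours'.
    n = start
    while True:
        n += 1
        yield "sess%08d" % n


class SessionServer:
    """Server side: a session store keyed by id plus the cookie plumbing."""

    def __init__(self, new_id=random_session_id):
        self.store = {}        # session id -> dict of session variables
        self.new_id = new_id

    def handle(self, request_headers, action):
        """Process one request. action is ("set", key, value) or ("get", key).
        Returns (result, response_headers)."""
        jar = SimpleCookie(request_headers.get("Cookie", ""))
        sid = jar[COOKIE_NAME].value if COOKIE_NAME in jar else None
        response_headers = {}
        if sid not in self.store:
            # No cookie, or an id we do not know (e.g. a tampered one): this
            # model starts an empty session under a freshly generated id and
            # tells the client to store that id. The unknown id is not reused.
            sid = self.new_id()
            self.store[sid] = {}
            jar = SimpleCookie()
            jar[COOKIE_NAME] = sid
            jar[COOKIE_NAME]["httponly"] = True   # keep the id away from page scripts
            jar[COOKIE_NAME]["path"] = "/"
            response_headers["Set-Cookie"] = jar.output(header="").strip()
        session = self.store[sid]
        if action[0] == "set":
            session[action[1]] = action[2]
            return "ok", response_headers
        return session.get(action[1]), response_headers


def cookie_for(set_cookie_header):
    """Client side: turn a Set-Cookie response header into the Cookie request header."""
    jar = SimpleCookie(set_cookie_header)
    return "%s=%s" % (COOKIE_NAME, jar[COOKIE_NAME].value)


def scenario(new_id):
    """Victim stores Session["UserId"] = 1; an attacker who only has a session
    of their own then tries to read the victim's UserId by guessing the id."""
    server = SessionServer(new_id)

    # Victim: the first request carries no cookie, so the server issues one ...
    _, resp = server.handle({}, ("set", "UserId", 1))
    victim_cookie = cookie_for(resp["Set-Cookie"])
    # ... and on the next request that cookie retrieves the same session.
    victim_sees, _ = server.handle({"Cookie": victim_cookie}, ("get", "UserId"))

    # Attacker: obtains their own session, then guesses at the victim's id.
    _, resp = server.handle({}, ("get", "UserId"))
    own_sid = SimpleCookie(resp["Set-Cookie"])[COOKIE_NAME].value
    if own_sid.startswith("sess"):
        guess = "sess%08d" % (int(own_sid[4:]) - 1)   # the id issued just before mine
    else:
        guess = secrets.token_urlsafe(15)             # 2**-120 chance of hitting the victim
    attacker_sees, _ = server.handle({"Cookie": "%s=%s" % (COOKIE_NAME, guess)},
                                     ("get", "UserId"))
    return victim_sees, attacker_sees


def tampered_cookie_gets_empty_session():
    """Editing the cookie to a made-up id exposes nobody's data: the unknown id
    maps to nothing, so the client just gets a fresh, empty session."""
    server = SessionServer()
    server.handle({}, ("set", "UserId", 1))
    forged = "%s=%s" % (COOKIE_NAME, "A" * 20)          # constructed, never issued
    value, resp = server.handle({"Cookie": forged}, ("get", "UserId"))
    return value, "Set-Cookie" in resp


if __name__ == "__main__":
    print("random ids:     ", scenario(random_session_id))          # (1, None)
    ids = sequential_session_ids()
    print("sequential ids: ", scenario(lambda: next(ids)))           # (1, 1)
    print("tampered cookie:", tampered_cookie_gets_empty_session())  # (None, True)
```

The only thing that crosses the wire is the Set-Cookie/Cookie pair carrying the id; the value 1 never leaves the server. Swapping the generator is the whole difference between "changing the cookie just loses your own session" and "changing the cookie reads someone else's", which is why the id must come from a CSPRNG and be long enough that guessing is hopeless.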