views:

1099

answers:

6

What is the difference between a Session and a Cookie?

In what circumstances should each be used?

+8  A: 

Sessions

Sessions are stored per user in memory (or an alternative session-state store) on the server. Sessions use a cookie (the session key) to tie the user to the session. This means no "sensitive" data is stored in the cookie on the user's machine.

Sessions are generally used to maintain state as you navigate through a website. However, they can also be used to hold commonly accessed objects, but only if the session-state mode is set to InProc; if it is set to another session-state mode, the object must also be serializable.

// store a value in session state; it lives on the server, keyed by the session cookie
Session["userName"] = "EvilBoy";

// read it back on a later request (null if the session expired or was never set)
if(Session["userName"] != null)
  lblUserName.Text = Session["userName"].ToString();

Cookies

Cookies are stored per user on the user's machine. A cookie is usually just a bit of information. Cookies are usually used for simple user settings: colours, preferences, etc. No sensitive information should ever be stored in a cookie.

You can never fully trust that a cookie has not been tampered with by a user or an outside source. However, if security is a big concern and you must use cookies, then you can either encrypt your cookies or set them to only be transmitted over SSL. A user can clear their cookies at any time, or not allow cookies altogether, so you cannot count on them being there just because a user has visited your site in the past.

// add a username cookie that expires in 10 days
Response.Cookies["userName"].Value = "EvilBoy";
Response.Cookies["userName"].Expires = DateTime.Now.AddDays(10);
// optionally limit the cookie to a certain domain (set on the same cookie, not a second one)
Response.Cookies["userName"].Domain = "Stackoverflow.com";

// read the username cookie back; encode it before writing it into the page
if(Request.Cookies["userName"] != null)
   lblUserName.Text = Server.HtmlEncode(Request.Cookies["userName"].Value);

sidenote

It is worth mentioning that ASP.NET also supports cookieless state-management

cgreeno
I think you mean cookieless STATE-management...unless the roadies have given up eating them biscuits :)
Joe
Yes I did, thanks
cgreeno
Also, the session is identified upon each request by a cookie. Without a cookie (or URL identifier, bad!) the session cannot be tracked.
DGM
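The answer above says a cookie can never be fully trusted and suggests encrypting it; the cheaper and more common remedy is to sign it so that any change made on the client is detected. The following is an added example, not code from the answer and not ASP.NET: a plain-Python model of a tamper-evident cookie whose value and expiry are covered by an HMAC, plus the Set-Cookie header with the Secure flag the answer mentions (and HttpOnly, which keeps page scripts away from it). `SERVER_KEY`, the cookie layout and all function names are my own constructed assumptions.

```python
"""Tamper-evident cookie: "payload.expiry.mac", MAC = HMAC-SHA256 over payload+expiry.

Added example (not from the original answer). Plain Python standing in for the
ASP.NET cookie API so the idea transfers; the secret key is a constructed value.
"""
import base64
import hashlib
import hmac
import time
from typing import Optional

# Constructed, hypothetical server-side secret; load it from a key store in practice.
SERVER_KEY = b"example-32-byte-server-secret-key!!"


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding, so the value is safe inside a cookie."""
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_value(value: str, key: bytes = SERVER_KEY, ttl: int = 10 * 86400,
               now: Optional[int] = None) -> str:
    """Return 'payload.expiry.mac'. The MAC covers both payload and expiry, so the
    client can change neither the stored value nor its lifetime unnoticed."""
    exp = (int(time.time()) if now is None else now) + ttl
    payload = _b64(value.encode())
    mac = hmac.new(key, f"{payload}.{exp}".encode(), hashlib.sha256).digest()
    return f"{payload}.{exp}.{_b64(mac)}"


def verify_value(cookie: str, key: bytes = SERVER_KEY,
                 now: Optional[int] = None) -> Optional[str]:
    """Return the original value, or None if the cookie is malformed, altered or expired."""
    try:
        payload, exp_text, mac_text = cookie.split(".")
        exp = int(exp_text)
        given_mac = _unb64(mac_text)
        value = _unb64(payload).decode()
    except ValueError:          # covers unpacking, int(), base64 and UTF-8 errors
        return None
    expected = hmac.new(key, f"{payload}.{exp}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given_mac):   # constant-time comparison
        return None
    if (int(time.time()) if now is None else now) >= exp:
        return None
    return value


def set_cookie_header(name: str, value: str, domain: str, max_age: int) -> str:
    """Build the response header. Secure keeps the cookie off plaintext HTTP (the
    'only over SSL' option), HttpOnly hides it from page scripts, and the Domain
    attribute limits where the browser will send it."""
    return (f"Set-Cookie: {name}={value}; Domain={domain}; Max-Age={max_age}; "
            "Path=/; Secure; HttpOnly; SameSite=Lax")


if __name__ == "__main__":
    signed = sign_value("EvilBoy")
    print(set_cookie_header("userName", signed, "example.com", 10 * 86400))
    print("round trip:", verify_value(signed))
    # Edit the payload the way a user with a cookie editor would:
    _, exp, mac = signed.split(".")
    print("tampered:", verify_value(f"{_b64(b'Admin')}.{exp}.{mac}"))
```

Signing does not hide the value (base64 is not encryption), so the payload must still be non-sensitive; it only guarantees that what comes back is what the server issued.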
A: 

straight from Wikipedia:

Http Cookie

Http Session

Orentet
+1  A: 

A cookie is an identification string stored by a server (which has a domain) in the browser of the user who visits the server/domain.

A session is a unit of (possibly) variables, state and settings while a certain user is accessing a server/domain in a specific time frame. In the traditional model, all the session information is stored on the server (!)

Because many concurrent users can visit a server/domain at the same time, the server needs to be able to distinguish many different concurrent sessions and always assign the right session to the right user. (And no user may "steal" another user's session.)

This is done through the cookie. The cookie, which is stored in the browser and which should in this case be a random combination like s73jsd74df4fdf (so it cannot be guessed), is sent on each request from the browser to the server, and the server can assign and use the correct session for its answers (page views).

The cookie allows the server to recognize the browser/user. The session allows the server to remember information between different page views.

Karl Thorwald
I upvoted this but why community wiki? It is a totally valid programming related answer.
DrJokepu
+1  A: 

A cookie is client-side storage of your variables. It is physically stored on the client machine by the browser. Its scope is machine-wide. Different users on the same machine can read the same cookie.

Because of this :

  1. You should not store sensitive data in a cookie.
  2. You should not store data that belongs to one user account.
  3. A cookie has no effect on server resources.
  4. A cookie expires at the date specified by you.

A session is server-side storage of your variables. By default, it is stored in the server's memory, but you can configure it to be stored in SQL Server. Its scope is browser-wide. The same user can run two or more browsers and each browser has its own session.

Because of this :

  1. You can save sensitive data in the session.
  2. You should not save everything in the session; it's a waste of server resources.
  3. After the user closes the browser, the session timeout clears all information. (The default is 20 minutes.)
Canavar
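Both of the preceding answers describe the same mechanism: the browser holds only an unguessable session ID, the server holds the state, and an idle session is dropped after a timeout (20 minutes by default). Below is an added example, not code from either answer and not ASP.NET itself: a plain-Python model of an InProc-style session store that shows the ID being minted from the OS random source, a tampered ID finding nothing, two browsers getting separate sessions, and the sliding 20-minute expiry. `SessionStore`, `handle_request` and the cookie name are my own assumptions (the name mirrors ASP.NET's default but nothing here depends on it).

```python
"""Server-side session store: cookie = random opaque ID, state stays on the server.

Added example (not from the answers above). Plain Python standing in for
ASP.NET InProc session state; class and function names are my own.
"""
import secrets
import time
from typing import Any, Dict, List, Optional, Tuple

IDLE_TIMEOUT = 20 * 60   # seconds; the ASP.NET default session timeout is 20 minutes
COOKIE_NAME = "ASP.NET_SessionId"   # assumed name, same role as the real one


class SessionStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, Dict[str, Any]] = {}
        self._last_seen: Dict[str, float] = {}

    def create(self, now: Optional[float] = None) -> str:
        """Mint a session and return its ID: 32 bytes from the OS CSPRNG, so it
        cannot be guessed or derived from another user's ID."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {}
        self._last_seen[sid] = time.time() if now is None else now
        return sid

    def get(self, sid: Optional[str], now: Optional[float] = None) -> Optional[Dict[str, Any]]:
        """Resolve a cookie value to its session. Unknown, forged or idle-expired IDs
        yield None; a hit refreshes the idle timer (sliding expiration)."""
        t = time.time() if now is None else now
        if sid is None or sid not in self._sessions:
            return None
        if t - self._last_seen[sid] > IDLE_TIMEOUT:
            self.destroy(sid)          # timed out: drop the state, force a new session
            return None
        self._last_seen[sid] = t
        return self._sessions[sid]

    def destroy(self, sid: str) -> None:
        self._sessions.pop(sid, None)
        self._last_seen.pop(sid, None)


def session_cookie_header(sid: str) -> str:
    """Only the opaque ID travels to the browser; Secure and HttpOnly protect it."""
    return f"Set-Cookie: {COOKIE_NAME}={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


def handle_request(store: SessionStore, cookies: Dict[str, str],
                   now: float) -> Tuple[Dict[str, Any], str, List[str]]:
    """Simulated request: resume the session named by the cookie or start a new one.
    Returns (session dict, session ID, response headers to send)."""
    sid = cookies.get(COOKIE_NAME)
    session = store.get(sid, now)
    headers: List[str] = []
    if session is None:
        sid = store.create(now)
        session = store.get(sid, now)
        headers.append(session_cookie_header(sid))
    return session, sid, headers


if __name__ == "__main__":
    store = SessionStore()
    s, sid, hdrs = handle_request(store, {}, now=0)
    s["userName"] = "EvilBoy"          # stays on the server, never in the cookie
    print(hdrs[0])
    again, _, _ = handle_request(store, {COOKIE_NAME: sid}, now=600)
    print("same browser 10 min later:", again.get("userName"))
    late, new_sid, _ = handle_request(store, {COOKIE_NAME: sid}, now=600 + IDLE_TIMEOUT + 1)
    print("after idle timeout:", late.get("userName"), "new id issued:", new_sid != sid)
```

The "SQL Server" and "State Server" modes differ only in where `_sessions` lives; the cookie and the lookup are the same, which is why the answers stress that the ID, not the data, is what the client holds.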
A: 

It's possible to have both: a database primary key is hashed and stored in a lookup table; then the hash is stored on the client as a cookie. Once the hash cookie (hahhahaha :) is submitted, its corresponding primary key is looked up, and the rest of the details are associated with it in another table on the server database.

Joe
A: 

In terms of ASP.NET

Cookies are a subset of sessions. You can have a cookie based session.

Sessions for ASP.NET come in several flavors: SQL, State Server (it's a service you can enable on Windows machines), In Process (server side), or you can write custom session management.

Also you can change cookieless="false" to use cookies for session. This opens up the security issues mentioned above even when using session. However, it reduces the amount of resources required on the server side.

http://msdn.microsoft.com/en-us/library/ms972429.aspx

Use State Server or SQL when you want to partition and/or maintain session for a web server farm with secure data in it. Keep in mind SQL session data is not encrypted across the wire either, from app server to DB server.

Use In Proc on low-volume servers where securing session is important.

In my opinion, don't ever use cookies :) but if you do, they are useful for leaving persistent user data around like UI preferences.