What is the difference between a Session and a Cookie?

Sessions

Sessions are stored per-user in memory(or an alternative Session-State) on the server. Sessions use a cookie(session key) to tie the user to the session. This means no "sensitive" data is stored in the cookie on the users machine.

Sessions are generally used to maintain state when you navigate through a website. However, they can also be used to hold commonly accessed objects. Only if the Session-state is set to InProc, if set to another Session-State mode the object must also serializable.

Session["userName"]="EvilBoy";if(Session["userName"]!=null) 
  lblUserName.Text=Session["userName"].ToString();

Cookies

Cookies are stored per-user on the users machine. A cookie is usually just a bit of information. Cookies are usually used for simple user settings colours preferences ect. No sensitive information should ever be stored in a cookie.

You can never fully trust that a cookie has not been tampered with by a user or outside source however if security is a big concern and you must use cookies then you can either encrypt your cookies or set them to only be transmitted over SSL. A user can clear there cookies at any time or not allow cookies altogether so you cannot count on them being there just because I user has visited your site in the past.

//add a username CookieResponse.Cookies["userName"].Value="EvilBoy";Response.Cookies["userName"].Expires=DateTime.Now.AddDays(10);//Can Limit a cookie to a certain DomainResponse.Cookies["domain"].Domain="Stackoverflow.com";//request a username cookieif(Request.Cookies["userName"]!=null) 
   lblUserName.Text=Server.HtmlEncode(Request.Cookies["userName"].Value);

sidenote

It is worth mentioning that ASP.NET also supports cookieless state-management

posted @ 2012-06-27 14:37  xiaoshiyilang  阅读(343)  评论(1编辑  收藏  举报