asp.net cookie and session
客户端只保存session id,信息存在服务端
Session状态应该存储在两个地方,分别是客户端和服务器端。
客户端只负责保存相应网站的SessionID,而其他的Session信息则保存在服务器端。
在ASP中,客户端的SessionID实际是以Cookie的形式存储的。如果用户在浏览器的设置中选择了禁用Cookie,那末他也就无法享受Session的便利之处了,甚至造成不能访问某些网站。而ASP.NET中客户端的Session信息存储方式分为:Cookie和Cookieless两种。如果用了Cookieless,客户端的Session信息就不再使用Cookie存储而是通过URL存储。
退出登录的时候,重置session id
如果不重置的话,换其他账号再登录的话,还会使用同一个session id
https://stackoverflow.com/questions/24672416/how-to-create-session-id-for-every-login-in-asp-net-mvc
Try this when you abandon session/Logout:
Session.Abandon();
Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", ""));
By clearing out that cookie, a new session with a new session ID will be created after second login.
HttpResponse.Cookies and HttpRequest.Cookies
ASP.NET includes two intrinsic cookie collections. The collection accessed through the Cookies collection of HttpRequest contains cookies transmitted by the client to the server in the Cookie
header. The collection accessed through the Cookies collection of HttpResponse contains new cookies created on the server and transmitted to the client in the Set-Cookie
header.
After you add a cookie by using the HttpResponse.Cookies collection, the cookie is immediately available in the HttpRequest.Cookies collection, even if the response has not been sent to the client.
What is the difference between a Session and a Cookie?
答案一
Sessions
Sessions are stored per-user in memory(or an alternative Session-State) on the server. Sessions use a cookie(session key) to tie the user to the session. This means no "sensitive" data is stored in the cookie on the users machine.
Sessions are generally used to maintain state when you navigate through a website. However, they can also be used to hold commonly accessed objects. Only if the Session-state is set to InProc, if set to another Session-State mode the object must also serializable.
Session["userName"] = "EvilBoy";
if(Session["userName"] != null)
lblUserName.Text = Session["userName"].ToString();
Cookies
Cookies are stored per-user on the users machine. A cookie is usually just a bit of information. Cookies are usually used for simple user settings colours preferences ect. No sensitive information should ever be stored in a cookie.
You can never fully trust that a cookie has not been tampered with by a user or outside source however if security is a big concern and you must use cookies then you can either encrypt your cookies or set them to only be transmitted over SSL. A user can clear his cookies at any time or not allow cookies altogether so you cannot count on them being there just because a user has visited your site in the past.
//add a username Cookie
Response.Cookies["userName"].Value = "EvilBoy";
Response.Cookies["userName"].Expires = DateTime.Now.AddDays(10);
//Can Limit a cookie to a certain Domain
Response.Cookies["domain"].Domain = "Stackoverflow.com";
//request a username cookie
if(Request.Cookies["userName"] != null)
lblUserName.Text = Server.HtmlEncode(Request.Cookies["userName"].Value);
sidenote
It is worth mentioning that ASP.NET also supports cookieless state-management
答案二
Cookie is a client side storage of your variables. It stored on client machine by browser physically. It's scope is machine wide. Different users at same machine can read same cookie.
Because of this :
- You should not store sensitive data on cookie.
- You should not store data that belongs to one user account.
- Cookie has no effect on server resources.
- Cookie expires at specified date by you.
Session is a server side storage of your variables. Default, it stored on server's memory. But you can configure it to store at SqlServer. It's scope is browser wide. Same user can run two or more browsers and each browser has it's own session.
Because of this :
- You can save sensitive data in session.
- You should not save everything in session. it's waste of server resources.
- After user closes browser, session timeout clears all information. (default is 20 minutes)
Cache VS Session VS cookies?
State management is a critical thing to master when coming to Web world from a desktop application perspective.
Session
is used to store per-user information for the current Web session on the server. It supports using a database server as the back-end store.Cookie
should be used to store per-user information for the current Web session or persistent information on the client, therefore client has control over the contents of a cookie.Cache
object is shared between users in a single application. Its primary purpose is to cache data from a data store and should not be used as a primary storage. It supports automatic invalidation features.Application
object is shared between users to store application-wide state and should be used accordingly.
If your application is used by a number of unauthenticated users, I suggest you store the data in a cookie. If it requires authentication, you can either store the data in the DB manually or use ASP.NET profile management features.
Exploring Session in ASP.NET
https://www.codeproject.com/Articles/32545/Exploring-Session-in-ASP-Net#43
asp.net cookie and session的更多相关文章
- ASP.NET Cookie和Session
Cookie和Session C#在服务器,JS在客户端 客户端验证不能代替服务端验证 Http HTTP属于应用层,HTTP 协议一共有五大特点:1.支持客户/服务器模式;2.简单快速;3.灵活;4 ...
- asp.net cookie和session的详细使用
cookie使用代码: //设置Cookie HttpCookie setCookie = new HttpCookie("test"); setCookie.Values.Add ...
- Asp.net 中ViewState,cookie,session,application,cache的比较
Asp.net 中的状态管理维护包含ViewState,cookie,session,application,cache五种方式,以下是它们的一些比较: 1.存在于客户端还是服务端 客户端: view ...
- QQ浏览器、搜狗浏览器等兼容模式下,Asp.NetCore下,Cookie、Session失效问题
原文:QQ浏览器.搜狗浏览器等兼容模式下,Asp.NetCore下,Cookie.Session失效问题 这些狗日的浏览器在兼容模式下,保存Cookie会失败,是因为SameSiteMode默认为La ...
- Asp.Net使用加密cookie代替session验证用户登录状态 源码分享
首先 session 和 cache 拥有各自的优势而存在. 他们的优劣就不在这里讨论了. 本实例仅存储用户id于用户名,对于多级权限的架构,可以自行修改增加权限字段 本实例采用vs2010编写 ...
- 理解Cookie和Session机制(转)
目录[-] Cookie机制 什么是Cookie 记录用户访问次数 Cookie的不可跨域名性 Unicode编码:保存中文 BASE64编码:保存二进制图片 设置Cookie的所有属性 Cookie ...
- ASP.NET中的Session怎么正确使用
Session对象用于存储从一个用户开始访问某个特定的aspx的页面起,到用户离开为止,特定的用户会话所需要的信息.用户在应用程序的页面切换时,Session对象的变量不会被清除. 对于一个Web应用 ...
- ASP.NET里的Session详细解释
Session模型简介 Session是什么呢?简单来说就是服务器给客户端的一个编号.当一台WWW服务器运行时,可能有若干个用户浏览正在运正在这台服务器上的网站.当每个用户首次与这台WWW服务器建立连 ...
- ASP.NET中的Session怎么正确使用[转]
Session对象用于存储从一个用户开始访问某个特定的aspx的页面起,到用户离开为止,特定的用户会话所需要的信息.用户在应用程序的页面切换时,Session对象的变量不会被清除. 对于一个Web应用 ...
随机推荐
- zoj 3822 Domination(2014牡丹江区域赛D题) (概率dp)
3799567 2014-10-14 10:13:59 Acce ...
- linux内核中预留4M以上大内存的方法
在内核中, kmalloc能够分配的最大连续内存为2的(MAX_ORDER-1)次方个page(参见alloc_pages函数, "if (unlikely(order >= ...
- android 完美退出应用程序。
Android 程序在点击回退键时,如果只有一个activity,调用finish()方法就能退出界面,如果有多个界面,在调用该方法时,只会销毁当前的activity,显示栈顶的其它activity, ...
- windows软件配置
1 安装jdk 配置环境变量 新建JAVA_HOME:D:\Program Files\Java\jdk1.8.0_151 新建JRE_HOME:D:\Program Files\Java\jre1. ...
- 洛谷——P2690 接苹果
P2690 接苹果 题目背景 USACO 题目描述 很少有人知道奶牛爱吃苹果.农夫约翰的农场上有两棵苹果树(编号为1和2), 每一棵树上都长满了苹果.奶牛贝茜无法摘下树上的苹果,所以她只能等待苹果 从 ...
- springboot jetty替换tomcat
<dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring- ...
- Execption异常 手动和自动抛除异常
package cn.zmh.Exception; /* * * try{ * 需要被检测的语句 * } * catch(异常类 变量){ * 异常的处理语句 * } * finally{ * 一定会 ...
- mysql PROCEDURE ANALYSE() 用法
PROCEDURE ANALYSE() 会让 MySQL 帮你去分析你的字段和其实际的数据,并会给你一些有用的建议.只有表中有实际的数据,这些建议才会变得有用,因为要做一些大的决定是需要有数据作为基础 ...
- js 中 Map/Set 集合
Map Map是一组键值对的结构,具有极快的查找速度. 举个例子,假设要根据同学的名字查找对应的成绩,如果用Array实现,需要两个Array: 1 var names = ['Michael', ...
- [转] 一句shell命令搞定代码行数统计
今天面试时,突然被面试官问到怎样用shell命令搞定某个文件夹下java代码行数的统计. 想了一下,基本思路就是找到这个文件夹下面的所有java文件,然后每个文件统计一下代码,外层套个for循环,叠加 ...