asp.net cookie and session

客户端只保存session id，信息存在服务端

Session状态应该存储在两个地方，分别是客户端和服务器端。

客户端只负责保存相应网站的SessionID，而其他的Session信息则保存在服务器端。

在ASP中，客户端的SessionID实际是以Cookie的形式存储的。如果用户在浏览器的设置中选择了禁用Cookie，那末他也就无法享受Session的便利之处了，甚至造成不能访问某些网站。而ASP.NET中客户端的Session信息存储方式分为：Cookie和Cookieless两种。如果用了Cookieless，客户端的Session信息就不再使用Cookie存储而是通过URL存储。

退出登录的时候，重置session id

如果不重置的话，换其他账号再登录的话，还会使用同一个session id

https://stackoverflow.com/questions/24672416/how-to-create-session-id-for-every-login-in-asp-net-mvc

Try this when you abandon session/Logout:

Session.Abandon();
Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", ""));

By clearing out that cookie, a new session with a new session ID will be created after second login.

HttpResponse.Cookies and HttpRequest.Cookies

ASP.NET includes two intrinsic cookie collections. The collection accessed through the Cookies collection of HttpRequest contains cookies transmitted by the client to the server in the Cookie header. The collection accessed through the Cookies collection of HttpResponse contains new cookies created on the server and transmitted to the client in the Set-Cookie header.

After you add a cookie by using the HttpResponse.Cookies collection, the cookie is immediately available in the HttpRequest.Cookies collection, even if the response has not been sent to the client.

What is the difference between a Session and a Cookie?

答案一

Sessions

Sessions are stored per-user in memory(or an alternative Session-State) on the server. Sessions use a cookie(session key) to tie the user to the session. This means no "sensitive" data is stored in the cookie on the users machine.

Sessions are generally used to maintain state when you navigate through a website. However, they can also be used to hold commonly accessed objects. Only if the Session-state is set to InProc, if set to another Session-State mode the object must also serializable.

Session["userName"] = "EvilBoy";

if(Session["userName"] != null)
  lblUserName.Text = Session["userName"].ToString();

Cookies

Cookies are stored per-user on the users machine. A cookie is usually just a bit of information. Cookies are usually used for simple user settings colours preferences ect. No sensitive information should ever be stored in a cookie.

You can never fully trust that a cookie has not been tampered with by a user or outside source however if security is a big concern and you must use cookies then you can either encrypt your cookies or set them to only be transmitted over SSL. A user can clear his cookies at any time or not allow cookies altogether so you cannot count on them being there just because a user has visited your site in the past.

//add a username Cookie
Response.Cookies["userName"].Value = "EvilBoy";
Response.Cookies["userName"].Expires = DateTime.Now.AddDays(10);
//Can Limit a cookie to a certain Domain
Response.Cookies["domain"].Domain = "Stackoverflow.com";

//request a username cookie
if(Request.Cookies["userName"] != null)
   lblUserName.Text = Server.HtmlEncode(Request.Cookies["userName"].Value);

sidenote

It is worth mentioning that ASP.NET also supports cookieless state-management

答案二

Cookie is a client side storage of your variables. It stored on client machine by browser physically. It's scope is machine wide. Different users at same machine can read same cookie.

Because of this :

1. You should not store sensitive data on cookie.
2. You should not store data that belongs to one user account.
3. Cookie has no effect on server resources.
4. Cookie expires at specified date by you.

Session is a server side storage of your variables. Default, it stored on server's memory. But you can configure it to store at SqlServer. It's scope is browser wide. Same user can run two or more browsers and each browser has it's own session.

Because of this :

1. You can save sensitive data in session.
2. You should not save everything in session. it's waste of server resources.
3. After user closes browser, session timeout clears all information. (default is 20 minutes)

Cache VS Session VS cookies?

State management is a critical thing to master when coming to Web world from a desktop application perspective.

• Session is used to store per-user information for the current Web session on the server. It supports using a database server as the back-end store.
• Cookie should be used to store per-user information for the current Web session or persistent information on the client, therefore client has control over the contents of a cookie.
• Cache object is shared between users in a single application. Its primary purpose is to cache data from a data store and should not be used as a primary storage. It supports automatic invalidation features.
• Application object is shared between users to store application-wide state and should be used accordingly.

If your application is used by a number of unauthenticated users, I suggest you store the data in a cookie. If it requires authentication, you can either store the data in the DB manually or use ASP.NET profile management features.

Exploring Session in ASP.NET

https://www.codeproject.com/Articles/32545/Exploring-Session-in-ASP-Net#43