Wednesday, January 1, 2014

Cookies

A cookie is a small piece of text that the server sends to the browser and the browser returns on later requests to the same site. It carries the state the web application needs across requests.
  • Most browsers support cookies of up to 4096 bytes and allow only about 20 cookies per site. Some browsers also put an absolute limit on the total number of cookies, usually 300.
  • Users can set their browser to refuse cookies. Although cookies can be very useful, the application should never depend on being able to store one. The browser, not the server, manages the cookies on a user's system.
  • Cookies are sent to the browser through the HttpResponse object, which exposes a collection called Cookies. You can set an expiration date and time on a cookie; the browser deletes expired cookies. If you do not set an expiration, the cookie is created but not written to the user's hard disk; instead it is held in memory as part of the browser session.
  • When the user closes the browser, such a non-persistent (session) cookie is discarded. This is useful for information that is needed only for a short time, or that for security reasons should not be written to disk on the client computer.
  • HttpCookieCollection, the type of Request.Cookies and Response.Cookies, derives from the specialized collection NameObjectCollectionBase. A single cookie can also hold multiple name-value pairs, referred to as subkeys, through its Values collection. Every cookie whose scope matches is sent to the server with every request to that site, so cookie size adds to the cost of each request.
  • You can set the scope of a cookie in two ways: 
    • Limit it to a folder (path) on the server with the Path property
    • Set the domain it is sent to with the Domain property
  • By default a cookie is associated with the specific host that set it. Setting Domain to a parent domain makes the cookie visible to every subdomain, so widen it only when you mean to.
  • Request.Cookies[name] returns null when the browser did not send that cookie; reading its Value without checking for null throws a NullReferenceException.
  • Always call Server.HtmlEncode on a cookie's contents before writing them into a page. The value comes from the client and can be altered there, so rendering it raw is a cross-site scripting risk.
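The points above (subkeys, Path scope, the null check on a missing cookie, and HtmlEncode before rendering) in one Web Forms code-behind, added here as an example; it is not code from the original post. The cookie name "prefs", the application path "/app" and the Literal1 control are assumptions.

```csharp
using System;
using System.Web;
using System.Web.UI;

public partial class PrefsPage : Page
{
    // Hypothetical cookie name and application path used throughout this example.
    private const string CookieName = "prefs";
    private const string AppPath = "/app";

    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsPostBack)
        {
            WritePrefs(Response, theme: "dark", lang: "en");
        }
        // Literal1 is an assumed <asp:Literal> control on the .aspx page.
        Literal1.Text = RenderTheme(Request, Server);
    }

    // Stores several name/value pairs as subkeys of ONE cookie, which keeps the
    // per-site cookie count (about 20) low and travels as a single header.
    public static void WritePrefs(HttpResponse response, string theme, string lang)
    {
        var cookie = new HttpCookie(CookieName);
        cookie.Values["theme"] = theme;
        cookie.Values["lang"] = lang;

        // Scope: sent only for requests under /app on this host. Domain is left
        // unset on purpose; setting it to a parent domain would expose the cookie
        // to every subdomain.
        cookie.Path = AppPath;

        // An Expires value makes the cookie persistent (written to disk).
        // Omit it for a session cookie that is discarded when the browser closes.
        cookie.Expires = DateTime.UtcNow.AddDays(7);

        response.Cookies.Add(cookie);
    }

    // Reads the "theme" subkey back. Request.Cookies[name] is null when the
    // browser did not send the cookie, so the null check is what prevents the
    // NullReferenceException described above.
    public static string RenderTheme(HttpRequest request, HttpServerUtility server)
    {
        HttpCookie incoming = request.Cookies[CookieName];
        if (incoming == null)
        {
            return "no preferences stored";
        }

        // A missing subkey also comes back as null, so supply a default.
        string theme = incoming.Values["theme"] ?? "default";

        // The value came from the client and may have been edited there:
        // HTML-encode it before it goes into the page.
        return server.HtmlEncode("theme=" + theme);
    }
}
```

Note that the first request after the cookie is written still reports "no preferences stored": Response.Cookies.Add queues the Set-Cookie header, but Request.Cookies only reflects what the browser sent with the current request.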
Deleting Cookies
You cannot directly remove a cookie, because it lives on the user's computer. The technique is to send a new cookie with the same name (and the same Path and Domain, otherwise the browser treats it as a different cookie) but with an expiration date earlier than today, which makes the browser discard it.

//Setting a cookie (Expires makes it persistent; here it lives for 30 seconds)
            HttpCookie cookie = new HttpCookie("cookie1", "cookieValue");
            cookie.Expires = DateTime.Now.AddSeconds(30);
            Response.AppendCookie(cookie);

//Reading a cookie (Request.Cookies[name] is null if the browser did not send it)
            HttpCookie incoming = Request.Cookies["cookie1"];
            string value = incoming != null ? incoming.Value : null;

//Deleting every cookie the browser sent: re-issue each one with an expiry in the past
            string[] names = Request.Cookies.AllKeys;

            foreach (string name in names)
            {
                // Response.Cookies[name] creates the outgoing cookie if it is not there yet
                Response.Cookies[name].Expires = DateTime.Now.AddDays(-1);
            }

Security
You should never store sensitive data in a cookie. SSL/TLS protects the cookie only while it is in transit, because the connection is encrypted; it does nothing to stop the cookie from being read or modified once it is on the user's computer, so treat every cookie value that comes back as untrusted input. For any cookie that carries session or identity data, set Secure so the browser sends it only over HTTPS, and HttpOnly so page scripts cannot read it.
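The weak and the hardened version of an identity cookie side by side, added here as an example and not code from the original post. Besides the Secure and HttpOnly flags, the hardened version appends an HMAC so the server can detect a value edited on the client; the appSetting name "CookieHmacKey" and the cookie name "uid" are assumptions.

```csharp
using System;
using System.Configuration;
using System.Security.Cryptography;
using System.Text;
using System.Web;

public static class CookieSecurity
{
    // Weak: readable by script, sent over plain HTTP, and the value is trusted as-is,
    // so anyone who can edit the cookie file becomes any user they like.
    public static void SetWeak(HttpResponse response, string userId)
    {
        response.Cookies.Add(new HttpCookie("uid", userId));
    }

    // Hardened: Secure (HTTPS only), HttpOnly (no document.cookie access), a short
    // lifetime, and a value that carries an HMAC so modification is detectable.
    public static void SetHardened(HttpResponse response, string userId)
    {
        var cookie = new HttpCookie("uid", Sign(userId));
        cookie.Secure = true;
        cookie.HttpOnly = true;
        cookie.Expires = DateTime.UtcNow.AddMinutes(20);
        response.Cookies.Add(cookie);
    }

    // Returns the user id if the cookie is present and its MAC verifies, otherwise null.
    public static string ReadVerified(HttpRequest request)
    {
        HttpCookie cookie = request.Cookies["uid"];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return null;
        return Verify(cookie.Value);
    }

    private static byte[] Key()
    {
        // Assumption: a random key of at least 32 bytes, base64-encoded, stored in
        // Web.config <appSettings> under "CookieHmacKey" (never in the cookie itself).
        string b64 = ConfigurationManager.AppSettings["CookieHmacKey"];
        if (string.IsNullOrEmpty(b64))
            throw new InvalidOperationException("CookieHmacKey is not configured");
        return Convert.FromBase64String(b64);
    }

    // Encoded as  value|base64(HMAC-SHA256(key, value))
    private static string Sign(string value)
    {
        using (var hmac = new HMACSHA256(Key()))
        {
            byte[] mac = hmac.ComputeHash(Encoding.UTF8.GetBytes(value));
            return value + "|" + Convert.ToBase64String(mac);
        }
    }

    private static string Verify(string cookieValue)
    {
        // Base64 never contains '|', so the last separator is the real one even if
        // the signed value itself contains '|'.
        int sep = cookieValue.LastIndexOf('|');
        if (sep < 0) return null;
        string value = cookieValue.Substring(0, sep);
        byte[] given;
        try { given = Convert.FromBase64String(cookieValue.Substring(sep + 1)); }
        catch (FormatException) { return null; }

        using (var hmac = new HMACSHA256(Key()))
        {
            byte[] expected = hmac.ComputeHash(Encoding.UTF8.GetBytes(value));
            return FixedTimeEquals(expected, given) ? value : null;
        }
    }

    // Constant-time comparison so response timing does not reveal how many MAC bytes matched.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

The HMAC makes the cookie tamper-evident, not secret: the user id is still readable by anyone with the cookie file, which is why the value is an identifier rather than sensitive data. On .NET 4.5 and later, MachineKey.Protect and MachineKey.Unprotect give the same protection (plus encryption) without managing a key yourself.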

By default, ASP.NET uses a non-persistent cookie to carry the session ID that identifies the user's session state. If a user has disabled cookies in the browser, that ID cannot be stored in a cookie.

ASP.NET offers an alternative in the form of cookieless sessions: the session ID is embedded in the URLs of the pages in your site instead of in a cookie. If your application relies on session state you might consider this, but understand the cost. A URL that contains a session ID is easy to share: if the user sends it to a colleague while the session is still active, both users end up in the same session, with unpredictable results. The same URL also lands in browser history, Referer headers and server logs, and an attacker who can get a victim to open a URL carrying an ID of the attacker's choosing can fix the victim's session to one the attacker already knows.


HttpCookieMode
An enumeration that specifies how cookies are used in the web application; its values are what the cookieless attribute of the sessionState configuration section accepts: UseCookies (always use a cookie), UseUri (always put the ID in the URL), AutoDetect (probe whether the browser accepts cookies and fall back to the URL if it does not) and UseDeviceProfile (decide from the browser capabilities file). Only UseCookies guarantees that the session ID never appears in a URL.
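A startup check that refuses to run with session IDs in URLs, covering the cookieless-session caveat above and the HttpCookieMode values. It is an added example, not code from the original post; the Global.asax wiring and the InProc mode in the config fragments are assumptions.

```csharp
using System;
using System.Web;
using System.Web.Configuration;

// Weak setting, which puts the session ID in every URL (shared links, Referer
// headers and server logs then carry a live session):
//
//   <sessionState mode="InProc" cookieless="UseUri" timeout="20" />
//
// Corrected setting, which never falls back to URL-embedded IDs:
//
//   <sessionState mode="InProc" cookieless="UseCookies" timeout="20" />

public class Global : HttpApplication
{
    protected void Application_Start(object sender, EventArgs e)
    {
        // Fail fast at startup rather than serving a single request with a URL-based ID.
        EnsureCookieBasedSessions();
    }

    public static void EnsureCookieBasedSessions()
    {
        var section = (SessionStateSection)WebConfigurationManager.GetSection("system.web/sessionState");
        HttpCookieMode mode = section.Cookieless;

        // AutoDetect and UseDeviceProfile are not safe either: both silently fall
        // back to UseUri for a client that appears not to accept cookies.
        if (mode != HttpCookieMode.UseCookies)
        {
            throw new InvalidOperationException(
                "sessionState cookieless=\"" + mode + "\" allows session IDs in URLs; " +
                "set cookieless=\"UseCookies\".");
        }
    }
}
```

If cookies really are unavailable for some users, the remaining choice is to let those users run without session state rather than to expose every user to URL-carried IDs.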

Software Architect at Surge Global/ Certified Scrum Master
