Session Variables vs. Cookies

What’s the difference between session variables and cookies? Josef Finsel explains.

Josef Finsel

October 30, 2009


asp.netNOW Q&A

LANGUAGES: C# | VB.NET

TECHNOLOGIES: HTML | Cookies | Session Variables

 

What's the difference between storing something in a session variable and storing something in a cookie?

 - SK, Willmar, Minn.

The difference is where the information is stored and how long it is kept. The HyperText Transfer Protocol (HTTP) is essentially stateless, meaning every request from a Web client (such as a browser) to the Web server has no connection to another request. When you connect to a Web site, then click on a link that takes you to another page within that Web site, HTTP has no built-in functionality to tell the Web server that this is a continuation of the earlier connection. This was initially remedied by cookies.

Although much ado has been made about cookies, they are really nothing more than a text file placed on your hard drive by a Web Page server. This happens when the Web server passes a request to the Web client to store a piece of information that the Web client will then send to the Web server every time it requests a page from that server. For instance, if the user fills in a form with their name, you can save that name to a cookie on their client and, when they click on another page or come back later from that same client, the cookie will tell you what their name is.

You can accomplish the same thing using a session variable, but it creates a dictionary object on the server for that connection, which uses server memory. Depending on the browser and the way session state is defined for the site, the session might actually create a cookie with an identifier that will store a reference to the dictionary object. Unlike cookies, which can have an expiration date measured in months or years, session-level variables expire when the connection times out. Generally, if you create a session object for a user who leaves the Web site and comes back two days later, the session object will be thrown away. In fact, the length of time a session object hangs around is determined by a setting in the web.config file. In the accompanying sample code (see end of article for download details), the setting has been modified to two minutes from the default of 20:

    <sessionState timeout="2" />

To demonstrate the difference between session variables and cookies, I've put together a simple Web form that asks for your name and stores it in a cookie along with the system-generated session ID (see end of article for download details).

The first time you load the form, no cookie data is available. When you submit the form for the first time, cookie data is still unavailable because creating the cookie is the last thing we do. If you submit the form a third time, you should see cookie and session data available. If you modify the name and resubmit it, you'll see the cookie name always reflects the old name because updating the cookie is the last thing we do.

Now, if you wait about three minutes and submit it again, you'll see the session ID has changed (if you forgot to modify the web.config file, you will have to wait about 21 minutes). If you wait another 11 minutes and resubmit the form, you'll see the cookie has expired and no data is available.

Have a question? Send it to [email protected].

The files referenced in this article are available for download.

Josef Finsel is a software consultant with G.A. Sullivan, a global software development company. He has published a number of VB and SQL Server-related articles and is working on the syntax for FizzBin.NET, a programming language that works the way programmers have always suspected. He's also author of The Handbook for Reluctant Database Administrators (Apress).
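The load, submit and wait sequence described in the article can be replayed without waiting by modeling it against a virtual clock. This is an added example in Python, not the article's downloadable ASP.NET sample; the 10-minute cookie lifetime, the `sid` and `name` cookie names, keeping the name in the session dictionary, and the `Server` and `run_timeline` helpers are assumptions made for the illustration.

```python
import secrets

SESSION_TIMEOUT = 2 * 60    # seconds, mirrors timeout="2" in web.config
COOKIE_LIFETIME = 10 * 60   # seconds, assumed: the article does not state it

class Server:
    """Toy model of the server side: one dictionary per session ID."""
    def __init__(self):
        self.sessions = {}  # session id -> (last request time, variables)

    def handle(self, now, jar, form_name=None):
        # The browser only sends cookies that have not expired yet.
        sent = {k: v for k, (v, exp) in jar.items() if exp is None or exp > now}
        sid = sent.get("sid")
        entry = self.sessions.get(sid)
        if entry is None or now - entry[0] > SESSION_TIMEOUT:
            # Unknown or timed-out session: discard it and issue a new ID.
            self.sessions.pop(sid, None)
            sid, entry = secrets.token_hex(16), (now, {})
        variables = entry[1]
        # The page is rendered from what arrived with the request ...
        page = {"session_id": sid,
                "cookie_name": sent.get("name"),
                "session_name": variables.get("name")}
        # ... and the cookie is written last, so it shows up one request later.
        set_cookie = {"sid": (sid, None)}  # None = lives until the browser closes
        if form_name is not None:
            variables["name"] = form_name
            set_cookie["name"] = (form_name, now + COOKIE_LIFETIME)
        self.sessions[sid] = (now, variables)  # sliding timeout
        return page, set_cookie

def run_timeline(events):
    """Replay (seconds, submitted name or None) events; return pages shown."""
    server, jar, pages = Server(), {}, []
    for now, name in events:
        page, set_cookie = server.handle(now, jar, name)
        jar.update(set_cookie)  # browser stores the Set-Cookie values
        pages.append(page)
    return pages

# Constructed timeline: load, three submits, a 3-minute gap, an 11-minute gap.
TIMELINE = [(0, None), (10, "Ada"), (20, "Ada"), (30, "Grace"),
            (210, "Grace"), (870, "Grace")]

if __name__ == "__main__":
    for (now, _), page in zip(TIMELINE, run_timeline(TIMELINE)):
        print(f"t={now:>3}s {page}")
```

After the 3-minute gap the name cookie is still sent but the session dictionary is empty under a new ID: the server-side state was discarded while the client-side copy survived.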
