Session Variables vs. Cookies


asp.netNOW Q&A


TECHNOLOGIES: HTML | Cookies | Session Variables





By Josef Finsel


What's the difference between storing something in a session variable and storing something in a cookie?

 - SK, Willmar, Minn.


The difference is where the information is stored and how long it is kept. The HyperText Transfer Protocol (HTTP) is essentially stateless, meaning every request from a Web client (such as a browser) to the Web server has no connection to another request. When you connect to a Web site, then click on a link that takes you to another page within that Web site, HTTP has no built-in functionality to tell the Web server that this is a continuation of the earlier connection. This was initially remedied by cookies.


Although much ado has been made about cookies, they are really nothing more than a text file placed on your hard drive by a Web server. This happens when the Web server passes a request to the Web client to store a piece of information that the Web client will then send to the Web server every time it requests a page from that server. For instance, if the user fills in a form with their name, you can save that name to a cookie on their client and, when they click on another page or come back later from that same client, the cookie will tell you what their name is.


You can accomplish the same thing using a session variable, but it creates a dictionary object on the server for that connection, which uses server memory. Depending on the browser and the way session state is defined for the site, the session might actually create a cookie with an identifier that will store a reference to the dictionary object. Unlike cookies, which can have an expiration date measured in months or years, session-level variables expire when the connection times out. Generally, if you create a session object for a user who leaves the Web site and comes back two days later, the session object will be thrown away. In fact, the length of time a session object hangs around is determined by a setting in the web.config file. In the accompanying sample code (see end of article for download details), the setting has been modified to two minutes from the default of 20:






To demonstrate the difference between session variables and cookies, I've put together a simple Web form that asks for your name and stores it in a cookie along with the system-generated session ID (see end of article for download details).


The first time you load the form, no cookie data is available. When you submit the form for the first time, cookie data is still unavailable because creating the cookie is the last thing we do. If you submit the form a third time, you should see cookie and session data available. If you modify the name and resubmit it, you'll see the cookie name always reflects the old name because updating the cookie is the last thing we do.


Now, if you wait about three minutes and submit it again, you'll see the session ID has changed (if you forgot to modify the web.config file, you will have to wait about 21 minutes). If you wait another 11 minutes and resubmit the form, you'll see the cookie has expired and no data is available.
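The sequence described above can be replayed with a small model of the request/response exchange. This is an added Python example, not the article's ASP.NET sample code; the 10-minute cookie lifetime, the cookie names `sid` and `name`, the sample names, and keeping a copy of the name in the session dictionary are assumptions made for illustration.

```python
import secrets

SESSION_TIMEOUT = 2 * 60   # seconds: the article's web.config value (default 20 min)
COOKIE_LIFETIME = 10 * 60  # seconds: assumed, the article does not state it

class Server:
    """Keeps one dictionary per session in server memory, keyed by session ID."""
    def __init__(self):
        self.sessions = {}  # session_id -> [last_access, data]

    def handle(self, now, cookies, form_name=None):
        """Serve one stateless request; `cookies` is whatever the client sent."""
        sid = cookies.get("sid")
        entry = self.sessions.get(sid)
        if entry is None or now - entry[0] > SESSION_TIMEOUT:
            self.sessions.pop(sid, None)          # idle too long: throw it away
            sid, entry = secrets.token_hex(16), [now, {}]
            self.sessions[sid] = entry
        entry[0] = now                            # sliding timeout
        page = {"session_id": sid,
                "cookie_name": cookies.get("name"),
                "session_name": entry[1].get("name")}
        set_cookies = {"sid": (sid, None)}        # no expiry: a reference only
        if form_name is not None:                 # writing is the last thing done
            entry[1]["name"] = form_name
            set_cookies["name"] = (form_name, now + COOKIE_LIFETIME)
        return page, set_cookies

class Browser:
    """Stores cookies client-side and resends the unexpired ones each request."""
    def __init__(self):
        self.jar = {}  # cookie name -> (value, expires_at or None)

    def request(self, server, now, form_name=None):
        live = {k: v for k, (v, exp) in self.jar.items() if exp is None or exp > now}
        page, set_cookies = server.handle(now, live, form_name)
        self.jar.update(set_cookies)
        return page

def walkthrough():
    """Replay the article's sequence; times in seconds, names constructed."""
    s, b, m = Server(), Browser(), 60
    return [b.request(s, 0),                   # first load
            b.request(s, 10, "Ann"),           # first submit
            b.request(s, 20, "Bob"),           # changed name, resubmit
            b.request(s, 20 + 3 * m, "Bob"),   # after about three minutes
            b.request(s, 20 + 14 * m, "Bob")]  # another 11 minutes later

if __name__ == "__main__":
    for page in walkthrough():
        print(page)
```

In the output, the name cookie lags one request behind the form, the session ID changes once the two-minute idle limit passes, and the name cookie disappears only when its own expiry is reached, independent of the session.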




The files referenced in this article are available for download.


Josef Finsel is a software consultant with G.A. Sullivan, a global software development company. He has published a number of VB and SQL Server-related articles and is working on the syntax for FizzBin.NET, a programming language that works the way programmers have always suspected. He's also author of The Handbook for Reluctant Database Administrators (Apress).



