ASP. NET: simple session and cookie

In the personnel file management system, I have a deep understanding of session and cookie usage. Next I will summarize and learn this knowledge point.

What is a session?

Simply put, it is the number that the server sends to the client. When a WWW server is running, several users may browse the website running on this server. When a user establishes a connection with the WWW server for the first time, the user establishes a session with the server, and the server automatically assigns a sessionid to the user to identify the unique identity. This sessionid is a string randomly generated by the WWW server consisting of 24 characters. This unique sessionid is of great practical significance. When a user submits a form, the browser automatically attaches the user's sessionid to the HTTP header information (this is an automatic function of the browser and the user will not notice it ), after the server processes the form, it returns the result to the user corresponding to the sessionid. In addition to sessionid, each session contains many other information. However, for ASP or ASP. NET Programming and programming, the most useful thing is to access ASP/ASP. NET's built-in Session object to store their own information for each user.

Session Object

When you operate an application, open it, make some changes, and close it. This is similar to a session ). The computer knows who it is. It knows when to open and close the application. However, there is a problem on the Internet: the Web server does not know who you are and what you have done because the HTTP address cannot survive.

ASP solves this problem by creating a unique cookie for each user. The cookie is sent to the client, which contains user identification information. This interface is called a session object.

The Session object is used to store user information or change the settings for a user's session. Variables stored in the session object store information of a single user and are available for all pages in the application. Stored in
The information in the session object is usually name, ID, and parameter. The server creates a new
And cancel the session object when the session expires.

 

 

When does the session start?

The session starts:

• When a new user requests an ASP file and the Global. Asa file references the session_onstart subroutine;

• When a value is stored in the session variable;

• When a user requests an ASP file and Global. Asa uses the <Object> label
  When session scope is used to demonstrate an object;

 

When will the session end?

If the user does not request or refresh the page in the application within the specified time, the session will end. The default value is 20 minutes.

If you want to set a longer or shorter timeout interval, you can set the timeout attribute.

The following example sets a 5-minute timeout interval:

<% Session. Timeout = 5%> to terminate a session immediately, use the abandon method: <% session. Abandon %>

 

Instances used in the personnel files:

 

// Determine whether the login is successful if (user. exists (enuser. userid, enuser. PWD) {enuser = user. getModel (enuser. userid); // successful logon session ["admin"] = enuser. realname; // txtusername. text. trim (); // session is equivalent to a session. When the browser is closed, the session is terminated. // String strdatetime = datetime. Now. tostring ("yyyymmddhhmmss"); response. Redirect ("list. aspx ");

 

 

 

 

Note: The main problem when to use sessions is when they should end. We do not know whether the user's recent request is the final request. Therefore, we do not know how
How long is the session "active. Waiting for a idle session for too long will exhaust server resources. However, if the session is deleted too early, the user has to start over and over again, because the server has deleted all the information. It is very difficult to find the appropriate timeout interval, so if you are using
Do not store a large amount of data in session variables.

 

 

What is a cookie?

Cookies are transmitted between the Web server and the browser as user requests and pages. Each time a user accesses a site, the Web application can read the information contained in the cookie, data (usually encrypted) stored on the user's local terminal for some websites to identify users and track sessions ).

 

Cookiecan keep your information stored in their computer information (.txt text files), so that the server can identify the computer (encrypted by its own encryption algorithm) to the user's next session with the server, in other words, next time you access the same website, you will find that you have logged on without entering your username and password (of course, You cannot delete the cookie manually ). Some cookies are deleted when the user exits the session, which can effectively protect personal privacy. Different browsers have different cookie values and belong to their own browsers.

 

For example, if you choose to remember that the cookie life cycle of a week is one week on the csdn login interface, it will be automatically destroyed after one week.

When a cookie is generated, an expire value is specified. This is the cookie life cycle. During this period, the cookie is valid and will be cleared if it exceeds the cycle. Some pages set the cookie lifecycle to "0" or a negative value. When the browser is closed, the cookie will be cleared immediately and user information will not be recorded (personal information of the online bank is logged ), more secure.

Cookie creation:

Cookie in ASP. NET: Method for creating a cookie (1)
　

Response. cookies ["username"]. value = "admin"; response. cookies ["username"]. expires = datetime. now. adddays (1); // if no expiration time is set, the cookie information will not be written to the user's hard disk, and the browser will be discarded if it is disabled.

Cookie in ASP. NET: Method for creating a cookie (2)
　

Httpcookie acookie = new httpcookie ("lastvisit"); // The last access time acookie. value = datetime. now. tostring (); acookie. expires = datetime. now. adddays (1); response. cookies. add (acookie );

　

Cookie in ASP. NET: Access cookie Method
　　

If (request. Cookies ["username"]! = NULL) label1.text = server. htmlencode (request. Cookies ["username"]. Value); Method for accessing cookies (2) if (request. Cookies ["username"]! = NULL) {httpcookie acookie = request. Cookies ["username"]; label1.text = server. htmlencode (acookie. Value );}

　　

　

3: Differences and relationships between the two

 

 

 

 

Summary

During the use of cookies, the life cycle and security of cookies are the most important considerations. How to Prevent cookie spoofing is further studied. In terms of security, session forgery is much harder than Cookie forgery, the session is relatively safer. to ensure data security and access convenience, we must use both of them to provide services for our software and reliable data for our customers.