The relationship and difference between session and Cookie in asp.net

Session is a server-side storage space maintained by the application server, and when users connect to the server, a unique SessionID is generated by the server, using the SessionID as an identifier to access the server-side session storage space. And SessionID this data is saved to the client, with a cookie
Session is a server-side storage space maintained by the application server, and when users connect to the server, a unique SessionID is generated by the server, using the SessionID as an identifier to access the server-side session storage space. And SessionID this data is saved to the client, saved with cookies, when the user submits the page, the SessionID is submitted to the server side to access the session data. This is a process that is not interfered with by developers. So once the client disables cookies, the session is invalidated.

The server can also pass SessionID values through URL rewriting, so it is not entirely dependent on cookies. If the client cookie is disabled, the server can automatically save the session value by overriding the URL, and the process is transparent to the programmer.

You can try it, even if you don't write cookies, use Request.getcookies (), and the length of the cookie array is 1, and the cookie's name is Jsessionid, and there's a very long binary string, Is the value of the SessionID.

Cookies are the storage space of the client and are maintained by the browser.
On occasions like voting, we tend to ask everyone to vote for a fair number of reasons, and there are similar situations in web development where we usually use cookies, such as the following code:

The code is as follows	Copy Code
<% Cookie[]cookies = Request.getcookies (); if (cookies.lenght = 0 | | | cookies = NULL) Dostufffornewbie (); has not been visited } Else { Dostuffforreturnvisitor (); I've already visited it. } % >

This is very straightforward to detect the existence of cookies, if there is a description of the code has been run write cookies, however, after running the above code, whenever the results are executed dostuffforreturnvisitor (), Through the Control Panel-internet options-Settings-View the file but always do not see the generated cookie file, strange, the code is clearly no problem, but since there is a cookie, it is shown to see.

The code is as follows	Copy Code
Cookie[]cookies = Request.getcookies (); if (cookies.lenght = 0 | | | cookies = NULL) Out.println ("has not visited this website"); } Else { for (int i = 0; i < cookie.length; i++) { OUT.PRINTLN ("Cookie name:" + cookies[i].getname () + "cookie value:" + Cookie[i].getvalue ()); } }

Run Result:
Cookie Name:jsessionid Cookie Value:kwjhug6jjm65hs2k6

Why is there a cookie, as we all know, HTTP is a stateless protocol, every time the customer read the Web page, the server opened a new session, and the server will not automatically maintain the client's contextual information, then how to achieve the online store in the shopping cart, Session is a mechanism to save context information, it is for each user, the value of the variable is stored on the server side, through SessionID to distinguish between different customers, session is based on cookie or URL rewrite, the default use of cookies to achieve, The system creates an output cookie called Jsessionid, which we call the session cookie to differentiate the persistent cookies, which is what we usually call cookies, note session Cookies are stored in the browser memory, not on the hard drive, which is what we just saw jsessionid, we usually do not see the jsessionid, but when we put the browser cookie ban, The Web server uses URL rewriting to pass SessionID, and we can see strings like sessionid=kwjhug6jjm65hs2k6 in the address bar.
Understand the principle, we can easily distinguish between the persistent cookies and the session cookie, the Internet on the security of the discussion is also at a glance, a session cookie for a conversation, Sessions end The cookie disappears, and the persistent cookie is just a piece of text (usually encrypted) that exists on the client's hard disk, and can be compromised by cookie spoofing and cross-site scripting against cookies, which is naturally less secure than the session cookie.
Usually the session cookie is not used across windows, and when you open a new browser window into the same page, the system gives you a new SessionID, so that the purpose of our information sharing is not reached, At this point we can save the SessionID in a persistent cookie and then read it in a new window to get the previous window SessionID, so that the session cookie and persistent The combination of cookies enables us to implement a cross window session tracking (conversation tracking).
In some web development books, it is often simply the way to send sessions and cookies as two parallel HTTP messages, session cookies are on the server side, and persistent cookies are located on the client, But the session is based on cookies.

Session is often used to save values between our user login pages but it is easy to waste server resources, and cookies are saved as TXT file in the client so the security is relatively poor.