Using session cookies in asp.net MVC application

  • Question

  • User-1960232052 posted

    Hi, I am working on a web application designed using ASP.net with MVC framework. I have used session data to store user specific data. Recently, it has been suggested to use path specific session cookie, to implement session security. However, when I add path to the session cookie, then I lose the session data at every call to the controllers. What am I doing wrong, and how can I implement session path along with making sure that the session data is not lost?

    I have used State Server session mode.

    Thursday, June 28, 2018 2:58 PM

All replies

  • User1724605321 posted

    Hi Priyanka3008,

    Please check how you set the path. From the article ASP.NET Cookies Overview:

    To limit cookies to a folder on the server, set the cookie's Path property, as in the following example:

    HttpCookie appCookie = new HttpCookie("AppCookie");
    appCookie.Value = "written " + DateTime.Now.ToString();
    appCookie.Expires = DateTime.Now.AddDays(1);
    appCookie.Path = "/Application1";
    Response.Cookies.Add(appCookie);

    The path can either be a physical path under the site root or a virtual root. The effect will be that the cookie is available only to pages in the Application1 folder or virtual root. For example, if your site is called www.contoso.com, the cookie created in the previous example will be available to pages with the path http://www.contoso.com/Application1/ and to any pages beneath that folder. However, the cookie will not be available to pages in other applications such as http://www.contoso.com/Application2/ or just http://www.contoso.com/.

    As for the session cookie, this cookie contains only an id, not the actual values. The actual values could be stored either in the server memory, a separate process, or even SQL Server, depending on the <sessionState mode=""> setting in web.config. Then, when the client later sends another request, it will send this cookie id to the server, and given the id the server will fetch the actual values.

    The client browser stores those cookies in memory, meaning that if you close it, the session will be lost because session cookies are not persistent.

    Best Regards,

    Nan Yu

    Friday, June 29, 2018 6:17 AM
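
The path scoping and id-only session cookie described in the reply above, as an added example that is not part of the original thread: it models the browser's cookie path matching (RFC 6265, section 5.1.4) and a server that keeps session values keyed by the cookie's id. The function names, session ids and request paths are constructed for illustration.

```javascript
// Added example: browser-side cookie path matching plus a server-side
// session store keyed by the id carried in the cookie.
// All names and URLs below are constructed for illustration.

// True when a cookie scoped to cookiePath is sent with a request for requestPath.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  // The prefix must end on a "/" boundary, so "/Application1" does not match "/Application10".
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Simulate one browser talking to one server whose session cookie uses sessionCookiePath.
function simulate(sessionCookiePath, requestPaths) {
  const store = new Map();   // server side: session id -> values
  let jar = null;            // browser side: { id, path } of the session cookie
  let nextId = 1;
  const log = [];
  for (const path of requestPaths) {
    const sent = jar !== null && pathMatches(path, jar.path);
    let id = sent ? jar.id : null;
    if (id === null || !store.has(id)) {
      // No usable id arrived, so the server starts an empty session and sets a new cookie.
      id = "sid-" + nextId++;
      store.set(id, { hits: 0 });
      jar = { id, path: sessionCookiePath };
    }
    const session = store.get(id);
    session.hits += 1;
    log.push({ path, cookieSent: sent, id, hits: session.hits });
  }
  return log;
}

// Constructed request sequence: two controllers outside /Application1 and two URLs inside it.
const requests = ["/Home/Index", "/Account/Profile", "/Application1/Orders", "/Application1/Orders/5"];
const scoped = simulate("/Application1", requests);   // new session on every request outside the path
const rootScoped = simulate("/", requests);           // one session across all controllers
console.log(scoped, rootScoped);
```

With the cookie scoped to `/Application1`, requests to controllers outside that path arrive without the id, so each one starts an empty session; the data survives only across requests whose URL falls under the cookie's path.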