Cookie Basics
Cookies are a basic feature of ASP.NET and are implemented automatically when Forms Authentication is configured for your web site. Cookie usage can be configured through the 'cookieless' setting of Forms Authentication in the web.config file. On a security note, you should never ask a user if they want their info persisted (a "Remember me next time" checkbox), because that creates a huge opportunity for hackers to forge identities. Another security note is to always use Server.HtmlEncode(Request.Cookies["name of cookie"].Value) when you are accessing cookies from the user. NEVER TRUST USER INPUT!
There are four settings for cookieless: AutoDetect, UseCookies, UseUri and the default, UseDeviceProfile. The default only checks the browser capabilities files in ASP.NET to see whether the user's browser supports cookies. AutoDetect first checks the browser profiles and then actually probes the user's browser to see whether the user has disabled cookies. Either setting can send the authentication token as part of the URL, but AutoDetect is the only one of the two that will work for users who have disabled cookies. UseUri always sends the token through the Uniform Resource Identifier (the last section of the URL), but the token will then be part of any bookmark or URL emailed by the user.
To set a custom cookie, developers use the Response.Cookies collection and set the Value property. Developers also have the Expires, Domain and Path properties to fine-tune their cookie. Examples:
Response.Cookies["name of cookie"].Value = "5"; // all cookie values are stored as strings
Response.Cookies["name of cookie"].Expires = DateTime.Now.AddDays(1); // cookie lives for one day
Response.Cookies["name of cookie"].Path = "/myfolder"; // cookie is sent to the server only for pages located under /myfolder
Response.Cookies["name of cookie"].Domain = "mysite.com"; // cookie limited to this domain and its subdomains
Response.Cookies["name of cookie"]["value name"] = "value"; // sub-key for holding multiple values in one cookie (the sub-key itself is the string)
You can even limit the cookie to a single server by using the hostname of the server in the Domain property. If you don't set an Expires property, the cookie will be automatically deleted when the user closes their browser. You cannot delete a cookie on a user's computer, but you can overwrite it and then set a date in the past (DateTime.Now.AddDays(-1)) to have the browser delete the cookie.
To check if the user already has a cookie and then access the cookie use the following:
if (Request.Cookies["name of cookie"] != null)
label1.Text = Server.HtmlEncode(Request.Cookies["name of cookie"].Value);
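The write, read and delete steps above gathered into one helper, as an added example that is not code from the original post. The cookie name "prefs", the sub-keys "theme" and "pageSize", and the folder "/myfolder" are made up for illustration; the HttpOnly and Secure flags go beyond what the post covers but are real HttpCookie properties.

```csharp
using System;
using System.Web;

// Added example: wraps the Response/Request cookie handling described in the post.
public static class CookieHelper
{
    // Write a cookie holding two sub-values, scoped to one folder and expiring after one day.
    public static void SavePrefs(HttpResponse response, string theme, string pageSize)
    {
        var cookie = new HttpCookie("prefs");     // hypothetical cookie name
        cookie["theme"] = theme;                  // sub-values are plain strings
        cookie["pageSize"] = pageSize;
        cookie.Expires = DateTime.Now.AddDays(1); // without Expires it would die with the browser session
        cookie.Path = "/myfolder";                // sent only for pages under /myfolder

        // Not covered in the post: keep the cookie away from client-side script
        // and off plain HTTP connections.
        cookie.HttpOnly = true;
        cookie.Secure = true;

        response.Cookies.Add(cookie);
    }

    // Read a sub-value back, HTML-encoding it because it came from the client
    // and may have been tampered with. Returns null if the cookie or key is absent.
    public static string ReadPref(HttpRequest request, string key)
    {
        HttpCookie cookie = request.Cookies["prefs"];
        if (cookie == null || cookie[key] == null)
            return null;
        return HttpUtility.HtmlEncode(cookie[key]);
    }

    // "Delete" the cookie: send a copy with the same name and path dated in the
    // past so the browser discards its own copy. The Path must match the original.
    public static void ClearPrefs(HttpResponse response)
    {
        var expired = new HttpCookie("prefs") { Path = "/myfolder" };
        expired.Expires = DateTime.Now.AddDays(-1);
        response.Cookies.Add(expired);
    }
}
```

From a page code-behind, call CookieHelper.SavePrefs(Response, "dark", "25") and later CookieHelper.ReadPref(Request, "theme") to see the round trip.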
Just remember, Request is from the user and Response is being sent to the user. Sessions are also dependent on cookies and can be configured to send the session token through the URI instead with sessionState cookieless="true".
If you have tracing set up in your web.config file, you can use trace.axd to track and debug cookies.