Using cookies to store session in ASP MVC

Question

Storing the entire session in a cookie has been standard in Rails for the last few years - is there an easy way to achieve something similar with ASP MVC?

By default, an

Answer 1

yes, implement a custom state session-provider. And no, afaik there isn't a simpler approach.

Ps. it isn't as bad as it looks i.e. > half of the odbc sample is writing to the db.

Answer 2

I think it would be much more efficient to just store the session ID (a hash or whatever) in the cookie, and then use that ID to get the session data from memory / database / whatever storage you prefer. Keeping the full session state in a cookie increases bandwidth innecessarily.

Also, keep security in mind: if the cookie contains authentication information or other sensitive data and you're not careful, it can easily be hacked by the user to gain privileges or otherwise mess with your application (encrypting the data sucks too, because then you have to base-64 encode the encrypted data, which further wastes bandwidth and processing time). You should never trust input from the user.

Answer 3

You shouldn't use Sessions for this, but Profiles instead. Profiles use cookies to match computers to profiles, etc. The profile key is stored in a cookie, and isn't lost when closing browser etc.

Info here; http://odetocode.com/articles/440.aspx

Answer 4

depends on what kind of data you want to store in the cookie, if you want just to store string, the following code will do:

HttpCookie cookie = new HttpCookie("username","sth");
            cookie.HttpOnly = true;
            cookie.Expires = DateTime.Now.AddMonths(3);
            HttpContext.Current.Response.Cookies.Add(cookie);

Answer 5

I would strongly discourage storing the entire session in cookies. It has bad performance implications. Consider this: every request (to every resource) will contain an overhead of possibly stale data that you only need once or twice. Eventually this overhead will hit your users, your bandwidth and your site performance.

Here's an example:

GET / HTTP/1.1
Host: localhost
OtherUsefulHeaders: foo
Cookie: YourSessionState=...

Initial request size is around 200 bytes. Let's say, you add around 100 bytes to your session. Now the size is 300 bytes and overhead is ~30%. You add another 100 bytes, and overhead is 50%. Which means it roughly requires 2x time to send the request and 2x bandwidth.

You should rather look into cookie-based TempData implementation as it has much smaller footprint and actually makes sense.

Answer 6

I recommend storing TempData in the cookie (as opposed to the entire session).

In order to store TempData in the cookie, you need to override ITempDataProvider and implement your own custom provider.

There is actually a nuget package available (which does this custom implementation for you): BrockAllen.CookieTempData and here is the documentation. The good thing about this package is that it both compress and encrypts your TempData, so you don't need to worry about sending plain text over the Internet.

All you need to do is to install the nuget package and then override CreateTempDataProvider in your ControllerBase class:

using BrockAllen.CookieTempData;

namespace myProject.web.Controllers
{
    public class ControllerBase : Controller
    {
        // use CookieTempDataProvider instead of default provider
        protected override ITempDataProvider CreateTempDataProvider()
        {
            return new CookieTempDataProvider();
        }
    }
}