ASP.NET session vs session state and cookies vs cookie less

Question

Please help me whether my understanding is right.

1. ASP.NET sessions are stored on the web server and no cookies whatsoever are used for this.

2. ASP.NET if configured to use session with webconfig->session state: then we can configure it as either stateconnection or as sqlconnection.

3. ASP.NET if configured to use session state (either as stateconnection or as sqlconnection) then when user uses sessions in code then the cookies on client machine are used unless you specify in webconfig that cookieless=true

4. If we use <sessionState cookieless="true" /> then by default the stateconnection is set to localhost

Answer 1

Session : stored on server (memory or DB) and all pages in web application can use data in it.

Session State : store and retrieve values for a user as the user navigates pages in a web application.

Cookies : stored on client side as a file containing non sensitive data, but data like user favorites and preferences.

Cookieless : pass session id in URL query string and not storing it in cookies, in case you expect user to prevent or delete cookies.

Answer 2

When talking about Session in many dynamic web sites you want to store user data between HTTP requests (because http is stateless and you can't otherwise associate a request to any other request), but you don't want that data to be readable / editable at client side because you don't want the client to play around with that data without passing through your (server side) code.

The solution is to store that data server side, give it an "id", and let the client only know (and pass back at every http request) that id. There you go, sessions implemented. Or you can use the client as a convenient remote storage, but you would encrypt the data and keep the secret server-side.

Of course there are other aspects to consider, like you don't want people to hijack other's sessions, you want sessions to not last forever but to expire, and so on.

Session State contains information that is pertaining to a specific session (by a particular client/browser/machine) with the server. It's a way to track what the user is doing on the site.. across multiple pages...amid the statelessness of the Web. e.g. the contents of a particular user's shopping cart is session data. Cookies can be used for session state.

Cookies are small pieces of text, stored on the client's computer to be used only by the website setting the cookies. This allows webapplications to save information for the user, and then re-use it on each page if needed. Every session will have SessionID. And Session ID is a unique number, server assigns to a specific user, during his visit(session). And defaultely, session ID is attached to a cookie and this cookie will be shared from client to server (and server to client) during its requests/responses. And server will identify session based on session id which is retrieved from cookie.

And regarding cookieless, if your browser doesnt support cookie or disabled, then cookieless will be used. Since it is Cookieless, asp.net can not create a cookie to save session id. Instead, the session id will be passed in query string.