How does google, facebook handle the user session?

Question

I want to implement the session in my asp.net application which never expires until user logout,The session has to be alive after pc restart, I have seen the same functionality in some of the site e.g. Google, How they manage the session?

Answer 1

What you are looking for is called a Persistent Cookie.

Related answer: How to create persistent cookies in asp.net?

Answer 2

I don't think Google or Facebook keeps users' session alive forever. They reset the expiration and advance it further as user keeps on coming back to their site.

Sessions are managed using Session Cookie. Session cookie is one handle value that is stored with the browser and gives a website one unique ID for a particular session.

Do this little experiment, go to facebook.com and sign-in with your account. Then type the following the the URL Bar and press enter

javascript:alert(document.cookie);

Be sure to type up the leading javascript: some browsers omit that part in copy-paste

You will see a popup box like this.

It is very apparent that facebook's session cookie is called presence.

Now run the following and refresh the facebook window afterwards.

javascript:window.execScript("document.cookie=''");

Facebook is asking you to login right? Because you cleared your facebook cookie and now facebook does not know who you are.

Now most server-side scripting technologies such as ASP.NET do not make their session cookie persistent, and rightly so because you don't want all the data to be persistent for user to be able to come back to. You probably want just the Log-In info somehow. For that you would need to create your own cookie and you have to check that cookie on your Login.aspx.cs.

Some things to consider when saving user's details in the cookie, such as add user ID, User Agent, and make the cookie encrypted. You need User Agent or any other way to uniquely identify a user's machine to save your users from Man-In-The-Middle attacks, some websites keep the IP address in that and match the IP every time your login page finds that cookie.

To learn more about storing persistent cookies, check MSDN.

Answer 3

I'm not 100% sure, but I'm positive they use authentication cookies. There's an interesting post about this here, with some other external links. Hope it helps.