Do session use cookies?

Question

This is an interview question asked a month ago....

Do session use cookies? If so,how do they do so?

Assume Session["UserId"]=1 how does this session variable uses cookies internally? If so, what will be the name of the cookie and what is the value of that cookie....

score 13 · Accepted Answer · answered Apr 07 '10 at 03:35

13

Whilst the data its self is stored on the server (or in SQL if configured that way), there needs to be a way to associate session data with specific users.

By default this is done with a cookie, but you can configure cookieless in which case the unique id is stored in the URL.

From Microsoft:

ASP maintains session state by providing the client with a unique key assigned to the user when the session begins. This key is stored in an HTTP cookie that the client sends to the server on each request. The server can then read the key from the cookie and re-inflate the server session state.

http://msdn.microsoft.com/en-us/library/ms972429.aspx

answered Apr 07 '10 at 03:35

Michael Shimmins

19,961
7
57
90

The article mentions nearly every details. Session ID must be passed between the browser and the server, so IIS/ASP.NET can know which session object needs to be used for a certain request. – Lex Li Apr 07 '10 at 04:49
Check [this](http://stackoverflow.com/questions/6353703/session-cookie-some-misunderstandings) – Jibin Jun 21 '11 at 05:27

score 3 · Answer 2 · answered Mar 27 '16 at 14:55

Every session will have SessionID. And Session ID is a unique number, server assigns to a specific user, during his visit(session). And defaultely, session ID is attached to a cookie and this cookie will be shared from client to server (and server to client) during its requests/responses. And server will identify session based on session id which is retrieved from cookie.

And regarding cookieless, if your browser doesnt support cookie or disabled, then cookieless will be used. Since it is Cookieless, asp.net can not create a cookie to save session id. Instead, the session id will be passed in query string...

score 0 · Answer 3 · answered Jun 30 '21 at 04:32

Yes, Session management is done using a kind of session-id i.e. cookies. cookies maintained in the browser help backend to identify users.

If you access an application from two browsers of same machine then two cookies will be maintained where each browser is a separate user for Asp.Net backend application

score -9 · Answer 4 · answered Apr 07 '10 at 03:30

-9

no, stored on server somewhere in tmp folder. sessions are serverside, cookies are client side.

answered Apr 07 '10 at 03:30

sdot257

10,046
26
88
122

1

Cookies are the default method of tying a user's session id to the session data on the server. – Michael Shimmins Apr 07 '10 at 03:35
in php sessions are stored on server. i didnt realize this was asp. my bad. – sdot257 Apr 07 '10 at 03:39
2

You're right in that the actual variable is stored on the server (though you can provide a different session state provider), but as Michael Shimmins points out, session token is stored in a cookie by default. – Roman Apr 07 '10 at 03:40
this would suck, if it's in a cookie, can't you manipulate the cookie? – sdot257 Apr 07 '10 at 03:45
In theory yes, you can change your session token to be something else, and if you correctly guess another session token you can hijack that person's session. But if your session tokens are generated fairly randomly, changing your token to some random token just means your session won't be retrieved properly next server request. – Roman Apr 07 '10 at 03:58
2

This is such a huge misconception I see amongst many (of my fellow) PHP developers. A PHP session id is just as well stored in a cookie on the client side. How else (excluding the less secure URL token methods) would PHP be able to identify the session id? Think about it. – Decent Dabbler Apr 07 '10 at 04:23

Do session use cookies?

4 Answers4

Linked