ASP.NET Cookies FAQ

源代码网整理以下Some information we"ve compiled from various sources, along with some of our own discoveries about cookies and ASP.NET. We will continue to add content to this article over time and in response to questions.
ASP.NET Cookies Overview

源代码网整理以下Cookies are associated with a Web site, not with a specific page, so the browser and server will exchange cookie information no matter what page the user requests from your site. As the user visits different sites, each site might send a cookie to the user"s browser; the browser stores all the cookies separately.

源代码网整理以下Cookie Limitations

源代码网整理以下Most browsers support cookies of up to 4096 bytes. THerefore, cookies are best used to store small amounts of data, or even better,only an identifier such as a user ID. This user ID can then be used to identify the user and read user information from a database or other data store. In the case of Forms Authentication, the Forms cookie can store its own expiration time, as well as custom UserData (roles, preferences, etc.) This can eliminate the need to use Session to store small amounts of user-specific data. Forms auth cookies are normally encrypted. Cookie data can be compressed to allow storage of entire classes in .Net.

源代码网整理以下Browsers impose limitations on how many cookies your site can store on the user"s computer. Most browsers allow only 20 cookies per site; if you try to store more, the oldest cookies are discarded. Some browsers also put an absolute limit, usually 300, on the number of cookies they will accept from all sites combined.

源代码网整理以下A cookie limitation that you might encounter is that users can set their browser to refuse cookies. If you define a P3P privacy policy and place it in the root of your Web site, more browsers will accept cookies from your site. Instead of creating and uploading privacy policies to your sites, you can also serve a “compact policy,” i.e. a “p3p” HTTP header, e.g.: “IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT”. A policy generator can produce one instead of an XML file. In ASP.NET it’s a one-liner that you can put into your page base class or master page:

源代码网整理以下HttpContext.Current.Response.AddHeader ("p3p","CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"");

源代码网整理以下If you do so programmatically, just make sure to add this line early in the page life cycle. If your code redirects or throws an exception too early, the “p3p” header will be missing. As an alternative, you can get IIS to send this header at all times, but in this case the header will appear on everything: images, stylesheets, JavaScript files, etc. Those files don’t really need it.

源代码网整理以下You can review the official P3P Policy specification here:  http://www.w3.org/P3P/usep3p.html 软件开发网 www.mscto.com

源代码网整理以下Although cookies can be very useful in your application, you should try to avoid having the application depend on being able to store cookies. Do not use cookies to support critical features. If your application must rely on cookies, you can test to see whether the browser will accept cookies. ASP.NET Session relies on cookies. With ASP.NET, we have the ability to configure the Session as "cookieless" where the SessionId is "munged" onto the URL. You can also set this to "auto" and the runtime will determine which mode to use.

源代码网整理以下Writing Cookies 软件开发网 www.mscto.com

源代码网整理以下The browser manages cookies on a user system. Cookies are sent to the browser via the HttpResponse object that exposes a collection called Cookies. You can access the HttpResponse object as the Response property of your Page class. Any cookies that you want to send to the browser must be added to this collection. When creating a cookie, you specify a Name and Value. Each cookie must have a unique name so that it can be identified later when reading it from the browser. Because cookies are stored by name, naming two cookies the same will cause one to be overwritten.

源代码网整理以下You can also set a cookie"s date and time expiration. Expired cookies are deleted by the browser when a user visits the site that wrote the cookies. The expiration of a cookie should be set for as long as your application considers the cookie value to be valid. For a cookie to effectively never expire, you can set the expiration date to be 50 years from now.

源代码网整理以下Note: Users can clear the cookies on their computer at any time. Utilities such as CCleaner ("crap cleaner") allow you to set the cookies you want to keep, and delete all the rest.
 

源代码网整理以下If you do not set the cookie"s expiration, the cookie is created but it is not stored on the user"s hard disk. Instead, the cookie is maintained in memory as part of the user"s session information. When the user closes the browser, the cookie is discarded. A non-persistent cookie like this is useful for information that needs to be stored for only a short time or that for security reasons should not be written to disk on the client computer. For example, non-persistent cookies are useful if the user is working on a public computer, where you do not want to write the cookie to disk.

源代码网整理以下ASP.NET 2.0 "HttpOnly" Cookies and fix:

源代码网整理以下Internet Explorer 6 SP1 and higher supports an extra "HttpOnly" cookie attribute that prevents client-side script from accessing the cookie via the document.cookie property. Cookies still round trip.

源代码网整理以下 In ASP.NET 1.1, you can  add this to the Global.asax and catch all the cookies on the way out. You could choose to do this to specific cookies if you like. 软件开发网 www.mscto.com

源代码网整理以下protected void Application_EndRequest(Object sender, EventArgs e)
{  
foreach(string cookie in Response.Cookies)  
{      
  const string HTTPONLY = ";HttpOnly";      
  string path = Response.Cookies[cookie].Path;     
  if (path.EndsWith(HTTPONLY) == false)     
  {          
  //force HttpOnly to be added to the cookie         
  Response.Cookies[cookie].Path += HTTPONLY;      
  }  
  }
  }
 
 ASP.NET 2.0 can do all this for you via a Web.config setting.

源代码网整理以下GOTCHA: If you do this in your ASP.NET 1.1 app and then run your 1.1 app under 2.0 without changes, be aware that ASP.NET 2.0 will append ANOTHER HttpOnly after every cookie giving you the value TWICE. You"ll then need to turn if off in web.config as your code would be handling it.

源代码网整理以下<httpCookies httpOnlyCookies="false" requireSSL="false" domain="" />

源代码网整理以下
You can add cookies to the Cookies collection in a number of ways. The following example shows two methods to write cookies:

源代码网整理以下Response.Cookies["userName"].Value = "patrick";
Response.Cookies["userName"].Expires = DateTime.Now.AddDays(1);
// the above creates the cookie, or overwrites it if the cookie already exists.

源代码网整理以下HttpCookie aCookie = new HttpCookie("lastVisit");
aCookie.Value = DateTime.Now.ToString();
aCookie.Expires = DateTime.Now.AddDays(1);
Response.Cookies.Add(aCookie);

源代码网整理以下
The example adds two cookies to the Cookies collection, one named userName and the other named lastVisit. For the first cookie, the values of the Cookies collection are set directly. You can add values to the collection this way because Cookies derives from a specialized collection of type NameObjectCollectionBase.

软件开发网 www.mscto.com

源代码网整理以下For the second cookie, the code creates an instance of an object of type HttpCookie, sets its properties, and then adds it to the Cookies collection via the Add method. When you instantiate an HttpCookie object, you must pass the cookie name as part of the constructor.

源代码网整理以下Both examples accomplish the same task, writing a cookie to the browser. In both methods, the expiration value must be of type DateTime. However, the lastVisited value is also a date-time value. Because all cookie values are stored as strings, the date-time value has to be converted to a String .

源代码网整理以下Cookies with More Than One Value

源代码网整理以下You can store one value in a cookie, such as user name or last visit. You can also store multiple name-value pairs in a single cookie. The name-value pairs are referred to as subkeys.  For example, instead of creating two separate cookies named userName and lastVisit, you can create a single cookie named userInfo that has the subkeys userName and lastVisit.

源代码网整理以下You might use subkeys for several reasons. First, it is convenient to put related or similar information into a single cookie. In addition, because all the information is in a single cookie, cookie attributes such as expiration apply to all the information.

源代码网整理以下A cookie with subkeys also helps you limit the size of cookie files. As noted earlier in the "Cookie Limitations" section, cookies are usually limited to 4096 bytes and you can"t store more than 20 cookies per site. By using a single cookie with subkeys, you use fewer of those 20 cookies that your site is allotted. In addition, a single cookie takes up about 50 characters for overhead (expiration information, and so on), plus the length of the value that you store in it, all of which counts toward the 4096-byte limit. If you store five subkeys instead of five separate cookies, you save the overhead of the separate cookies and can save around 200 bytes.

源代码网整理以下To create a cookie with subkeys, you can use a variation of the syntax for writing a single cookie. The following example shows two ways to write the same cookie, each with two subkeys:

源代码网整理以下
Response.Cookies["userInfo"]["userName"] = "patrick";
Response.Cookies["userInfo"]["lastVisit"] = DateTime.Now.ToString();
Response.Cookies["userInfo"].Expires = DateTime.Now.AddDays(1);