Re: Asp| Cookies vs Session Variables


From: Ken Schaefer (kenREMOVE_at_THISadOpenStatic.com)
Date: 03/31/04


Date: Wed, 31 Mar 2004 19:28:58 +1000

An in-memory cookie is stored in the client's memory. However the entire
cookie is transmitted between the browser and server for every request and
response (with the session variables, only the ASPSessionID is transmitted
in the cookie). So, if you store 30kb of stuff in there, it'll be quite
slow! Additionally, unless you use some kind of encryption mechanism, the
cookie's contents will be in plaintext, and can be altered by a malicious
user (either the end user, or a man-in-the-middle).

Session variables themselves aren't a particular burden on a server. Suppose
you have 1,000 active sessions, and you store a couple of hundred bytes for
each user - how much server memory is that? Not a great deal. Managing the
sessions consumes a few more MB, but that's about it. More worrying is the
fact that it's not easy to get "out" of an application that is designed to use
in-memory ASP session variables (e.g. you can't port half the app to ASP.Net
or something, it'll be all-or-nothing).

Cheers
Ken

"Ricardo" <anonymous@discussions.microsoft.com> wrote in message
news:78D28C7C-F02C-4BAD-B3E1-7E6CE32B4788@microsoft.com...
: Howdy ...
:
: I am wanting to maintain session state for an intranet application but the
: session timeout is becoming a problem, due to the need to spend quite a long
: time in filling in individual forms. I have currently set the session
: timeout to 30 minutes but this is not the ideal situation due to the
: overhead on the server.
:
: The alternative, I believe is to store the info. in cookies rather than
: session variables. I sort of figured "in-memory" cookies may be the way to
: go ('cos I do not want to write the data to disk).
:
: Will the load on the server be reduced if I were to use 'in-memory'
: cookies instead of session variables?
: I understand that cookies are stored on the local PC, but if I do not
: specify an expiry date which causes it to become an 'in memory' cookie, who
: bears the memory cost, the server or the user PC?
:
: Thanks in advance.....
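
Added example, not part of the original thread and not ASP code: a server-side check that detects the cookie alteration described in the reply when form state is kept in a cookie instead of a session variable. It uses an HMAC-SHA256 tag, which gives integrity only (the value stays readable, so hiding it would need encryption as well); the key, the function names and the sample state are constructed for illustration, and the 4096-byte limit is the common per-cookie browser limit.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real deployment keeps a random key on the server only.
SERVER_KEY = b"constructed-demo-key-not-for-production"
MAX_COOKIE_BYTES = 4096  # common per-cookie browser limit


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def seal(state: dict, key: bytes = SERVER_KEY) -> str:
    """Serialize form state and append an HMAC-SHA256 tag over it."""
    raw = json.dumps(state, separators=(",", ":"), sort_keys=True).encode()
    payload = _b64(raw)
    tag = _b64(hmac.new(key, payload.encode(), hashlib.sha256).digest())
    value = payload + "." + tag
    if len(value) > MAX_COOKIE_BYTES:
        # The whole cookie travels on every request; large state belongs server-side.
        raise ValueError("state too large for a cookie")
    return value


def unseal(value: str, key: bytes = SERVER_KEY):
    """Return the state dict, or None if the cookie was altered or malformed."""
    payload, sep, tag = value.partition(".")
    if not sep:
        return None
    expected = _b64(hmac.new(key, payload.encode(), hashlib.sha256).digest())
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return None
    try:
        return json.loads(_unb64(payload))
    except ValueError:
        return None
```

A cookie whose payload was edited by the client or in transit fails `unseal` and should be treated as absent; the tag does not stop an old, validly signed cookie from being sent again.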


