14.4. Using Cookies

Cookies are key-value pairs that are stored on the client computer. Using cookies to persist information is a simple and easy option in ASP.NET if you need to maintain state when working with Web applications. Cookies are passed along with the HTTP request to the server and are used to identify the user upon receipt.

14.4.1. Advantages to Using Cookies

There are advantages to using cookies within your ASP.NET Web applications to store simple data. First, cookies do not require server resources because none of the cookies are stored on the server. Second, you can set cookies to expire when the browser is shut down or at any date in the future. Therefore, it is possible for the application to remember the user if he returns weeks or months later.

14.4.2. Disadvantages to Using Cookies

There are also some negatives to using cookies. One is that cookies need to be small: you cannot send large amounts of data to clients to store on their machines. Generally, there is a 4,096-byte limit to the size of a cookie, which limits the types of data that you can store. For some applications, cookies can also pose serious security risks, because it is easy for knowledgeable users to change them. This can be a major problem if you are using cookies to help users gain access to private information.

I know of a financial institution that was storing each user's account number as a cookie on the client's machine. The application that displayed information about the users' accounts used this cookie to give a user access to his account. You can see the problem here. All you had to do was change the numbers in the cookie and you were in someone else's account.
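The account-number cookie described above could be altered because the server had no way to tell that the value had changed. The following added example (not code from the original text) shows one way to make a cookie value tamper-evident with an HMAC tag; the class name `SignedCookieValue`, the key, and the account number are constructed for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class SignedCookieValue
{
    // Constructed placeholder; a real key is assumed to live only in server configuration.
    private static readonly byte[] Key = Encoding.UTF8.GetBytes("constructed-demo-key");

    // Hex-encoded HMAC-SHA256 of the value, computed with the server-side key.
    private static string Tag(string value)
    {
        using (HMACSHA256 hmac = new HMACSHA256(Key))
            return BitConverter.ToString(
                hmac.ComputeHash(Encoding.UTF8.GetBytes(value))).Replace("-", "");
    }

    // Text to store in the cookie: the value followed by its tag.
    public static string Protect(string value)
    {
        return value + "|" + Tag(value);
    }

    // Returns true, with the original value, only if the tag matches the value.
    public static bool TryUnprotect(string cookieText, out string value)
    {
        value = null;
        int sep = (cookieText ?? "").LastIndexOf('|');
        if (sep < 0) return false;
        string candidate = cookieText.Substring(0, sep);
        string expected = Tag(candidate);
        string actual = cookieText.Substring(sep + 1);
        // Compare every character so timing does not reveal the first mismatch.
        int diff = expected.Length ^ actual.Length;
        for (int i = 0; i < expected.Length && i < actual.Length; i++)
            diff |= expected[i] ^ actual[i];
        if (diff != 0) return false;
        value = candidate;
        return true;
    }

    public static void Main()
    {
        string v, cookie = Protect("10004321");   // constructed account number
        string forged = cookie.Replace("10004321", "10004322");
        Console.WriteLine("original accepted: " + TryUnprotect(cookie, out v));
        Console.WriteLine("edited accepted:   " + TryUnprotect(forged, out v));
    }
}
```

The tag only detects changes: the value is still readable on the client and an unmodified cookie can be replayed, so the server must still check that the signed-in user is allowed to see the account named in the cookie.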

Listing 14-6 provides an example of working with cookies.

Example 14-6. Working with cookies
<%@ Page Language="C#" %>

<script runat="server">

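    protected void Page_Load(object sender, EventArgs e)
    {
        // Read the cookie sent by the browser, if any.
        HttpCookie MyCookie1 = Request.Cookies["CalcAccess"];

        if (MyCookie1 != null)
        {
            Label1.Visible = true;
            // The cookie value comes from the client, so encode it before display.
            Label1.Text = "You last accessed this calculator on: " +
                          Server.HtmlEncode(MyCookie1["LastAccessed"]);
        }
    }

    protected void Button1_Click(object sender, EventArgs e)
    {
        // Record the time of this click in a cookie on the client.
        HttpCookie MyCookie = new HttpCookie("CalcAccess");
        MyCookie.Values.Add("LastAccessed", (DateTime.Now).ToString());
        MyCookie.HttpOnly = true;  // client-side script does not need this cookie
        Response.AppendCookie(MyCookie);

        // Validate the input instead of letting Int32.Parse throw on bad text.
        int first, second;
        if (Int32.TryParse(TextBox1.Text, out first) &&
            Int32.TryParse(TextBox2.Text, out second))
        {
            Label2.Text = (first + second).ToString();
        }
        else
        {
            Label2.Text = "Please enter two whole numbers.";
        }
    }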

</script>

<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title>Working with Cookies</title>
</head>
<body>
    <form id="form1" runat="server">
    <div>
        <asp:ScriptManager ID="ScriptManager1" runat="server">
        </asp:ScriptManager>
        <p>
            <font face="Verdana" size="2"><strong>
             Enter two numbers and press the Add button.</strong></font></p>
        <p>
            <asp:TextBox ID="TextBox1" runat="server"></asp:TextBox></p>
        <p>
            <asp:TextBox ID="TextBox2" runat="server"></asp:TextBox></p>
        <asp:UpdatePanel ID="UpdatePanel1" runat="server">
            <ContentTemplate>
                <p>
                    <asp:Button ID="Button1" runat="server" Text="Add"
                     OnClick="Button1_Click"></asp:Button></p>
                <p>
                    <asp:Label ID="Label1" runat="server"
                     Visible="False"></asp:Label></p>
                <p>
                    <asp:Label ID="Label2" runat="server"></asp:Label></p>
            </ContentTemplate>
        </asp:UpdatePanel>
    </div>
    </form>
</body>
</html>

In this example, you placed a cookie on the client's machine whenever he triggered the button click event. Therefore, the second time the client clicked the button in the Web application, he was shown a message indicating the last time he accessed the page. You will find that using cookies along with the consumption of Web applications is a good and easy way to maintain state in your applications.
