I would like to know can we delete cookie from cookies collection what we have created in asp.net website.I tried & find Expiration Logic.It works but it shows in browser cookie.
Response.Cookies["UserID"].Expires = DateTime.Now.AddDays(-1);
Is there any other way by this we can delete cookies from collection so it will not show in browser cookies.
Please help me to solve the issue.Thanks in advance.
From the documentation:
You cannot directly delete a cookie on
a user's computer. However, you can
direct the user's browser to delete
the cookie by setting the cookie's
expiration date to a past date. The
next time a user makes a request to a
page within the domain or path that
set the cookie, the browser will
determine that the cookie has expired
and remove it.
So, your strategy is the right one, and the cookie should disappear from the browser once the response is received.
I'm not sure you can delete the cookie since you don't have access to delete anything on the client computer. All you can do is basically what you are doing, that is invalidating the cookie for your application. I think it is up to the client software to decide if the cookie should be deleted or not, all you can do is set the timestamp as you are doing and that means that you will no longer accept that cookie.
Related
I have created an asp.net page which store user specific data in session variable.
string key= Session.SessionID;
Session.Add(key,"myData");
Till now I have been testing it on chrome and everything works properly. But as soon as I started testing it on IE 10, the functionality stops working. Later on I figured it out that on each post back the IE returns new value of Session.SessionID while this value is persistent in Chrome.
Please let me know how can I resolve this issue.
You need to enable cookies in IE.
Session works in this way - It depends on client cookie to uniquely identify a client, and it saves the unique value to cookie, and it depends on your web.config setting, if cookieless = false, then it stores in client cookie.
When request comes from a client, it gets your session stored (in server) value using that uniquely identifiable cookie.
If cookie is disabled, it will create new session each time for each request, that is why you are getting new session id every time in IE, as it might have cookie disabled.
I have this code:
Response.Cache.SetExpires(DateTime.Now.AddMinutes(60));
Response.Cache.SetCacheability(HttpCacheability.Public);
I'm trying to cache the entire page on client's browser and any other proxy in between client browser and my servers.
It's all working well until one user logins. After this action all users have in the header the user name and a logout button.
How can I solve this issue?
I think I have 2 options:
Cache the entire page without user info on the header. Then, make a async request to get user's information
Write a cookie every time the user logins and control CDN cache with this cookie (just cache if there is no cookie https://docs.fastly.com/guides/caching/how-do-i-use-a-cookie-as-a-cache-key)
Is there any other solution?
Make use of ESI feature in Akamai.
In a sample/default MVC 4 project, I can see that when the User logs in with Remember Me checkbox on, the persistCookie parameter of the WebSecurity.Login method is set to true.
How exactly does that work? Where exactly is the value of persistCookie is saved? I looked through the tables that are created for the Security feature and do not see anywhere that the user is set to persist login.
What mechanism enables the user to log in? Is it simply the presence of the .ASPXAUTH cookie? Or does it actually compare the cookie value to something that I am not seeing.
How exactly does that work?
By creating a persistent cookie.
Where exactly is the value of persistCookie is saved?
As a file on the client machine so that it survives browser restarts.
What mechanism enables the user to log in?
This mechanism is called persistent cookie. A cookie is considered persistent if when being set the Expires property is being set to some date in the future. In this case the browser will store the cookie on the client computer as a file instead of keeping it in memory.
Here's an example of how creating a persistent cookie looks like in terms of the HTTP protocol:
Set-Cookie: CookieName=CookieValue;Path=/;Expires=Wed, 12-Oct-2016 21:47:09 GMT;
And here's how a setting a session cookie looks like which will not survive browser restarts:
Set-Cookie: CookieName=CookieValue;Path=/;
Now go ahead, download Fiddler and inspect the network traffic to see the difference.
The identity is stored in the cookie and decrypted upon each request.
Persistent cookie means that the cookie will be automatically attached to requests by the browser for some period of time.
No magic and also no need to store open sessions at the server side. As long as a cookie decrypts correctly, it is accepted as the server assumes that no one is able to forge a cookie on its own. This requires that the cookie value is encrypted or at least signed.
Guys, I am trying to make a website that keeps a cookie active, so long as the user is active in the site. My idea was to create a cookie on the main page of the site, like so:
HttpCookie cookie = new HttpCookie("KeepAlive","1");
cookie.Expires = DateTime.Now.AddMinutes(20);
Request.Cookies.Add(cookie);
If I have this code in my Page_Load event on every page, this should keep refreshing the cookie. If, after 20 minutes, the cookie expires, it will kick them back to the main screen. I just want to make sure I am going about this the right way.
Thanks
I think you should look at using session for that. With Session, you can set a timeout (20 minutes by default), and the rest will occur automatically (updating the active status, etc).
EDIT (more on Session):
By using session, the site user can be identified throughout their experience. This happens automatically, without any need for the developer to code for it or to test that it works.
Session is stored on the server, and is therefore safer (users can modify their cookies)
You can run code at the start, or at the end of any session (using a global.asax file)
Sessions can be setup as cookieless (users may have cookies disabled)
You can store c# objects in session variables so that they are available through the active session (stored in server memory).
I can't think of any more advantages in this case. I invite others to leave comments with their thoughts.
If you really want to use cookies for this, Yes, You are going the right way.
You need to add the cookie to the Response object, not the Request object.
basically, if cookeis are disabled on the client, im wondering if this...
dim newCookie = New HttpCookie("cookieName", "cookieValue")
newCookie.Expires = DateTime.Now.AddDays(1)
response.cookies.add(newCookie)
notice i set a date, so it should be stored on disk, if cookies are disabled does asp.net automatically store this cookie as a session cookie (which is a cookie that lasts in browser memory until the user closes the browser, if i am not mistaken).... OR does asp.net not add the cookie at all (anywhere) in which case i would have to re-add the cookie to the collection without the date (which stores as a session cookie)... of course, this would require me doing the addition of a cookie twice... perhaps the second time unnecessarily if it is being stored in browsers memory anyway... im just trying not to store it twice as it's just bad code!! any ideas if i need to write another line or not? (which would be)...
response.cookies.add(New HttpCookie("cookieName", "cookieValue") ' session cookie in client browser memory
thanks guys
This MSDN article seems to indicate that there is no built in mechanism for compensating with the user disabling cookies. It also indicates that session state does not work without at least some level of cookies being enabled.
I thought that there was a mechanism for passing a query variable for the session id but skimming the article (quickly) I did not see this.
Hope that helps.
EDIT: It does say that you can use cookieless sessions (I thought you could). They use a separate mechanism to embed session ID in the pages and url links.
To follow up on GrayWizardx's reply, much of what was said is completely accurate.
If you are using a Cookie'd version of Session, and cookies are disabled then you are out of luck. But you have the option to have a cookieless version of the Session, which adds a string to the URL that shows the users session id. This is very ugly looking, and has always concerned me from a security perspective.
So you have three options (that I can think of off the top of my head):
1. Require cookies. This is not a bad thing, especially if your site is one that would have requiring cookies as normal.
2. Use ViewState.
3. Pass information from page to page within the URL. This, again worries me from a security perspective.