ASP.NET Cookies

A cookie is a small bit of text that accompanies requests and pages as they go between the Web server and browser. The cookie contains information the Web application can read whenever the user visits the site.

A Visual Studio project with source code is available to accompany this topic: Download.

Scenarios
Cookies provide a means in Web applications to store user-specific information. For example, when a user visits your site, you can use cookies to store user preferences or other information. When the user visits your Web site another time, the application can retrieve the information it stored earlier.

Cookie Limitations
Most browsers support cookies of up to 4096 bytes. Because of this small limit, cookies are best used to store small amounts of data, or better yet, an identifier such as a user ID. The user ID can then be used to identify the user and read user information from a database or other data store. (See the section "Cookies and Security" below for information about security implications of storing user information.)

How to: Write a Cookie
Cookies provide a means in Web applications to store user-specific information, such as history or user preferences. A cookie is a small bit of text that accompanies requests and responses as they go between the Web server and client. The cookie contains information that the Web application can read whenever the user visits the site.

The browser manages the cookies on client computers. Cookies are sent to the client using the HttpResponse object, which exposes a property called Cookies. Any cookies that you want your Web application to send to the browser must be added to this collection. When you write a new cookie, you must specify the Name and Value. Each cookie must have a unique name so that your Web application can identify it when the browser sends it with future requests.

There are two ways to write a cookie to a user's computer. You can either directly set cookie properties on the Cookiescollection or you can create an instance of the HttpCookie object and add it to the Cookies collection. You must create cookies before the ASP.NET page is rendered to the client. For example, you can write a cookie in a Page_Load event handler but not in a Page_Unload event handler. 

To write a cookie by setting cookie properties on the Cookies collection
In the ASP.NET page you want to write a cookie, assign properties to a cookie in the Cookies collection.


The following code example shows a cookie named UserSettings with the values of the subkeys Font and Color set. It also sets the expiration time to be tomorrow.

Response.Cookies["UserSettings"]["Font"] = "Arial";
Response.Cookies["UserSettings"]["Color"] = "Blue";
Response.Cookies["UserSettings"].Expires = DateTime.Now.AddDays(1d);

To write a cookie by creating an instance of the HttpCookie object

• Create an object of type HttpCookie and assign it a name.
• Assign values to cookie's subkeys and set any cookie properties.
• Add the cookie to the Cookies collection.

The following code example shows an instance of the HttpCookie object named myCookie, which represents a cookie named UserSettings.

HttpCookie myCookie = new HttpCookie("UserSettings");

myCookie["Font"] = "Arial";

myCookie["Color"] = "Blue";

myCookie.Expires = DateTime.Now.AddDays(1d);

Response.Cookies.Add(myCookie);

How to: Read a Cookie
Cookies provide a means in Web applications to store user-specific information, such as
history or user preferences. A cookie is a small bit of text that accompanies requests and
responses as they go between the Web server and client. The cookie contains information
that the Web application can read whenever the user visits the site.

The browser is responsible for managing cookies on a user system. Cookies are sent to the
server with a page request and are accessible as part of the HttpRequest object, which
exposes a Cookies collection. You can read only cookies that have been created by pages
in the current domain or path.Procedure

To read a cookie
Read a string from the Cookies collection using the cookie's name as the key.
The following example reads a cookie named UserSettings and then reads the value of the
subkey named Font.

if (Request.Cookies["UserSettings"] != null)
{
    string userSettings;
    if (Request.Cookies["UserSettings"]["Font"] != null)
    { userSettings = Request.Cookies["UserSettings"]["Font"]; }
}

How to: Delete a Cookie
You cannot directly delete a cookie on a user's computer. However, you can direct the
user's browser to delete the cookie by setting the cookie's expiration date to a past date.
The next time a user makes a request to a page within the domain or path that set the
cookie, the browser will determine that the cookie has expired and remove it.

To assign a past expiration date on a cookie

• Determine whether the cookie exists, and if so, create a new cookie with the same name.
• Set the cookie's expiration date to a time in the past.
• Add the cookie to the Cookies collection object.

The following code example shows how to set a past expiration date on a cookie.

if (Request.Cookies["UserSettings"] != null)
{
    HttpCookie myCookie = new HttpCookie("UserSettings");
    myCookie.Expires = DateTime.Now.AddDays(-1d);
    Response.Cookies.Add(myCookie);
}