Chapter 8: Cookies and Session State


Overview

Web applications are by nature stateless because they communicate with users using HTTP, which is a stateless protocol. However, all but the most simplistic applications need to maintain some kind of state as users make requests. ATL Server provides two features for managing this information: session state and cookies.

Why do you need session state? Session state is the facility that enables you to store information about your users. A good example of session state is a customer's shopping cart and purchase information. Session state information is stored on the server (e.g., in a database); thus, the information isn't transmitted over the Web, making it perfect for sensitive information such as credit card numbers.

What about cookies? Well, cookies enable an application to maintain state by maintaining data on the user machine. Cookies send the data to the server on each request (as part of the header). This makes cookies unsuitable for sensitive information because all of the data that you've stored on your user's machine is sent with every request the user makes, no matter where the user makes those requests. So, any information that you store in a cookie should be as opaque as possible, as it's likely that it will be sent to other Web servers.
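The split described above, as an added example that is not from the book and does not use ATL Server's own API: the cookie carries only an opaque random identifier, while the sensitive data stays in a server-side store keyed by that identifier. The names `SessionStore`, `SessionData`, `setCookieHeader`, `cookieValue` and the cookie name `SESSIONID` are assumptions made for illustration, and `std::random_device` stands in for the operating system's cryptographic random generator.

```cpp
#include <map>
#include <random>
#include <sstream>
#include <string>

// Hypothetical server-side record: sensitive data stays here, never in the cookie.
struct SessionData {
    std::string cardNumber;
    int cartItems = 0;
};

class SessionStore {
public:
    // Creates a session and returns its opaque 128-bit hex identifier.
    std::string create(const SessionData& data) {
        static const char hex[] = "0123456789abcdef";
        std::random_device rd;  // stand-in; use the OS CSPRNG in production
        std::string id;
        for (int i = 0; i < 4; ++i) {
            unsigned int word = rd();
            for (int shift = 28; shift >= 0; shift -= 4)
                id += hex[(word >> shift) & 0xF];
        }
        sessions_[id] = data;
        return id;
    }
    // Returns nullptr for unknown or forged identifiers.
    const SessionData* find(const std::string& id) const {
        auto it = sessions_.find(id);
        return it == sessions_.end() ? nullptr : &it->second;
    }
private:
    std::map<std::string, SessionData> sessions_;
};

// Builds the response header; the cookie holds the identifier and nothing else.
std::string setCookieHeader(const std::string& id) {
    return "Set-Cookie: SESSIONID=" + id + "; Path=/; Secure; HttpOnly; SameSite=Lax";
}
// Extracts one cookie value from the value of a request "Cookie:" header.
std::string cookieValue(const std::string& header, const std::string& name) {
    std::istringstream in(header);
    std::string pair;
    while (std::getline(in, pair, ';')) {
        std::size_t start = pair.find_first_not_of(' ');
        std::size_t eq = pair.find('=');
        if (start != std::string::npos && eq != std::string::npos &&
            pair.compare(start, eq - start, name) == 0) return pair.substr(eq + 1);
    }
    return "";
}
```
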

As you build more complex Web applications, you'll begin to appreciate the ability to store information between requests. In this chapter you'll start by looking at how you can add session state support to your ATL Server application.




ATL Server: High Performance C++ on .NET