ASP.NET Cookies Overview
About cookies
A cookie is a small bit of text that accompanies requests and pages as they go between the Web server and browser. The cookie contains information the Web application can read whenever the user visits the site.
If you're a Windows user, examine the Cookies directory in your user directory, which is within the Documents And Settings directory. This directory contains text files whose names have this format:
username@domain, where domain is the Web site that created the cookie
Cookie interaction in ASP.NET
The .NET System.Web namespace has three classes that you can use to work with client-side cookies:
* HttpCookie: Provides a type-safe way to create and manipulate individual HTTP cookies.
* HttpResponse: The Cookies property allows client cookies to be manipulated.
* HttpRequest: The Cookies property allows access to cookies that the client maintains.
The Cookies property of both the HttpResponse and HttpRequest objects returns an HttpCookieCollection object. It has methods to add and retrieve individual cookies to and from the collection.
HttpCookie class
The HttpCookie class allows individual cookies to be created for client storage. Once the HttpCookie object is created and populated, you can add it to the Cookies property of the HttpResponse object. Likewise, you can access existing cookies via the HttpRequest object. The HttpCookie class contains the following public properties:
* Domain: Gets or sets the domain associated with the cookie. This may be used to limit cookie access to the specified domain.
* Expires: Gets or sets the expiration date and time for the cookie. You may set this to a past date to automatically expire or delete the cookie.
* Name: Gets or sets the cookie name.
* Path: Gets or sets the cookie's virtual path. This allows you to limit the cookie's scope; that is, access to the cookie may be limited to a specific folder or directory. Setting this property limits its access to the specified directory and all directories beneath it.
* Secure: Signals whether the cookie value is transmitted using Secure Sockets Layer (SSL).
* Value: Gets or sets an individual cookie value.
* Values: Retrieves a collection of key/value pairs contained within the cookie.
While this isn't an exhaustive list, it provides everything you need to work with cookies. An example will give you a better idea of how it works:
HttpCookie testCookie = new HttpCookie("LastVisited");
testCookie.Value = DateTime.Now.ToString();
testCookie.Expires = DateTime.Now.AddDays(7);
Response.Cookies.Add(testCookie);
This code creates a new cookie named LastVisited, populates its value with the current date and time, and sets the cookie's expiration to one week from now. Once the object is populated, it's added to the client's cookies collection via the Response.Cookies object's Add method. The HttpCookie constructor has two variations:
* HttpCookie objectName = new HttpCookie("cookieName");
* HttpCookie objectName = new HttpCookie("cookieName", "cookieValue");
Also, the Response object contains a SetCookie method that accepts an HttpCookie object.
Once cookies are stored on the client, there are various ways to access them. If you know the cookie name, you can easily access its value(s) through the Cookies property of the HttpRequest object.
Changing a Cookie's Expiration Date
The browser is responsible for managing cookies, and the cookie's expiration time and date help the browser manage its store of cookies. Therefore, although you can read the name and value of a cookie, you cannot read the cookie's expiration date and time. When the browser sends cookie information to the server, the browser does not include the expiration information. (The cookie's Expires property always returns a date-time value of zero.) If you are concerned about the expiration date of a cookie, you must reset it, which is covered in the "Modifying and Deleting Cookies" section.
Reading Cookie Collections
You might occasionally need to read through all the cookies available to the page. To read the names and values of all the cookies available to the page, use code like the following example:
System.Text.StringBuilder output = new System.Text.StringBuilder();
HttpCookie aCookie;
for(int i=0; i<Request.Cookies.Count; i++)
{
aCookie = Request.Cookies[i];
output.Append("Cookie name = " + Server.HtmlEncode(aCookie.Name)
+ "<br />");
output.Append("Cookie value = " + Server.HtmlEncode(aCookie.Value)
+ "<br /><br />");
}
Label1.Text = output.ToString();
Modifying and Deleting Cookies
You cannot directly modify a cookie. Instead, changing a cookie consists of creating a new cookie with new values and then sending the cookie to the browser to overwrite the old version on the client.
Deleting Cookies
Deleting a cookie—physically removing it from the user's hard disk—is a variation on modifying it. You cannot directly remove a cookie because the cookie is on the user's computer. However, you can have the browser delete the cookie for you. The technique is to create a new cookie with the same name as the cookie to be deleted, but to set the cookie's expiration to a date earlier than today. When the browser checks the cookie's expiration, the browser will discard the now-outdated cookie.
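The create, read and delete steps described above, as one added example that is not code from the original post. It assumes a System.Web page or handler where Request and Response are available; the Path value "/account" is constructed, and HttpOnly is a real HttpCookie property that the post's property list does not mention.

```csharp
using System;
using System.Web;

// Added example: the full life cycle of the post's "LastVisited" cookie.
// Path "/account" is a constructed value; Domain is left at the request host.
public static class LastVisitedCookie
{
    private const string Name = "LastVisited";
    private const string Path = "/account";

    // Create (or overwrite) the cookie. Modifying is the same call: a new cookie
    // with the same name, Domain and Path replaces the browser's copy.
    public static void Write(HttpResponse response)
    {
        HttpCookie cookie = new HttpCookie(Name, DateTime.UtcNow.ToString("o"));
        cookie.Expires = DateTime.UtcNow.AddDays(7); // browser discards it after a week
        cookie.Path = Path;                          // sent only for /account and below
        cookie.Secure = true;                        // sent only over SSL/TLS
        cookie.HttpOnly = true;                      // not in the post's list: hidden from client script
        response.Cookies.Add(cookie);
    }

    // Read it back. Request.Cookies[name] is null when the cookie is absent
    // (first visit, cookies disabled, or deleted by the user), so never index blindly.
    public static DateTime? Read(HttpRequest request)
    {
        HttpCookie cookie = request.Cookies[Name];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
            return null;
        DateTime when;
        // The value is user-controlled: parse it rather than trusting its format.
        bool ok = DateTime.TryParse(cookie.Value, null,
            System.Globalization.DateTimeStyles.RoundtripKind, out when);
        return ok ? when : (DateTime?)null;
    }

    // Delete: same name and scope, empty value, expiry in the past. If Path (or
    // Domain) differs from the original, the browser keeps the old cookie and
    // stores this one beside it instead of discarding it.
    public static void Delete(HttpResponse response)
    {
        HttpCookie expired = new HttpCookie(Name, string.Empty);
        expired.Path = Path;
        expired.Expires = DateTime.UtcNow.AddDays(-1);
        response.Cookies.Add(expired);
    }
}
```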
Cookies and Security
The security issues with cookies are similar to those of getting any data from the client. In your application, cookies are another form of user input and are therefore subject to examination and spoofing. At a minimum, a user can see the data that you store in a cookie, since the cookie is available on the user's own computer. The user can also change the cookie before the browser sends it to you.
You should never store sensitive data in a cookie, such as user names, passwords, credit card numbers, and so on. Do not put anything in a cookie that should not be in the hands of a user or of someone who might somehow steal the cookie.
Similarly, be suspicious of information you get out of a cookie. Do not assume that the data is the same as when you wrote it out; use the same safeguards in working with cookie values that you would with data that a user has typed into a Web page. The examples earlier in this topic showed HTML-encoding the contents of a cookie before displaying the value in a page, as you would before displaying any information you get from users.
Cookies are sent between browser and server as plain text, and anyone who can intercept your Web traffic can read the cookie. You can set a cookie property that causes the cookie to be transmitted only if the connection uses the Secure Sockets Layer (SSL). SSL does not protect the cookie from being read or manipulated while it is on the user's computer, but it does prevent the cookie from being read while in transit because the cookie is encrypted.
The cookie files are stored on the client machine, so your users can delete or edit them at any time. In addition, some users may disable cookies. For this reason, never rely on that data. You should store critical information on the server--preferably in a database. Also, you should use cookies only for minor information that may customize the user experience.
Storing critical information in a cookie is considered poor practice because the cookie can be viewed easily; the better approach is to keep sensitive information out of cookies altogether.
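Treating cookie data as user input, as the section above advises, shown as an added example that is not code from the original post. It writes a multi-valued "Prefs" cookie through the Values collection and reads it back with an allow-list and a bounded integer parse; the cookie name and its subkeys "theme" and "pageSize" are constructed, and a System.Web Request/Response is assumed.

```csharp
using System;
using System.Web;

// Added example: only non-sensitive UI settings go in the cookie, and every value
// coming back is validated the same way a form field would be.
public static class PrefsCookie
{
    private static readonly string[] AllowedThemes = { "light", "dark" };

    public static void Write(HttpResponse response, string theme, int pageSize)
    {
        HttpCookie prefs = new HttpCookie("Prefs");      // constructed cookie name
        prefs.Values["theme"] = theme;                   // subkeys of one cookie
        prefs.Values["pageSize"] = pageSize.ToString();
        prefs.Expires = DateTime.UtcNow.AddDays(30);
        prefs.Secure = true;                             // transmit only over SSL/TLS
        prefs.HttpOnly = true;                           // keep it away from client script
        response.Cookies.Add(prefs);
    }

    // The user can edit the file on disk or the request in transit, so accept
    // only values the server itself would have written and fall back otherwise.
    public static string ReadTheme(HttpRequest request)
    {
        HttpCookie prefs = request.Cookies["Prefs"];     // null if absent or disabled
        string theme = prefs == null ? null : prefs.Values["theme"];
        foreach (string allowed in AllowedThemes)
            if (string.Equals(theme, allowed, StringComparison.Ordinal))
                return allowed;
        return "light";                                  // default when missing or tampered
    }

    public static int ReadPageSize(HttpRequest request)
    {
        HttpCookie prefs = request.Cookies["Prefs"];
        string raw = prefs == null ? null : prefs.Values["pageSize"];
        int size;
        // Bound the number: an edited cookie must not be able to request the whole table.
        if (int.TryParse(raw, out size) && size >= 10 && size <= 100)
            return size;
        return 25;
    }
}
```

Anything that the server must be able to trust, such as the user's identity or role, stays in server-side storage and is looked up from there rather than read from the cookie.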
Thx
Kirthika