This is a discussion on ASP.NET Cookies Overview within the ASP and ASP.NET Programming forums, part of the Web Development category.
About cookies

A cookie is a small bit of text that accompanies requests and pages as they go between the Web server and browser. The cookie contains information the Web application can read whenever the user visits the site. If you're a Windows user, examine the Cookies directory in your user directory, which is within the Documents And Settings directory. This directory contains text files with this filename format:

username @ Web site domain that created the cookie

Cookie interaction in ASP.NET

The .NET System.Web namespace has three classes that you can use to work with client-side cookies:

* HttpCookie: provides a type-safe way to create and manipulate individual HTTP cookies.
* HttpResponse: The Cookies property allows client cookies to be manipulated.
* HttpRequest: The Cookies property allows access to cookies that the client maintains.

The Cookies property of both the HttpResponse and HttpRequest objects returns an HttpCookieCollection object. It has methods to add and retrieve individual cookies to and from the collection.

HttpCookie class

The HttpCookie class allows individual cookies to be created for client storage. Once the HttpCookie object is created and populated, you can add it to the Cookies property of the HttpResponse object. Likewise, you can access existing cookies via the HttpRequest object.

The HttpCookie class contains the following public properties:

* Domain: Gets or sets the domain associated with the cookie. This may be used to limit cookie access to the specified domain.
* Expires: Gets or sets the expiration date and time for the cookie. You may set this to a past date to automatically expire or delete the cookie.
* Names: Gets or sets the cookie name.
* Path: Gets or sets the cookie's virtual path. This allows you to limit the cookie's scope; that is, access to the cookie may be limited to a specific folder or directory. Setting this property limits its access to the specified directory and all directories beneath it.
* Secure: Signals whether the cookie value is transmitted using Secure Sockets Layer (SSL).
* Value: Gets or sets an individual cookie value.
* Values: Retrieves a collection of key/value pairs contained within the cookie.

While this isn't an exhaustive list, it provides everything you need to work with cookies. An example will give you a better idea of how it works:

    // Create the cookie and give it a value and a one-week lifetime.
    HttpCookie testCookie = new HttpCookie("LastVisited");
    testCookie.Value = DateTime.Now.ToString();
    testCookie.Expires = DateTime.Now.AddDays(7);
    // Queue the cookie to be sent to the browser with the response.
    Response.Cookies.Add(testCookie);

This code creates a new cookie with the name LastVisited and populates the value with today's date and time. Also, the cookie expiration is set to one week, and the associated domain is populated. Once the object is created, it's added to the client's cookies collection via the Response.Cookies object's Add method.

The HttpCookie constructor method has two variations:

* HttpCookie objectName = new HttpCookie("cookieName");
* HttpCookie objectName = new HttpCookie("cookieName", "cookieValue");

Also, the Response object contains a SetCookie method that accepts an HttpCookie object. Once cookies are stored on the client, there are various ways that you can access them. If you know the cookie name, you can easily access its value(s) with the HttpResponse object.

Changing a Cookie's Expiration Date

The browser is responsible for managing cookies, and the cookie's expiration time and date help the browser manage its store of cookies. Therefore, although you can read the name and value of a cookie, you cannot read the cookie's expiration date and time. When the browser sends cookie information to the server, the browser does not include the expiration information. (The cookie's Expires property always returns a date-time value of zero.) If you are concerned about the expiration date of a cookie, you must reset it, which is covered in the "Modifying and Deleting Cookies" section.
Reading Cookie Collections

You might occasionally need to read through all the cookies available to the page. To read the names and values of all the cookies available to the page,

Example

    System.Text.StringBuilder output = new System.Text.StringBuilder();
    HttpCookie aCookie;
    for (int i = 0; i < Request.Cookies.Count; i++)
    {
        aCookie = Request.Cookies[i];
        // HTML-encode the name and value before writing them into the page.
        output.Append("Cookie name = " + Server.HtmlEncode(aCookie.Name) + "<br />");
        output.Append("Cookie value = " + Server.HtmlEncode(aCookie.Value) + "<br /><br />");
    }
    Label1.Text = output.ToString();

Modifying and Deleting Cookies

You cannot directly modify a cookie. Instead, changing a cookie consists of creating a new cookie with new values and then sending the cookie to the browser to overwrite the old version on the client.

Deleting Cookies

Deleting a cookie—physically removing it from the user's hard disk—is a variation on modifying it. You cannot directly remove a cookie because the cookie is on the user's computer. However, you can have the browser delete the cookie for you. The technique is to create a new cookie with the same name as the cookie to be deleted, but to set the cookie's expiration to a date earlier than today. When the browser checks the cookie's expiration, the browser will discard the now-outdated cookie.

Cookies and Security

The security issues with cookies are similar to those of getting data from the client. In your application, cookies are another form of user input and are therefore subject to examining and spoofing. A user can as a minimum see the data that you store in a cookie, since the cookie is available on the user's own computer. The user can also change the cookie before the browser sends it to you.

You should never store sensitive data in a cookie, such as user names, passwords, credit card numbers, and so on. Do not put anything in a cookie that should not be in the hands of a user or of someone who might somehow steal the cookie.
Similarly, be suspicious of information you get out of a cookie. Do not assume that the data is the same as when you wrote it out; use the same safeguards in working with cookie values that you would with data that a user has typed into a Web page. The examples earlier in this topic showed HTML-encoding the contents of a cookie before displaying the value in a page, as you would before displaying any information you get from users.

Cookies are sent between browser and server as plain text, and anyone who can intercept your Web traffic can read the cookie. You can set a cookie property that causes the cookie to be transmitted only if the connection uses the Secure Sockets Layer (SSL). SSL does not protect the cookie from being read or manipulated while it is on the user's computer, but it does prevent the cookie from being read while in transit because the cookie is encrypted.

The cookie files are stored on the client machine, so your users can delete or edit them at any time. In addition, some users may disable cookies. For this reason, never rely on that data. You should store critical information on the server--preferably in a database. Also, you should use cookies only for minor information that may customize the user experience.

Storing critical information in a cookie is considered poor programming because it can be viewed easily; a better approach is to avoid cookies with sensitive information.

Thx
Kirthika
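An added example, not part of the original post: one way to act on "do not assume that the data is the same as when you wrote it out" is to attach an HMAC to the value and to set the Secure property the post describes. The class name SignedCookie and the key handling are assumptions made for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web;

// Added example (hypothetical helper, not from the thread).
// Signing gives integrity only: the user can still read the value.
public static class SignedCookie
{
    // key: a server-side secret, assumed to come from protected configuration.
    public static HttpCookie Create(string name, string value, byte[] key, DateTime expires)
    {
        string payload = HttpUtility.UrlEncode(value);
        HttpCookie cookie = new HttpCookie(name, payload + "." + Tag(name, payload, key));
        cookie.Expires = expires;
        cookie.Secure = true;    // browser returns it only over SSL/TLS
        cookie.HttpOnly = true;  // not exposed to client-side script
        return cookie;
    }

    // True only when the tag matches what this server would have issued.
    public static bool TryRead(HttpCookie cookie, byte[] key, out string value)
    {
        value = null;
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return false;
        int dot = cookie.Value.LastIndexOf('.');
        if (dot < 0) return false;
        string payload = cookie.Value.Substring(0, dot);
        string supplied = cookie.Value.Substring(dot + 1);
        if (!FixedTimeEquals(Tag(cookie.Name, payload, key), supplied)) return false;
        value = HttpUtility.UrlDecode(payload);
        return true;
    }

    // HMAC-SHA256 over "name=payload", hex-encoded. Binding the name means a
    // value issued for one cookie is rejected under another cookie name.
    private static string Tag(string name, string payload, byte[] key)
    {
        using (HMACSHA256 hmac = new HMACSHA256(key))
        {
            byte[] mac = hmac.ComputeHash(Encoding.UTF8.GetBytes(name + "=" + payload));
            return BitConverter.ToString(mac).Replace("-", "");
        }
    }

    // Compare without stopping at the first differing character.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

// In a page (key is the assumed server secret):
//   Response.Cookies.Add(SignedCookie.Create("LastVisited",
//       DateTime.Now.ToString(), key, DateTime.Now.AddDays(7)));
//   string lastVisited;
//   bool ok = SignedCookie.TryRead(Request.Cookies["LastVisited"], key, out lastVisited);
```

A value that fails TryRead should be handled like a missing cookie. The signature does not hide the value and does not stop an old, still-valid cookie from being sent again.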
Some more information about cookies

Cookie Scope

By default, all cookies for a site are stored together on the client, and all cookies are sent to the server with any request to that site. In other words, every page in a site gets all of the cookies for that site. However, you can set the scope of cookies in two ways:

* Limit the scope of cookies to a folder on the server, which allows you to limit cookies to an application on the site.
* Set scope to a domain, which allows you to specify which subdomains in a domain can access a cookie.

Limiting Cookies to a Folder or Application

To limit cookies to a folder on the server, set the cookie's Path property, as in the following example:

    HttpCookie appCookie = new HttpCookie("AppCookie");
    appCookie.Value = "written " + DateTime.Now.ToString();
    appCookie.Expires = DateTime.Now.AddDays(1);
    appCookie.Path = "/Application1";
    Response.Cookies.Add(appCookie);

The path can either be a physical path under the site root or a virtual root. The effect will be that the cookie is available only to pages in the Application1 folder or virtual root. For example, if your site is called www.mysite.com, the cookie created in the previous example will be available to pages with the path http://www.mysite.com/Application1/ and to any pages beneath that folder. However, the cookie will not be available to pages in other applications such as http://www.mysite.com/Application2/ or just http://www.mysite.com/.

Note: In some browsers, the path is case sensitive. You cannot control how users type URLs into their browsers, but if your application depends on cookies tied to a specific path, be sure that the URLs in any hyperlinks you create match the case of the Path property value.

Limiting Cookie Domain Scope

By default, cookies are associated with a specific domain. For example, if your site is www.mysite.com, the cookies you write are sent to the server when users request any page from that site.
(This might not include cookies with a specific path value.) If your site has subdomains—for example, mysite.com, sales.mysite.com, and support.mysite.com—then you can associate cookies with a specific subdomain. To do so, set the cookie's Domain property, as in this example:

    Response.Cookies["domain"].Value = DateTime.Now.ToString();
    Response.Cookies["domain"].Expires = DateTime.Now.AddDays(1);
    Response.Cookies["domain"].Domain = "support.mysite.com";

When the domain is set in this way, the cookie will be available only to pages in the specified subdomain. You can also use the Domain property to create a cookie that can be shared among multiple subdomains, as shown in the following example:

    Response.Cookies["domain"].Value = DateTime.Now.ToString();
    Response.Cookies["domain"].Expires = DateTime.Now.AddDays(1);
    Response.Cookies["domain"].Domain = "mysite.com";

The cookie will then be available to the primary domain as well as to sales.mysite.com and support.mysite.com domains.
__________________
H2O
Without us, no one can survive..
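An added example, not part of the original post: a simplified model of the domain and path matching that RFC 6265 describes, run against the Path and Domain values used above to show which requests would carry each cookie. The class and method names are hypothetical, and the model goes slightly beyond the post by covering the no-Domain case and the path boundary rule.

```csharp
using System;

// Added example: simplified RFC 6265 domain-match and path-match (hypothetical names).
public static class CookieScope
{
    // domain == null models a cookie written without the Domain property:
    // it is returned only to the exact host that set it.
    public static bool IsSentTo(Uri request, string setByHost, string domain, string path)
    {
        return DomainMatches(request.Host, setByHost, domain)
            && PathMatches(request.AbsolutePath, path);
    }

    static bool DomainMatches(string host, string setByHost, string domain)
    {
        if (domain == null)
            return string.Equals(host, setByHost, StringComparison.OrdinalIgnoreCase);
        domain = domain.TrimStart('.');
        // The named domain itself, or any host that ends with ".<domain>".
        return string.Equals(host, domain, StringComparison.OrdinalIgnoreCase)
            || host.EndsWith("." + domain, StringComparison.OrdinalIgnoreCase);
    }

    static bool PathMatches(string requestPath, string cookiePath)
    {
        if (string.IsNullOrEmpty(cookiePath) || cookiePath == "/") return true;
        // Ordinal comparison: the path is compared case-sensitively.
        if (!requestPath.StartsWith(cookiePath, StringComparison.Ordinal)) return false;
        // A prefix only counts at a folder boundary, so "/Application10" is out.
        return requestPath.Length == cookiePath.Length
            || cookiePath.EndsWith("/")
            || requestPath[cookiePath.Length] == '/';
    }

    public static void Main()
    {
        // Constructed request URLs for the hosts and folders named in the post.
        string[] urls = {
            "http://www.mysite.com/Application1/page.aspx",
            "http://www.mysite.com/application1/page.aspx",
            "http://www.mysite.com/Application10/",
            "http://www.mysite.com/Application2/",
            "http://support.mysite.com/",
            "http://sales.mysite.com/"
        };
        foreach (string url in urls)
        {
            Uri u = new Uri(url);
            Console.WriteLine("{0}\n  Path=/Application1: {1}  Domain=support.mysite.com: {2}  Domain=mysite.com: {3}",
                url,
                IsSentTo(u, "www.mysite.com", null, "/Application1"),
                IsSentTo(u, "www.mysite.com", "support.mysite.com", "/"),
                IsSentTo(u, "www.mysite.com", "mysite.com", "/"));
        }
    }
}
```

The last column is the one to review before setting Domain to the parent domain: every subdomain receives that cookie, including ones run by a different team or application.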
Hi, some of the Cookies and Security levels in Cookies

The security issues with cookies are similar to those of getting data from the client. In your application, cookies are another form of user input and are therefore subject to examining and spoofing. A user can as a minimum see the data that you store in a cookie, since the cookie is available on the user's own computer. The user can also change the cookie before the browser sends it to you.

You should never store sensitive data in a cookie, such as user names, passwords, credit card numbers, and so on. Do not put anything in a cookie that should not be in the hands of a user or of someone who might somehow steal the cookie.

Similarly, be suspicious of information you get out of a cookie. Do not assume that the data is the same as when you wrote it out; use the same safeguards in working with cookie values that you would with data that a user has typed into a Web page. The examples earlier in this topic showed HTML-encoding the contents of a cookie before displaying the value in a page, as you would before displaying any information you get from users.

Cookies are sent between browser and server as plain text, and anyone who can intercept your Web traffic can read the cookie. You can set a cookie property that causes the cookie to be transmitted only if the connection uses the Secure Sockets Layer (SSL). SSL does not protect the cookie from being read or manipulated while it is on the user's computer, but it does prevent the cookie from being read while in transit because the cookie is encrypted.
__________________
Venkat
knowledge is Power
Persistent and Non-Persistent Cookies

Persistent cookies are stored on your computer hard disk. They stay on your hard disk and can be accessed by web servers until they are deleted or have expired. Persistent cookies are not affected by your browser setting that deletes temporary files when you close your browser.

Non-persistent cookies are saved only while your web browser is running. They can be used by a web server only until you close your browser. They are not saved on your disk. Microsoft Internet Explorer 5.5 can be configured to accept non-persistent cookies but reject persistent cookies.

Thanks
Kiruthika
Browser Setup Notes and Tricks

Each browser and each version of a browser have different configuration options and behaviors relating to cookies and security.

Microsoft Internet Explorer 5.5 for Windows

* Can be set to accept non-persistent cookies and reject persistent cookies. Do it!
* IE stores cookies in a text file but with only newlines as separators. You can read the file with WordPad and edit the file with NotePad: "\Documents and Settings\username\Cookies\username@domain[1].txt".
* If the cookie files or the cookie index, "Cookie/index.dat", are set Read-Only, IE just recreates them in Temp.
* IE could be configured to put all temporary Internet files on a RAM disk. This would make persistent and non-persistent cookies equivalent, that is, they would vanish when the computer is restarted.

Netscape Communicator 4.7 for Windows

* Cannot be configured to accept only non-persistent cookies, but if the cookies.txt file is made Read-Only, all cookies act as non-persistent because the cookie file cannot be written!
* Can be configured to "Accept only cookies that get sent back to the originating server". This is a good idea.
* NS stores cookies in a text file. You can read and edit the file with Notepad: "\Program Files\Netscape\Users\default\cookies.txt".

Thanks
Kiruthika
Cookie Pal Overview

Cookie Pal is a complete Internet cookie management system for Windows 95, 98, ME, NT 4.0, 2000 and XP. Cookie Pal works with your web browser to give you complete control over the cookies which are accepted by and stored on your system.

Supported Browsers

Cookie Pal is pre-configured to work with the following web browsers and software:

* Microsoft Internet Explorer 3.x, 4.x, 5.x and 6.x
* Netscape Navigator 3.x and 4.x
* Opera 4.x, 5.x and 6.x
* Neoplanet
* America Online 3.0, 4.0, 5.0, 6.0 and 7.0 for Windows 95/98/ME
* CompuServe WinCIM 3.0.1 and 4.0 and 2000
* Microsoft Outlook and Outlook Express.
* Eudora E-mail
* Windows Media Player and RealPlayer

Thanks
Kiruthika
Your browser can alert you before accepting cookies.

Netscape Navigator 3.0 +

1. Go to the 'Options' Menu
2. Select the 'Network Preferences' Menu Item
3. In the window that appears select the 'Protocols' tab
4. Locate the Section 'Show an Alert Before'
5. Select 'Before accepting a Cookie'

Internet Explorer

1. Go to the 'View' Menu
2. Select the 'Options' Menu Item
3. Click the 'Advanced' tag
4. Select 'Warn before accepting a cookie'

From this point on you will get an Alert Box whenever a server is trying to send a cookie to your browser. You will be shown the cookie data, and perhaps its life span before your browser deletes it. Some sites get carried away and send multiple cookies - so be prepared for lots of clicking.

The cookies.txt files can be found in the Windows 'Cookies' folder, or in the Macintosh MagicCookie folder. If your browser does not use these folders, look for cookie files in the Browser Program folders (i.e. Windows Netscape). Internet Explorer saves each cookie as an easily selected separate file, whereas Netscape includes them all in one.

Thanks
Kiruthika
Modifying or Deleting Subkeys

Modifying an individual subkey is the same as creating it, as shown in the following example (C#):

    // Writing a subkey that already exists overwrites its value.
    Response.Cookies["userInfo"]["lastVisit"] = DateTime.Now.ToString();
    Response.Cookies["userInfo"].Expires = DateTime.Now.AddDays(1);

To delete an individual subkey, you manipulate the cookie's Values collection, which holds the subkeys. You first recreate the cookie by getting it from the Cookies object. You can then call the Remove method of the Values collection, passing to the Remove method the name of the subkey to delete. You then add the cookie to the Cookies collection so it will be sent in its modified form back to the browser. The following code example shows how to delete a subkey. In the sample, the name of the subkey to remove is specified in a variable.

    string subkeyName;
    subkeyName = "userName";
    // Take the cookie the browser sent, drop one subkey, and send it back.
    HttpCookie aCookie = Request.Cookies["userInfo"];
    aCookie.Values.Remove(subkeyName);
    aCookie.Expires = DateTime.Now.AddDays(1);
    Response.Cookies.Add(aCookie);

Cookies and Security

The security issues with cookies are similar to those of getting data from the client. In your application, cookies are another form of user input and are therefore subject to examining and spoofing. A user can as a minimum see the data that you store in a cookie, since the cookie is available on the user's own computer. The user can also change the cookie before the browser sends it to you.

You should never store sensitive data in a cookie, such as user names, passwords, credit card numbers, and so on. Do not put anything in a cookie that should not be in the hands of a user or of someone who might somehow steal the cookie.

Similarly, be suspicious of information you get out of a cookie. Do not assume that the data is the same as when you wrote it out; use the same safeguards in working with cookie values that you would with data that a user has typed into a Web page.
The examples earlier in this topic showed HTML-encoding the contents of a cookie before displaying the value in a page, as you would before displaying any information you get from users.

Cookies are sent between browser and server as plain text, and anyone who can intercept your Web traffic can read the cookie. You can set a cookie property that causes the cookie to be transmitted only if the connection uses the Secure Sockets Layer (SSL). SSL does not protect the cookie from being read or manipulated while it is on the user's computer, but it does prevent the cookie from being read while in transit because the cookie is encrypted. For more information, see Basic Security Practices for Web Applications.

Determining Whether a Browser Accepts Cookies

Users can set their browser to refuse cookies. No error is raised if a cookie cannot be written. The browser likewise does not send any information to the server about its current cookie settings.

    protected void Page_Load(object sender, EventArgs e)
    {
        if (!Page.IsPostBack)
        {
            if (Request.QueryString["AcceptsCookies"] == null)
            {
                Response.Cookies["TestCookie"].Value = "ok";
                Response.Cookies["TestCookie"].Expires = DateTime.Now.AddMinutes(1);
                Response.Redirect("TestForCookies.aspx?redirect=" +
                    Server.UrlEncode(Request.Url.ToString()));
            }
            else
            {
                Label1.Text = "Accept cookies = " +
                    Server.UrlEncode(Request.QueryString["AcceptsCookies"]);
            }
        }
    }
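An added example, not part of the original post: the post shows only the page that writes TestCookie and redirects, so this is one way to write the TestForCookies.aspx code-behind it redirects to. The class name and the GetSafeReturnUrl helper are hypothetical; the redirect and AcceptsCookies parameter names come from the code above.

```csharp
using System;
using System.Web.UI;

// Added example: code-behind for the TestForCookies.aspx page named in the
// post's Response.Redirect call (hypothetical class and helper names).
public partial class TestForCookies : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        string acceptsCookies = "no";
        if (Request.Cookies["TestCookie"] != null)
        {
            acceptsCookies = "yes";
            // Delete the probe cookie by re-sending it with a past expiration.
            Response.Cookies["TestCookie"].Expires = DateTime.Now.AddDays(-1);
        }

        // "redirect" arrives in the query string, so it is user input like any
        // cookie value: only send the browser back to this same site.
        Uri target = GetSafeReturnUrl(Request.QueryString["redirect"], Request.Url);

        // Keep any query the first page already had and append the result.
        string query = target.Query.TrimStart('?');
        UriBuilder back = new UriBuilder(target);
        back.Query = (query.Length > 0 ? query + "&" : "")
                   + "AcceptsCookies=" + acceptsCookies;
        Response.Redirect(back.Uri.AbsoluteUri, true);
    }

    // Accepts the candidate only if it is an absolute URL with the same scheme,
    // host and port as the current request; otherwise falls back to the site root.
    private static Uri GetSafeReturnUrl(string candidate, Uri current)
    {
        Uri parsed;
        if (!string.IsNullOrEmpty(candidate)
            && Uri.TryCreate(candidate, UriKind.Absolute, out parsed)
            && parsed.Scheme == current.Scheme
            && string.Equals(parsed.Host, current.Host, StringComparison.OrdinalIgnoreCase)
            && parsed.Port == current.Port)
        {
            return parsed;
        }
        return new Uri(current, "/");
    }
}
```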
A cookie is a small bit of text that accompanies requests and pages as they go between the Web server and browser. The cookie contains information the Web application can read whenever the user visits the site.