C#: What is the difference between a Session and a Cookie?
Notice: this page is a Chinese-English parallel translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must follow the same CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me): StackOverFlow
Original URL: http://stackoverflow.com/questions/623815/
Asked by
What is the difference between a Session and a Cookie?
What circumstances should each be used?
Answer by cgreeno
Sessions
Sessions are stored per-user in memory (or an alternative Session-State) on the server. Sessions use a cookie (session key) to tie the user to the session. This means no "sensitive" data is stored in the cookie on the user's machine.
Sessions are generally used to maintain state when you navigate through a website. However, they can also be used to hold commonly accessed objects. Only if the Session-State is set to InProc; if set to another Session-State mode the object must also be serializable.
Session["userName"] = "EvilBoy";
if (Session["userName"] != null)
    lblUserName.Text = Session["userName"].ToString();
Cookies
Cookies are stored per-user on the user's machine. A cookie is usually just a bit of information. Cookies are usually used for simple user settings, colour preferences etc. No sensitive information should ever be stored in a cookie.
You can never fully trust that a cookie has not been tampered with by a user or outside source; however, if security is a big concern and you must use cookies, then you can either encrypt your cookies or set them to only be transmitted over SSL. A user can clear his cookies at any time or not allow cookies altogether, so you cannot count on them being there just because a user has visited your site in the past.
// Add a username cookie
Response.Cookies["userName"].Value = "EvilBoy";
Response.Cookies["userName"].Expires = DateTime.Now.AddDays(10);
// Can limit a cookie to a certain domain
Response.Cookies["userName"].Domain = "Stackoverflow.com";
// Request a username cookie
if (Request.Cookies["userName"] != null)
    lblUserName.Text = Server.HtmlEncode(Request.Cookies["userName"].Value);
Side note
It is worth mentioning that ASP.NET also supports cookieless state-management
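The tampering concern in the answer above, as an added example that is not part of the original answer: a cookie value carrying an HMAC-SHA256 tag, so the server rejects any value edited on the client. This is integrity protection, not the encryption the answer mentions; the class name, the demo key and the sample values are assumptions, and the code targets .NET 6 or later.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example: tamper-evident cookie value. The payload stays readable;
// only changes to it are detected.
static class SignedCookie
{
    // Hypothetical demo key, regenerated on every start. A real site loads a
    // stable secret from protected configuration.
    static readonly byte[] Key = RandomNumberGenerator.GetBytes(32);

    public static string Protect(string value)
    {
        byte[] data = Encoding.UTF8.GetBytes(value);
        using var hmac = new HMACSHA256(Key);
        byte[] tag = hmac.ComputeHash(data);
        // Base64 never contains '.', so it is a safe separator.
        return Convert.ToBase64String(data) + "." + Convert.ToBase64String(tag);
    }

    // Returns true and the original value only if the tag matches the payload.
    public static bool TryUnprotect(string cookie, out string value)
    {
        value = "";
        string[] parts = (cookie ?? "").Split('.');
        if (parts.Length != 2) return false;
        try
        {
            byte[] data = Convert.FromBase64String(parts[0]);
            byte[] tag = Convert.FromBase64String(parts[1]);
            using var hmac = new HMACSHA256(Key);
            // Constant-time comparison avoids leaking how many tag bytes matched.
            if (!CryptographicOperations.FixedTimeEquals(tag, hmac.ComputeHash(data)))
                return false;
            value = Encoding.UTF8.GetString(data);
            return true;
        }
        catch (FormatException) { return false; } // not valid Base64
    }

    static void Main()
    {
        string cookie = Protect("theme=dark"); // constructed sample value
        Console.WriteLine(TryUnprotect(cookie, out string v) + " " + v);
        // Constructed tampered value: new payload, old tag. Verification fails.
        string edited = Convert.ToBase64String(Encoding.UTF8.GetBytes("theme=light"))
                        + "." + cookie.Split('.')[1];
        Console.WriteLine(TryUnprotect(edited, out _));
    }
}
```

The SSL-only option the answer mentions corresponds to the `Secure` property on an ASP.NET `HttpCookie`; `HttpOnly` additionally keeps the value away from page scripts.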
Answer by Karl Thorwald
A cookie is an identification string stored by a server (who has a domain) in the browser of the user who visits the server/domain.
A session is a unit of maybe variables, state, settings while a certain user is accessing a server/domain in a specific time frame. All the session information is in the traditional model stored on the server (!)
Because many concurrent users can visit a server/domain at the same time the server needs to be able to distinguish many different concurrent sessions and always assign the right session to the right user. (And no user may "steal" another user's session)
This is done through the cookie. The cookie which is stored in the browser and which should in this case be a random combination like s73jsd74df4fdf (so it cannot be guessed) is sent on each request from the browser to the server, and the server can assign and use the correct session for its answers (page views)
The cookie allows the server to recognize the browser/user. The session allows the server to remember information between different page views.
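The mechanism described in the answer above, as an added example that is not part of the original answer: the server keeps the session data and hands the browser only an unguessable ID to send back in a cookie. The `SessionStore` class, its method names and the sample values are assumptions; this is a single-threaded sketch for .NET 6 or later, not ASP.NET's own session implementation.

```csharp
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.Security.Cryptography;

// Added example: server-side session data keyed by a random cookie value.
class SessionStore
{
    class Entry
    {
        public Dictionary<string, object> Data = new Dictionary<string, object>();
        public DateTime LastSeen;
    }

    readonly ConcurrentDictionary<string, Entry> _sessions =
        new ConcurrentDictionary<string, Entry>();
    readonly TimeSpan _timeout;

    public SessionStore(TimeSpan timeout) { _timeout = timeout; }

    // Creates a session and returns the value to place in the cookie:
    // 16 bytes from the OS CSPRNG, hex-encoded, so it cannot be guessed.
    public string Create(DateTime now)
    {
        string id = Convert.ToHexString(RandomNumberGenerator.GetBytes(16));
        _sessions[id] = new Entry { LastSeen = now };
        return id;
    }

    // Maps a cookie value back to its session. IDs the server never issued
    // and sessions idle longer than the timeout both yield null.
    public Dictionary<string, object> Find(string id, DateTime now)
    {
        if (id == null || !_sessions.TryGetValue(id, out Entry e)) return null;
        if (now - e.LastSeen > _timeout) { _sessions.TryRemove(id, out _); return null; }
        e.LastSeen = now; // sliding expiration: each request renews the session
        return e.Data;
    }

    static void Main()
    {
        var store = new SessionStore(TimeSpan.FromMinutes(20)); // sample timeout
        DateTime t0 = DateTime.UtcNow;
        string cookie = store.Create(t0);
        store.Find(cookie, t0)["userName"] = "EvilBoy";
        Console.WriteLine(store.Find(cookie, t0.AddMinutes(5))["userName"]);
        Console.WriteLine(store.Find("s73jsd74df4fdf", t0) == null);      // ID never issued
        Console.WriteLine(store.Find(cookie, t0.AddMinutes(30)) == null); // idle for 25 minutes
    }
}
```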
Answer by Canavar
Cookie is a client side storage of your variables. It is stored on the client machine by the browser physically. Its scope is machine wide. Different users at same machine can read same cookie.
Because of this :
- You should not store sensitive data on cookie.
- You should not store data that belongs to one user account.
- Cookie has no effect on server resources.
- Cookie expires at specified date by you.
Session is a server side storage of your variables. By default, it is stored in the server's memory. But you can configure it to store at SqlServer. Its scope is browser wide. Same user can run two or more browsers and each browser has its own session.
Because of this :
- You can save sensitive data in session.
- You should not save everything in session. It's a waste of server resources.
- After user closes browser, session timeout clears all information. (default is 20 minutes)
Answer by Joe
It's possible to have both: a database primary key is hashed and stored in a lookup table: then the hash is stored on the client as a cookie. Once the hash cookie (hahhahaha :) is submitted, its corresponding primary key is looked up, and the rest of the details are associated with it in another table on the server database.
Answer by Shankar kumar
The main difference between cookies and sessions is that cookies are stored in the user's browser, and sessions are not. This difference determines what each is best used for.
A cookie can keep information in the user's browser until deleted. If a person has a login and password, this can be set as a cookie in their browser so they do not have to re-login to your website every time they visit. You can store almost anything in a browser cookie.
Answer by Shankar kumar
Sessions are not reliant on the user allowing a cookie. They work instead like a token allowing access and passing information while the user has their browser open. The problem with sessions is that when you close your browser you also lose the session. So, if you had a site requiring a login, this couldn't be saved as a session like it could as a cookie, and the user would be forced to re-login every time they visit.
Answer by raghav
Session is a server side object which transfers or accesses data between page calls.
Cookies is an object on the client side/client machine which stores some text information of browser and server.
Answer by Sean Mc
There appears to be some confusion regarding what a session cookie is.
Firstly, when we are talking session cookies - it has nothing to do with ASP.Net sessions. Likewise, session cookies have nothing to do with server side processes or caching.
A session cookie is nothing more than a cookie that expires when the browser session expires. To create a session cookie - don't put an expiration date on it. Doing this stores the cookie in memory and is disposed of when the browser is disposed.