Session VS Cookies

Session vs Cookies, What do you think about that? At first I will describe why do we need session and cookies? What are the similarities between session and cookies? and after that we will learn about differences between session and cookies. Here, I will focus on ASP.Net session state.

First we need to understand HTTP.

It is an uni-directional (one way) internet communication protocol over TCP connection. HTTP connection closes when client (browser) receive the response once from server.
-> Client send request to server by HTTP over TCP.
-> HTTP connection open.
-> Server receive the request from client.
-> Server send the response to client.
-> HTTP connection then close.
-> HTTP using REST based communication.


What does the mean of Session?

Session is the time between opening and closing of the connection between server and client. Actually I am talking about “session state” on server. Mainly session uses to store the login information.

As you know HTTP connection is stateless. So, we need to maintain state on server-side. Session state is one of the solution for that. Server holds the session state temporarily. Session is a data structure to store the states. It has a key-value structure. Web server stores the session on server memory (by-default) or files. Each client has own session (with unique session id) on server. This unique session id is created and manage by server. So, server identify the client by it’s session id. Session is available on all pages for only it’s client. So, sessions are not shareable between clients.

Does server create the session id every time when user send request?

No, ASP.NET_SessionId is created only when browser send request to server first time. This generated Session Id stored for specific time.

What does the mean of Session timeout?

We can set “session timeout” value by web.config or programmatically. If user does not refresh the page or doesn’t send request during the given time period than session close/expire automatically. Session can expire by following actions on ASP.Net:

  • When no client-server activity occur within specific time period (defined by server).
  • By uploading the web.config file on server.
  • When upload the files in bin folder or App_Code folder.
  • By stoping/restarting the website from IIS.
  • When stop/restart the Application pool.
  • By stoping the IIS Worker Processes.


Cookies is manage by server (mostly) but use by client browser. The main purpose of cookies is store the states or data on client machine. Actually cookies is document. Let’s suppose for Chrome browser, cookies are save in following path.

Purposes of cookies:

  • To store the session id ( this session id is sent to server for each request ).
  • To save the frequently using data like ID/Password.
  • To display the recommended content (like Ads) or results according to cookies data.

How to destroy or clear the cookies data?

Every browser has option to clear the cookies manually. Each browser has own cookies data.

Why only one user can login at a time on same browser?

Because browser is stored identical data for same website. For example: User login to website and server return the “session_id=123456xyz” in cookies. Now user open the second tab and login with different login id. Since server generate session_id every time on login action that’s why server return new generated “session_id=987654abc” and browser cookies store the new “session_id=987654abc”. Now if user can’t send old “session_id=123456xyz”. But this user can login by other browser.

Flow of Session and Cookies in ASP.Net

On first time Page_Load:

  • Session.IsnewSession is “true”
  • Request.Cookies[“ASP.NET_SessionId”] = null
  • After page load Browser cookies has key “ASP.NET_SessionId” with value.

On second time Page_Load

  • Session.IsnewSession is “false”
  • Request.Cookies[“ASP.NET_SessionId”] => is not null.

Now every time browser send the same “ASP.Net_SessionId”.

How to add cookies in ASP.NET?

Please take a look at my article SOAP VS REST