How to store an object in a cookie?

c# session object cookies store
Shaokan picture Shaokan · Jul 8, 2011 · Viewed 44.9k times · Source

While this is possible in C#: (User is a L2S class in this instance)

User user = // function to get user
Session["User"] = user;

why this is not possible?

User user = // function to get user
HttpCookie cookie = new HttpCookie();
cookie.Value = user;

and how can it be done? I don't want to store the id of the user within the cookie and then do some validation.

Btw, if possible, is it secure to store an object within a cookie rather than only the ID ?

Answer

Marc Gravell picture Marc Gravell · Jul 8, 2011

A cookie is just string data; the only way to do that would be to serialize it as a string (xml, json, base-64 of arbitrary binary, whatever), however, you shouldn't really trust anything in a cookie if it relates to security information ("who am I?") as a: it is easy for the end-user to change it, and b: you don't want the overhead of anything biggish on every single request.

IMO, caching this as the server is the correct thing; don't put this in a cookie.

Related questions

How to set session timeout in web.config

I have tried very hard but cannot find a solution on how to set session timeout value for in-process session for an ASP.Net web application. I am using VSTS 2008 + .Net 3.5 + C#. Here is what I wrote by myself to …

Read More
How to delete cookies on an ASP.NET website

In my website when the user clicks on the "Logout" button, the Logout.aspx page loads with code Session.Clear(). In ASP.NET/C#, does this clear all cookies? Or is there any other code that needs to be added …

Read More
How to Kill A Session or Session ID (ASP.NET/C#)

How can I destroy a session (Session["Name"]) when the user clicks the logout button? I'm looking through the ASP.NET API Reference on MSDN and it doesn't seem to have much information. It seems rather limited. But I cannot …

Read More