How to: Write a Cookie

Cookies provide a means in Web applications to store user-specific information, such as history or user preferences. A cookie is a small bit of text that accompanies requests and responses as they go between the Web server and client. The cookie contains information that the Web application can read whenever the user visits the site.

The browser manages the cookies on client computers. Cookies are sent to the client using the HttpResponse object, which exposes a property called Cookies. Any cookies that you want your Web application to send to the browser must be added to this collection. When you write a new cookie, you must specify the Name and Value. Each cookie must have a unique name so that your Web application can identify it when the browser sends it with future requests.

There are two ways to write a cookie to a user's computer. You can either set cookie properties directly on the Cookies collection, or you can create an instance of the HttpCookie object and add it to the Cookies collection. You must create cookies before the ASP.NET page is rendered to the client. For example, you can write a cookie in a Page_Load event handler but not in a Page_Unload event handler. For more information about the page life cycle, see ASP.NET Page Life Cycle Overview.

For more information, see ASP.NET Cookies Overview.

  • In the ASP.NET page in which you want to write a cookie, assign properties to a cookie in the Cookies collection.

    The following code example shows a cookie named UserSettings with the values of the subkeys Font and Color set. It also sets the expiration time to be tomorrow.

    ' Visual Basic
    Response.Cookies("UserSettings")("Font") = "Arial"
    Response.Cookies("UserSettings")("Color") = "Blue"
    Response.Cookies("UserSettings").Expires = DateTime.Now.AddDays(1)

    // C#
    Response.Cookies["UserSettings"]["Font"] = "Arial";
    Response.Cookies["UserSettings"]["Color"] = "Blue";
    Response.Cookies["UserSettings"].Expires = DateTime.Now.AddDays(1d);
    
  1. Create an object of type HttpCookie and assign it a name.

  2. Assign values to the cookie's subkeys and set any cookie properties.

  3. Add the cookie to the Cookies collection.

    The following code example shows an instance of the HttpCookie object named myCookie, which represents a cookie named UserSettings.

    ' Visual Basic
    Dim myCookie As HttpCookie = New HttpCookie("UserSettings")
    myCookie("Font") = "Arial"
    myCookie("Color") = "Blue"
    myCookie.Expires = Now.AddDays(1)
    Response.Cookies.Add(myCookie)

    // C#
    HttpCookie myCookie = new HttpCookie("UserSettings");
    myCookie["Font"] = "Arial";
    myCookie["Color"] = "Blue";
    myCookie.Expires = DateTime.Now.AddDays(1d);
    Response.Cookies.Add(myCookie);
    

Robust Programming

By default, cookies are shared by all pages that are in the same domain, but you can limit cookies to specific subfolders in a Web site by setting their Path property. To allow a cookie to be retrieved by all pages in all folders of your application, set it from a page that is in the root folder of your application and do not set the Path property.

If you do not specify an expiration limit for the cookie, the cookie is not persisted to the client computer and it expires when the user session expires.

Cookies can store values only of type String. You must convert any non-string values to strings before you can store them in a cookie. For many data types, calling the ToString method is sufficient. For more information, see the ToString method for the data type you wish to persist.

Security

Do not store sensitive information, such as a user name or a password, in a cookie. For more information about cookie security, see ASP.NET Cookies Overview.
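
The points from the Robust Programming and Security sections, applied to the UserSettings cookie in one place. This is an added example, not code from the original page. The SettingsPage class, the FontSize subkey and the /Settings path are assumptions, and setting Secure to true assumes the site is served over HTTPS.

```csharp
using System;
using System.Globalization;
using System.Web;
using System.Web.UI;

// Hypothetical code-behind class. The class name, the FontSize subkey and
// the /Settings path are assumptions made for this example.
public class SettingsPage : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        int fontSize = 12; // a non-string value that has to be converted

        HttpCookie cookie = new HttpCookie("UserSettings");
        cookie["Font"] = "Arial";
        cookie["Color"] = "Blue";

        // Cookies store strings only. Converting with the invariant culture
        // keeps the stored text independent of the server's regional settings.
        cookie["FontSize"] = fontSize.ToString(CultureInfo.InvariantCulture);

        // Persist the cookie for one day. Leaving Expires unset would make
        // it a non-persistent cookie that is not written to the client's disk.
        cookie.Expires = DateTime.Now.AddDays(1);

        // Limit the cookie to one subfolder: the browser returns it only
        // for requests whose URL path starts with /Settings.
        cookie.Path = "/Settings";

        // Hide the cookie from client-side script (document.cookie).
        cookie.HttpOnly = true;

        // Have the browser return the cookie over HTTPS only.
        // Assumption: the site is served over HTTPS.
        cookie.Secure = true;

        // Must run before the page is rendered, hence Page_Load.
        Response.Cookies.Add(cookie);
    }
}
```

These properties narrow where and how the browser sends the cookie, but the value is still stored on the client in readable form, so the rule above about sensitive information applies unchanged.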

See Also

Tasks

How to: Read a Cookie
How to: Delete a Cookie

Concepts

ASP.NET Cookies Overview
Basic Security Practices for Web Applications
ASP.NET State Management Overview