CookieJar is a custom session state store provider that stores the session information in a cookie instead of server side.
I'm not going to go into a debate on whether this is a good idea or not. This is just an exercise I wanted to do. Feel free to use this if you want, I make no claims to it being a robust solution.
The data contained in the cookie is encrypted using the machine key information. The session id generated by ASP.NET is also embedded within the data. Regardless of any expiration set for the cookie, if the session id should change, the session will clear everything out that might exist.
You can configure the custom provider in the web.config file
<system.web>
<sessionState mode="Custom" customProvider="CookieSessionProvider">
<providers>
<add name="CookieSessionProvider" type="CookieJar.CookieSessionStateStore, CookieJar" />
</providers>
</sessionState>
<system.web>There are a few config values you can also specify when setting up the provider information
<add name="CookieSessionProvider" type="CookieJar.CookieSessionStateStore, CookieJar" cookieName=".DTSTR" httpOnly="true" secureOnly="false" setExpiration="false" />-
cookieName - Configures the name of the cookie used to store the data. Default is ".DTSTR".
-
httpOnly - Sets the HttpOnly property of the cookie. Default is true.
-
secureOnly - Sets the Secure propery of the cookie. True means the cookie will only be sent over a secure connection. Default is false.
-
setExpiration - If set to true, this will set an expiration date on the session cookie based on the timeout value specified by the sessionState. Default is false.
- Session State Providers
- Implementing a Session-State Store Provider
- This twitter conversation is what kicked off the idea of trying this out.