Web applications can store state in several ways, each with its own advantages, disadvantages and use cases. The table below summarizes how hidden fields, URLs, cookies and server-side sessions are used to store state in web applications.
| | Hidden Fields | URL | Cookies | Sessions |
| --- | --- | --- | --- | --- |
| storage space | No limit, the more data you store the slower pages will load. | Limited by URL length (2000 characters) | Limited to 4000 characters | Unlimited, provided you can store that information on your own servers. |
| storage location | on client | on client | on client | on server |
| visibility | visible in HTML code | visible in browser’s address bar | visible if you know how to view them | invisible as it is stored on the server |
| security | low | low | low | relatively secure: state information kept on server, never transferred across network (with the exception of the client session ID) |
| format | string | string | string | original object format |
| lifetime | closing browser | closing of web page | indefinite (can set cookies to expire in 2099) | indefinite, since you are storing it on your own servers. Can choose to remove dead sessions after X minutes. |
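The Sessions column of the table, as an added, language-neutral sketch in Python (not code from the original post and not how ASP.NET implements it): the client holds only an opaque ID, state stays on the server as ordinary objects, and idle sessions are dropped after a timeout. The names `SessionStore` and `checkout_total`, the 128-bit ID size and the 20-minute default are assumptions made for the example.

```python
import secrets
import time


class SessionStore:
    """Server-side session state; only the opaque session ID goes to the client."""

    def __init__(self, idle_timeout_s=20 * 60, clock=time.monotonic):
        self._sessions = {}                # session ID -> (last_seen, state dict)
        self._idle_timeout_s = idle_timeout_s
        self._clock = clock                # injectable so expiry can be tested

    def create(self):
        # ID comes from the OS CSPRNG so it cannot be guessed (16 bytes, assumed size).
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = (self._clock(), {})
        return sid

    def get(self, sid):
        """Return the state dict for sid, or None if it is unknown or has expired."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        last_seen, state = entry
        if self._clock() - last_seen > self._idle_timeout_s:
            del self._sessions[sid]        # dead session: remove it
            return None
        self._sessions[sid] = (self._clock(), state)   # sliding expiry
        return state


def checkout_total(store, sid, form):
    """Compute a total from server-held price; client-supplied price is ignored."""
    state = store.get(sid)
    if state is None:
        raise PermissionError("no valid session")
    quantity = int(form["quantity"])       # still client input: validate it
    if quantity < 1:
        raise ValueError("quantity must be positive")
    # A hidden field or URL parameter named unit_price may have been edited
    # by the user, so the price is read from the session, never from the form.
    return state["unit_price"] * quantity
```
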
Sessions in ASP.NET
.NET tries to simplify session management: it uses the HttpSessionState class to manage sessions for you. This class gives you a number of options, allowing you to specify the session timeout, use of cookies, etc. .NET uses a 120-bit identification number to identify and keep track of clients and their state.
I hope this post serves as a concise summary of different approaches to storing state in web applications.