Does Session use cookies in Asp.Net?

It’s very confusing for many developers that session use cookies or not, and also a interesting interview question for .net developer ūüôā Let’s understand the relation between session and cookies-

Does session use cookies? Answer is- YES and NO.

One more confusion?

While using session in the application we have two things which are SessionID which is used to uniquely identify the session variables and Session Value which is the actual data stored in the session variables.

As session is a server side and cookies are client side state management techniques, so session actual data always stored on the server memory by default. The following list describes the available session storage modes-

  • InProc¬†mode,¬†which stores session state in memory on the Web server. This is the default.
  • StateServer¬†mode,¬†which stores session state in a separate process called the ASP.NET state service. This ensures that session state is preserved if the Web application is restarted and also makes session state available to multiple Web servers in a Web farm.
  • SQLServer¬†mode¬†stores session state in a SQL¬†Server database. This ensures that session state is preserved if the Web application is restarted and also makes session state available to multiple Web servers in a Web farm.
  • Custom¬†mode, which enables you to specify a custom storage provider.
  • Off¬†mode,¬†which disables session state.

I hope it’s clear that session data is stored on the server and has no relationship with the cookies.

Now let’s understand the session keys storage types-





Session and cookies relationship are limited to only session keys not session value.


Session¬†use¬†cookies¬†‚ÄstYes¬†: ¬†By default¬†Session key is stored in an HTTP ¬†non-persistent cookie that the client sends to the server (and server to client)¬†on each request/responses.¬†The server can then read the key from the cookie and re-inflate the server session state.

If we will try to run below code after disabled the cookies then it will not work that proves that session use the cookies.

Session¬†use¬†cookies¬†‚ÄstNo¬†: There is the possibility that¬†browser does not support cookie or disabled, then can not create a cookie to store session keys.¬†ASP.NET offers an alternative in the form of cookieless sessions. You can configure your application to store session keys not in a cookie, but in the URLs. This can be done by setting cookieless=‚ÄĚtrue‚ÄĚ in the web.config file ¬†as-

<sessionstate cookieless=‚ÄĚtrue‚ÄĚ />



Programming is Easy…

What is Cookies in .Net?

Cookies are used to store data at client side. It can be used to store user name on login form or in the shopping site to store cart items etc…

There are two type of cookies-

  • Persistent cookies–  This type of cookies value does not lost even after close the browser window. Values are stored at client side until its expiration date. To create the persistent cookies just set the cookies expiration date like 1 day, 2 day etc..
  • Non Persistent cookies – This type of cookies values lost after close the browser window. To create this type of cookies do not add the expiration date.

To delete the existing cookies just set the cookies expiration date to any past date.

Cookies are created via the Response.Cookies object and can  be read using Request.Cookies object. Cookies can be created to store single value and multiple value.  Benefit of creating the multi value cookies is that we do not need to set the expiration date for each.