I'm creating a website which has a login function. Once the user logs in, they are shown a button that allows them to log out. When the user logs in, a boolean variable on the server is changed to "true", because the user has logged in. When the user clicks the logout button, the boolean variable changes to "false". My question is, should I be storing this information in a http cookie instead of a variable? (I'm thinking that storing this in a variable on the server might slow down the website.) I'm using this variable for the purpose of letting the user go directly to the website the next time they visit if they haven't logged out, instead of having to login every single time.

There are pros and cons to using a cookie to store login variables for a website.

Pro:

  • Cookies can be set to terminate either at end of session or after a specified time period
  • Cookies are relatively easy to write/read
  • Cookies are client side and don't require much server overhead

Con:

  • Cookies can be read easily and possibly 'impersonated'
  • Cookies can be easily mis-coded
  • Many people disallow cookies on their browsers

There are other factors to consider but my purpose is just to give an overview of cookies' usefulness.

If you utilize non-descript variables in the cookies (such that it's not apparent that it's a login credential) you should be relatively ok using them for this purpose. Keep in mind that unless otherwise coded, cookies self-terminate as soon as all browser windows are closed (ie: browser 'session' ends).

Generally, for the purpose you've described, cookies will likely be the best bet as they are one of the few persistent methods of session state control available. Your only major drawback is that it obviously won't work if the user doesn't allow cookies on their machine.

Thanks, but I think you misunderstood my question. I currently have an actual boolean variable that stores the login status. Would it cause a problem, over time, with the speed of the website?

Perhaps I wasn't 'clear' enough with my answer then :P

From what you had said:
>>My question is, should I be storing this information in a http cookie instead of a variable?

And you had indicated one of the concerns was overall processing requirements compared to your variable approach.

My answer basically was to give an overview of the pros/cons of cookie usage for this sort of thing...

Essentially, cookie:

  • user-end = less 'server end' processing
  • User-visible
  • Can be disallowed by the browser negating effectiveness

Server-side user login based variable:

  • Server-end (obviously)
  • Invisible to the user
  • Not affected by browser settings

Beyond that, the choice is yours... If it's being checked against frequently then the cookie method may be better as it doesn't require additional calls to the server to check the bool setting. If it's being checked against infrequently or security is of concern then the server-side bool is better.

Alternately, if you need to use the server-side (hidden from user, better 'security' of information) you can always restrict the call to the beginning and end of the 'login session' and simply pass the value forward from page to page. The problem there is you would need some sort of if/else in place on each page where it checks to see if the value was passed locally from another calling page and if it doesn't find it, it then goes to the server to check there. (dunno if that makes much sense but I couldn't think of a better way to put it).

EDIT: I just realized this would actually not work for the other portion of your question relating to a person leaving and returning without logging out.

Hope that's more clear and helpful :)

Cool thanks. I guess I'll stick with the server side variable since I've already made it. lol

Unless you're planning for there to be a vast number of users logging in simultaneously you should be fine with the server-side solution. You might just want to ensure there are the least possible number of server-calls for the confirmation that you need (ie: once per page instead of once per function that requires login creds).

Hope that helped at least :) Please remember to mark your thread solved once the issue is resolved.

if you are using FormsAuthentication then

write this on page load

if(Request.IsAuthenticated)
// Set Bool variable to true;
else
// Set Bool variable to false;

hope that helps.