Cache VS Session VS cookies

asp.netcookiessessionstate-management

What are the do's and don'ts about Cache VS Session VS Cookies?

For example:
I'm using Session variables a lot and sometimes have problems in a booking-application when users start to order products and then go to lunch and come back some hours later and continue the booking. I store the booking in the session until the user confirms or aborts the booking so I don't need to talk to the database and handle halfway bookings in the database when users just click the X in the browser and never comes back.

Should I instead use cache or cookies or some combination for this?

(Also when there is some error in the app, the session-object resets itself and I get more problems because of that)

I'm mostly doing desktop-programming and feel I lack lots of knowledge here so anyone who can expand on where to use Cache, Session, Cookies (or db) would be appreciated

Edit: From the answers it seems that a combination of DB and cookies is what I want.

  1. I have to store the booking in the database connected to a session-id
  2. Store the session-id in a cookie (encrypted).
  3. Every page load checking the cookie and fetch the booking from the database
  4. I have a clean-up procedure that runs once a week that clears unfinished bookings.

I can't store the booking as a cookie because then the user can change prices and other sensitive data and I had to validate everything (can't trust the data).

Have I got it right?

And thanks for great explanations to all of you!

Best Answer

State management is a critical thing to master when coming to Web world from a desktop application perspective.

  • Session is used to store per-user information for the current Web session on the server. It supports using a database server as the back-end store.
  • Cookie should be used to store per-user information for the current Web session or persistent information on the client, therefore client has control over the contents of a cookie.
  • Cache object is shared between users in a single application. Its primary purpose is to cache data from a data store and should not be used as a primary storage. It supports automatic invalidation features.
  • Application object is shared between users to store application-wide state and should be used accordingly.

If your application is used by a number of unauthenticated users, I suggest you store the data in a cookie. If it requires authentication, you can either store the data in the DB manually or use ASP.NET profile management features.