Why would I not do session management with cookies?

In light of the new european laws: Is there a better way of doing session management? Cookies seem perfect because I don't have to store anything on 开发者_运维知识库the server, so a session can't be lost and it scales horizontally to any number of servers.

Store values in hidden fields which are persisted on the client in between postbacks, possibly encrypted depending upon your requirements.

If you are using ASP.NET there are numerous facilities already available for this purpose, ViewState will allow you to effectively accomplish the same thing as a cookie so long as you don't need the information to be persisted across sessions.

If you are not using ASP.NET, you are probably going to have to write your own server-side components which will "set" your persisted data for you (encrypting it if necessary and then storing it in the appropriate hidden fields) and also to "get" the persisted data when its retrieval is necessary by accessing the hidden fields values and possibly decrypting. If you do this correctly you can re-use this component in all of your projects.

I hadn't heard anything about the new law but the first link on google looks like massive fail on the part of the nanny-state government in the U.K. We all know that old crusty legislators sticking their nose into technology regulation always ends well (facepalm).

Storing session data in cookies exposes that data, and possibly some inner-workings of your code, to anyone with access to the user's computer as well as men-in-the-middle. Even when encrypted, I don't like the idea. Also, I think a session would be easier lost if contained only in cookies, as many users dump cookies and associated history information fairly often. With a robust server side storage mechanism, the session data is more stable, IMO.