Wednesday, March 9, 2016

Don't Make Me Think - by Steve Krug

Ch. No. / Title / Learnings
1. Don’t make me think!: Website design should be as obvious as possible.
2. How we really use the Web: The website should be easy to scan through, so that users reach the desired content quickly.
3. Billboard Design 101: Create clear visual hierarchies and follow widely accepted conventions.
4. Animal, Vegetable, or Mineral?: a) It doesn’t matter how many times I have to click, as long as each click is mindless and unambiguous; b) offer brief, timely and unavoidable assistance.
5. Omit needless Words: Get rid of half the words on each page, then get rid of half of what’s left.
6. Street signs and Breadcrumbs: People won’t use your website if they can’t find their way around it. Where do I start? The navigation elements to provide are:

Site ID: obvious logo and tagline
Sections and sub-sections (these also answer "where am I?")
Page name
  Areas on this page
  Items on this page
Local navigation
  up to the nth level
Footer navigation
7. The Big Bang Theory of Web Design: Home page design. Analyze why and where people may visit the most; provide a clear and informative tagline, a welcome blurb, and a short, sweet description.
8. The Farmer and the Cowman Should Be Friends: how to do usability tests, and why.
9. Usability testing on 10 cents a day: promotes the next book, and how to do a usability test.
10. Mobile: It’s not just a city in Alabama anymore: responsive design.
  Mobile Site/Full Site toggle
  asynchronous calls to make the page load fast
  choose the important stuff out of the many things on offer
  learning curve for the user
11. Usability as common courtesy: save your goodwill; honor the user's time.
  dynamic FAQs (no marketing here)
  customer care access
  error handling
  printer-friendly pages
12. Accessibility and you: alt text.
  skip link past the main menu
  keyboard-only operation
  screen contrast
  using predefined templates and variable-size text fonts
13. Guide for the perplexed: no phishing.
  no small, low-contrast type
  no labels inside form fields
  distinguish visited and unvisited text links
  no floating headings between paragraphs

Website url
Video URL
Task: You want to buy a laptop with the below-mentioned specifications:
  a. Lenovo
  b. Screen size not more than 14"
  c. RAM minimum 8 GB
  d. Processor minimum i5 5th generation
  e. Hard drive minimum 500 GB
  f. Weight maximum 5 lb
  g. Price should be the minimum possible.
1. Don’t make me think!: OK
2. How we really use the Web: OK
3. Billboard Design 101: OK
4. Animal, Vegetable, or Mineral?: OK
5. Omit needless Words: OK
6. Street signs and Breadcrumbs: Rest is OK; local navigation needs improvement.
7. The Big Bang Theory of Web Design: No tagline. Changes products based on cookies from the various searches I did at multiple sites - good. Promotions at the right place - good.
10. Mobile: It’s not just a city in Alabama anymore: Good responsive design. App link mentioned at the bottom. No link to the full site, since the design is responsive.
11. Usability as common courtesy: a) Wait time is too high for customer care. b) The chat link is down in Help, where the user has lost the product; a chat option or customer care phone number should be prompted at the product itself. c) The generation of the i5 processor is not mentioned; there is a model number which I don't understand. d) Good that they have a reference number on the page to help the user retrieve the current session, but this text is in a very light color.
12. Accessibility and you: Does not seem to be handling accessibility issues.
13. Guide for the perplexed: a) It is tracking my interests and location, but I have not seen any cookie consent popup yet. b) No distinction to identify visited links.

Video URL
Task: Check the WhoIs information for domain name "" along with the location of the server where it is deployed.
1. Don’t make me think!: The first row of page content on the website is enough to puzzle me. I am not here to visit GoDaddy or Sedo, or to get the domain's worth.
2. How we really use the Web: I scanned the whole page to figure out what to do. Not even a single instruction.
3. Billboard Design 101: It seems a lot of information is literally poured onto a single page. At least I figured out that I need to type "" in the search box in the left navigation. But what "tld" means, I don't know. The Enter keypress should have done the same action as clicking on the magnifier icon. Also, there are too many h1 tags, and no h2, h3 or anything like that. Further, the big value shown by statsie looks like shouting "buy this domain", but I am here only to get WhoIs information.
4. Animal, Vegetable, or Mineral?: Even though I clicked only once to reach the WhoIs information page, I had to think for quite a few seconds. This is not good.
5. Omit needless Words: Under WhoIs information, there is so much content which is useless to me. I only need the address, email and phone number. The rest is crap.
6. Street signs and Breadcrumbs: A) In the name of a site ID, there is only the website URL. B) In the name of utilities, there are only About Us and Facebook share. No login, site map or anything like that. One thing here: if there is no login, how is "previously searched" in the left navigation calculated? C) On the whole page there are various h1 tags, with no subsections or similar hierarchy. D) There is no page name at all, let alone areas or breadcrumbs. E) Local navigation is very limited; it only tells how many visitors came here or are currently online. I think this is the wrong place to mention such info. F) No footer navigation is present. G) If you visit "previously searched", the grid is not good: not even a back-page button, only next is there. Further, there must be page numbers to jump to far-off pages in the grid. H) There are no filters for TLDs.
7. The Big Bang Theory of Web Design: A) No site ID here, let alone a tagline. B) There is no description or introduction at all. C) It seems GoDaddy/Sedo are there for promotion (not sure, because when we travel to the third-party website, I don't see any cookies or identifier transferred). D) Too much information on the home page; it's worth dividing into multiple pages.
10. Mobile: It’s not just a city in Alabama anymore: A) Good responsive design, but the navigation doesn't look good on smaller resolutions. B) In mobile view (smaller resolution), a few grids like location information give a horizontal scroll, which is against standards. C) I observe many asynchronous content loads, which is good for mobile and slow internet connections.
11. Usability as common courtesy: a) There is no Contact Us section. b) If I click on About Us, it gives an entirely different design - loss of confidence. c) Try to search for an invalid domain: proper error handling is missing.
12. Accessibility and you: Does not seem to be handling accessibility issues.
13. Guide for the perplexed: a) It is tracking my interests and location, but I have not seen any cookie consent popup yet. b) No distinction to identify visited links.

Website url
Video URL
Task: You want to buy a laptop with the below-mentioned specifications:
  a. HP
  b. Screen size not more than 14"
  c. RAM minimum 8 GB
  d. Processor minimum i5 5th generation
  e. Hard drive minimum 500 GB
  f. Weight maximum 5 lb
  g. Price should be the minimum possible.
1. Don’t make me think!: OK
2. How we really use the Web: Bad. No laptops in "view all". The test stops here. Such a big name, and it fails the basic test!!
3. Billboard Design 101: N/A
4. Animal, Vegetable, or Mineral?: N/A
5. Omit needless Words: N/A
6. Street signs and Breadcrumbs: N/A
7. The Big Bang Theory of Web Design: N/A
10. Mobile: It’s not just a city in Alabama anymore: N/A
11. Usability as common courtesy: N/A
12. Accessibility and you: N/A
13. Guide for the perplexed: N/A

Video URL
Task: You want to buy a laptop with the below-mentioned specifications:
  a. Dell
  b. Screen size not more than 14"
  c. RAM minimum 8 GB
  d. Processor minimum i5 5th generation
  e. Hard drive minimum 500 GB
  f. Weight maximum 5 lb
  g. Price should be the minimum possible.
1. Don’t make me think!: The website design is simple yet meaningful, so OK.
2. How we really use the Web: OK
3. Billboard Design 101: OK
4. Animal, Vegetable, or Mineral?: OK
5. Omit needless Words: OK
6. Street signs and Breadcrumbs: Rest is OK; the main navigation needs improvement for the laptop category.
7. The Big Bang Theory of Web Design: There is no tagline, but the carousel heading covers it.
10. Mobile: It’s not just a city in Alabama anymore: Good responsive design. No link to the full site, since the design is responsive.
11. Usability as common courtesy: a) Wait time is too high for customer care if connected by phone, but chat wait time is low. b) The chat link is spread everywhere; I like that. c) Even minute details of the laptop configuration are mentioned; I like that. d) The exact laptop weight is not clear. e) Everything, including the price match and refund policy links, is clearly visible. f) After login I am thrown back to the home page of the site, to do all the selections again. This is heart-breaking.
12. Accessibility and you: Does not seem to be handling accessibility issues fully.
13. Guide for the perplexed: a) No tracking until I log in with my account. b) No distinction to identify visited links.

Tuesday, March 8, 2016

Is Entity Framework the best performing option for PostgreSQL and .NET applications?

Updated on Monday, April 15, 2017
Object-relational mapping (ORM) solutions provide a virtual layer between the application code and the backend database (DB) used by an application, exposing it through create, read, update and delete (CRUD) operations. PostgreSQL has been one of the top backend DBs deployed with Microsoft .NET applications worldwide. This experiment targets various ORM solutions that may perform well with the Microsoft .NET platform and PostgreSQL as the backend. The ORM solutions evaluated are NHibernate (NH), OrmLite, MicroLite, Entity Framework (EF), LINQ to PostgreSQL, I-Nercya EntityLite Core, Symbiotic Micro ORM x64, LLBLGen Pro, Uni.ORM, and FluentData. It’s very true that one may be easier to set up and consume than another, but the scope of this experiment is limited to analyzing these ORM solutions by how fast they perform CRUD operations with PostgreSQL and .NET.
-1. know your test system
0. Create test databases
1. EntityFramework6.exe
2. FluentData3.exe
3. InercyaEntityLite1121.exe
4. LINQtoPostgreSQL17x.exe
5. LLBLGenProLite51Console.exe
6. MicroLite6.exe
7. NHibernate4.exe
8. OrmLite.exe
9. SymbioticDataProviderPostgreSql2.exe
10. UniORM144.exe

git clone -b master

Test run output (average calculated from 10 cycles):

As pdf:

Sunday, March 6, 2016

Designing a Database

Before analyzing the most important factors to consider when designing a database, one must be aware of what database design is. It is the process of producing a detailed data model of a database. A data model organizes data elements and standardizes how the data elements relate to one another.
A data model may be conceptual, logical or physical in nature. A conceptual schema specifies the kinds of facts or propositions that can be expressed using the model. The logical data model captures the detailed business solution; it looks the same regardless of whether we are implementing in MongoDB or Oracle, and consists of descriptions of tables and columns, object-oriented classes, and XML tags, among other things. The physical data model describes the physical means by which data are stored.
While designing a database, the designer must follow these steps:
·         Determine the data to be stored in the database. This involves understanding the business and how the proposed application is expected to behave.
·         Determine the relationships between the different data elements. The designer must be aware of, and document, how the business entities being discussed are interrelated.
·         Superimpose a logical structure upon the data on the basis of these relationships. Now the designer must map business entities and logic to tables, views, primary keys, foreign keys, normalization rules, etc. In an object database, the storage objects correspond directly to the objects used by the object-oriented programming language used to write the applications that will manage and access the data.
Some of the most important things to keep in mind while designing a database are as follows:
1. Understand the business
As mentioned above in the steps of database design, understanding the business rules is the most important; the rest comes with experience.
2. Load on the application and volume of data
You must be very sure of how much load and how many concurrent users you are expecting. Do you need multiple servers, or a single server for both updates and reads? Always plan for much higher loads and data volumes than anticipated today.
3. Indexes
Will the application lean more towards read operations, or towards updates/adds? Indexes help most with fast retrieval of records from a table, but if the volume of updates/adds is too much for the server to handle, they may actually reduce performance.
4. Normalization
The database designed must be structurally correct and optimal. Normalization rules help a lot here, but sometimes, for the sake of performance in a design that is very specific to an application, these rules may be relaxed.
5. Information integrity
Most of the big-name database engines automatically enforce data integrity, but as a database designer you may not be able to enforce certain business validations in the DB itself; these must be clearly specified in the design documents. As a database designer, things like primary keys, foreign keys, transactions, triggers, etc. are your responsibility.
6. Security
Specify the mode of authentication, and hide sensitive information via encryption if the business needs it. I have seen many deployments where multiple projects were using the same credentials to access multiple databases. This is clearly not a standard practice to follow. You must also be aware of all the auditing features provided by the database engine being used.
7. Backup and deployment policies
You must be aware of the backup and deployment techniques and policies used by the organization for whom you are designing the database.
8. Programming platform
The database designer should be aware of the consuming application's technology.
If you follow the above thumb rules, most issues in the production environment may be avoided even before they are encountered. Never forget those restless nights when a production issue comes, and do the best you can well in time.

Get or Post ? - Yes it does matter!!

GET and POST are two of the ways a client can send a request to a server using the Hypertext Transfer Protocol (HTTP).
GET means retrieving information from the server (in the format defined by the agreement between the two sides), identified by the Request-URI.
We may opt for a conditional GET request, where the header may contain If-Modified-Since, If-Match, If-None-Match, or If-Range. This is to reduce load over the network. A partial GET is also supported, using the Range header.
Important points to note when choosing GET:
1. As a general rule, in a typical form submission with METHOD="GET", the browser constructs a URL by taking the value of the action attribute, appending a "?" to it, then appending the form data set. The encoding type used in a GET request may be "application/x-www-form-urlencoded".
2. GET requests can be cached. You may also bookmark the request and retrieve the complete request later from browser history, but bookmarking and history are client features and vary with the client you use to make the GET request.
3. Please note, only ASCII characters are allowed in the URL when using GET; anything else must be percent-encoded.
4. You may not be able to hide sensitive information (query string parameters), and even if you use HTTPS, the server logs will still contain this information. So for transferring sensitive information, POST, discussed below, is the better choice.
5. The amount of information you may pass to the server is limited in the case of GET: the URL length limit is 2083 (1024 in certain cases). It is recommended to keep the number of parameters in the query string below 2K, but some servers even handle up to 64K. All in all, you should have a justification, such as caching, for keeping URLs so large if you want to stick with GET.
Off topic: in PHP, you may use the QUERY_STRING environment variable to retrieve the parameters passed in the URL. You may also use $_GET to get the array of sent data.
POST: here the data posted is part of the message body. This is used for data submission, and caching is not an option here unless the response includes appropriate Cache-Control or Expires header fields.
Important points to note when choosing POST:
1. As a general rule, in a typical form submission with METHOD="POST", a POST request is sent using the value of the action attribute and a message created according to the content type specified by the enctype attribute. The encoding type used in a POST request may be "application/x-www-form-urlencoded" or "multipart/form-data"; use multipart encoding for binary data. You may pass query string parameters in a POST request too, if you wish.
2. Typically caching is not an option here under common scenarios. The most common browsers don't support bookmarking or history of the complete request.
3. There are no restrictions on data type in a POST request; binary data is also allowed.
4. POST is a little safer than GET, since as a rule of thumb the parameters are in the message body. With GET over HTTPS the data in transit is equally safe, but server logs may still be a reason to switch to POST when sensitive information is passed.
5. The length of information posted may be huge in the case of POST.

Off topic: in PHP, you may use $_POST to get the array of sent data, based on the complexity of the data.
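As an added example (not code from the original post): the GET URL and the POST body a browser would build for the same form data set, and a check of what a server access log records in each case. The form values, the log line and all helper names are constructed for illustration.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed form data set (not from the original post); "card" is the sensitive field.
FORM_DATA = [("user", "alice"), ("card", "4111111111111111"), ("city", "Zürich")]

URL_LENGTH_LIMIT = 2083  # URL length limit quoted in the post


def build_get_url(action: str, form_data) -> str:
    """METHOD="GET": the browser takes the action attribute, appends "?" and then
    the form data set, encoded as application/x-www-form-urlencoded."""
    return action + "?" + urlencode(form_data)


def build_post_request(action: str, form_data):
    """METHOD="POST" with application/x-www-form-urlencoded: the request target is
    the bare action and the same encoded data set travels in the message body."""
    body = urlencode(form_data)
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Content-Length": str(len(body.encode("ascii"))),
    }
    return action, headers, body


def access_log_line(method: str, target: str, status: int = 200) -> str:
    """Constructed Common Log Format line. A web server logs the request line
    (method and target), not the body, so GET query strings end up on disk."""
    return (f'203.0.113.5 - - [09/Mar/2016:10:00:00 +0000] '
            f'"{method} {target} HTTP/1.1" {status} 512')


def logged_query_fields(line: str) -> list:
    """Defender's check over a log line: which form field names were recorded
    in the query string of the logged request target?"""
    target = line.split('"')[1].split(" ")[1]
    return sorted(parse_qs(urlsplit(target).query))


def within_url_limit(url: str, limit: int = URL_LENGTH_LIMIT) -> bool:
    """Point 5 of the post: GET carries a URL length limit that POST does not."""
    return len(url) <= limit


def is_ascii_only(url: str) -> bool:
    """Point 3 of the post: after urlencode the URL is pure ASCII even though the
    form data contained a non-ASCII character (ü becomes %C3%BC)."""
    return url.isascii()
```

With the same data, the GET log line exposes the card field name and value while the POST log line shows only the bare action.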


LAMP stack

LAMP, as the name suggests, is a typical model of software subsystems (historically Linux, Apache, MySQL and PHP) bundled together to give a platform on top of which web-service-based and similar applications may be deployed.
Why LAMP?
1. Components are largely interchangeable. The software subsystems may vary, but since Linux, Apache, MySQL and PHP are free, this combination is considered the most common. Other common variants are:
·         LAPP - Linux, Apache, PostgreSQL, Perl/Python/PHP
·         WAMP - Windows, Apache, MySQL, Perl/Python/PHP
·         MAMP - Macintosh, Apache, MySQL, Perl/Python/PHP
·         BAMP - BSD, Apache, MySQL, Perl/Python/PHP
·         WIMP - Windows, IIS, MySQL, Perl/Python/PHP
·         AMP - no operating system specified
We may justify why the LAMP stack by listing all the benefits of the components used, and the beauty is the interchangeability of the components, so choose the benefits you like.
2. The availability of a vast variety of free plugins makes it even more lucrative; for example netsniff-ng (free Linux network analyzer and networking toolkit), Snort (an open source network-based intrusion detection system), RRDtool (round-robin database tool), Nagios (offers monitoring and alerting services for servers, switches, applications and services), collectd (a Unix daemon that collects, transfers and stores performance data of computers and network equipment) and Cacti (web-based network monitoring and graphing tool).
3. Supports multiple server-farm solutions for high loads and better availability. This is possible with additional components like a load balancer.
4. Deployment of applications is straightforward; in most scenarios it may be a matter of copying the content into place. For most Linux-based systems, this is available by default.
5. Security may not be an issue: being open source with a large user base, problems are resolved faster than you could expect from other paid products.
6. You may use various free packages to configure LAMP and similar solutions. One famous package is XAMPP (cross-platform, Apache, MySQL/MariaDB, PHP, Perl), with a vast variety of add-ons available for it.
Drawbacks of LAMP stack
Most of the time, when we count the drawbacks of LAMP, we are cursing one of the software components treated as one of the four layers, or how they are integrated.
For example we may say Apache is not the highest-performing server in the market today, or point to some issues in PHP or MySQL, and so on.
You have to be very careful about choosing the right components: say the functionality you need in your application requires PHP 7.0, but the solution you are going for doesn’t support the latest version at all; then you may be in trouble (even though this may not count as a drawback for you, since you know about the issue and will plan accordingly).
Alternative Technologies
LAMP is used to serve web content, and pretty much everything capable of this is an alternative in my opinion, be it C# and .NET based Web APIs or the Java Servlet API, and so on. But when we talk about alternative technologies, we are generally changing one of the components and comparing them on the variation in the underlying components. For example the LEMP stack (Linux, Nginx, MariaDB/MySQL, PHP) is a variant where Nginx replaces Apache. A few of the other variations are listed under the “Why LAMP?” section above.
The MEAN stack is a collection of JavaScript-based technologies used to develop web applications, and I feel it is the strongest competitor today. It consists of Node.js (server-side JavaScript execution environment), Express (lightweight framework used to build web applications in Node), MongoDB (schemaless NoSQL database system, considered far better than MySQL and similar) and AngularJS (JavaScript framework developed by Google).
§  MongoDB is built for the cloud, and with better hardware costing less today, this makes it more appealing than MySQL and related. (But who says the DB layer in LAMP cannot be MongoDB!!!)
§  Agreed, Node.js simplifies application development.
The benefits of the MEAN stack over the LAMP stack are covered in a lot more depth by Wayner (2015).
Brown, M. (2007, August 24). Understanding LAMP and its effect on web development. Retrieved from
Howitt, J. M. (2010, January 27). What are the advantages and disadvantages of running PHP on Windows [Web log comment]. Retrieved from
Leith, E. (2011, March 28). What are some disadvantages of LAMP stack? [Web log comment]. Retrieved from
LEMP [Computer software]. (2016). Retrieved from
Telly, B. (2013, March 08). Re-writing a large web application - alternatives to LAMP [Web log comment]. Retrieved from
Wayner, P. (2015, June 22). LAMP diehards take note: The flexible simplicity of MongoDB, ExpressJS, AngularJS, and Node.js is no joke. Retrieved from
XAMPP [Computer software]. (2015, December 31). Retrieved from

Are you a successful Web Developer?

The features websites are expected to deliver have been ever increasing. As the scope becomes vast, so do the opportunities for geniuses who have the potential to materialize these business needs. Now the question is what makes you, as a developer and path finder, qualified enough to survive in this dynamic domain!!

Well, I have no prescription pills for you today which you can eat and be good to go. But I may give you glimpses of what direction the digital world is moving in and what is expected today. It may be altogether a different story five years down the line!! It was only in 1990 that the first page was served on the open internet; in just twenty-five years, look around at where we are. The way content is managed, delivered and consumed has taken an altogether different direction. Does that mean you want to be a mere spectator? I assume not; that’s why you are with me here today, right?

Those days are gone when tiny websites were used to deliver unsecured content and an online presence was considered optional for big names. Today these websites serve not only public content but highly confidential material which may be worth billions and make an organization bankrupt if leaked. Now the only way left for us developers is to think like a hacker. Does it sound crazy? But I mean it: the security measures we develop as we evolve to secure content are meant to be tweaked around and hacked at some point by someone smarter than the creator. So we need to constantly be one step ahead. The only way to maintain the balance in our favor is to patch the security hole before someone else finds it.

If you have worked with any big service-based organization, you must have observed that they emphasize and appreciate reusable assets across verticals and horizontals a lot. We see more and more versatile tools, products and complete solutions floating around in today’s era. Does this mean that if you are making something reusable or launching a multidimensional, versatile product, you are eating up developers’ jobs? This may sound crazy, but the answer is no. The rate at which demand is increasing leaves supply far behind. It only means we are trying to use resources in a better manner. But if you are the kind of developer who is not willing to learn new things and utilize others’ efforts judiciously, it is difficult for you to survive in today’s market. Yes, you must attain expertise in a technology, but don’t make the mistake of being dumb enough to be thrown out of the business. The world is changing around you; open your eyes.

Many new websites and solutions are launched very often today, but only the ones which earn more customers are able to survive. Here comes the unspecified and ever-changing common sense of developers, which they can utilize to make projects profitable enough to earn repeat business. You as a developer must create a product keeping usability aspects in mind. In the past this may have meant only better CSS, but today it means a lot more. A website may die soon without being device independent and having companion iOS and Android apps. This in itself also means there is wider scope for developers to exist today.

This may seem an endless topic to discuss, but there is a finite shortcut here which you may always keep in mind. Now does it sound like a magic path? Well, possibly it is, but I call it a pointer, nothing more than that. Right from the Archie search engine in the 1990s to Google today, master minds have been toiling to make it easy for end users to reach content of their interest as fast as possible. Why not keep an eye on the search engine ranking logic prevalent today!! Google may rate a website better if it is mobile friendly, fast, authentic content-wise, secure enough, liked by the masses (and many more).

But remember, these are only some of the parameters you may follow to help realize the goals of your client. If you win your client’s faith you are successful in this domain, and remember the client is always smarter than you; that’s why they hired a genius like you. If technology and you as a developer are evolving, so are the consumers becoming smarter.



Friday, March 4, 2016

Web is stateless

HTTP is a stateless protocol. You may use cookies and sessions to maintain the state of an application specific to an end user.
What are the differences between sessions and cookies?
An HTTP cookie (web cookie, Internet cookie, browser cookie or simply cookie) is a small piece of data sent from a website and stored in the user's web browser while the user is browsing. If the programmer doesn’t assign an expiration date to the cookie, it is lost when the browser closes; these are in-memory cookies for the browser. On the other hand, you may set an expiration date for the cookie to make it a persistent cookie. A persistent cookie is stored on the client-side hard drive and retrieved on the next visit to the website, according to the expiration date set by the server side.
Programmers may use the Response object to create and set cookie values, and the Request object to retrieve the values of cookies created during previous interactions. Cookies are associated with a website, not with a specific page, so the browser and server will exchange cookie information no matter what page the user requests from your site (exception: see the benefits section for the Path property of cookies).
Limitations of cookies (compared with sessions):
1. The security of a cookie generally depends on the security of the issuing website and the user's web browser, and on whether the cookie data is encrypted. Security vulnerabilities may allow a cookie's data to be read by an attacker, used to gain access to user data, or used to gain access (with the user's credentials) to the website to which the cookie belongs. You should never store sensitive data in a cookie, such as user names, passwords, credit card numbers, and so on. Do not put anything in a cookie that should not be in the hands of the user or of someone who might somehow steal the cookie information. This also means that on the server side you should safeguard server-side logic with extra validation when you take inputs from cookies. (Less secure than a session.)
2. Most browsers support cookies of up to 4096 bytes. This limit applies to the name-value portion of the cookie only. (No size limit in a session.)
3. Most browsers allow only 20 cookies per site; if you try to store more, the oldest cookies are discarded. Some browsers also put an absolute limit, usually 300, on the number of cookies they will accept from all sites combined. So you may have to create cookies with sub-keys if you are reaching the count limits. (No count limit in sessions.)
4. The user has the right to refuse cookies. As per the Cookie Law, your website must inform visitors how you use cookies. Also, you must write a dummy cookie in your web application and read it back on the server side, to verify whether the user's current browser supports cookies. (A session is server side, so the user can’t handle or control sessions.)
5. The user has ways to clear cookies in the web browser, no matter what expiration time you set. (The user can’t clear sessions unless you expose functionality for that.)
6. You must check for the nonexistence of a cookie key in the request object to avoid null reference errors. (But the same is true for sessions too.)
7. In the request object, you will not get the expiration date of the cookie; if you are very concerned about the expiration date, you need to reset it every time on the server side. (Session timeout is controlled in web.config in .NET apps.)
Benefits of cookies:
1. You may limit the scope of a specific cookie to a specific folder of the website by setting the cookie's Path property.
2. You may set the Domain property of a cookie to limit its scope to a specific domain or sub-domain.
3. You may ask the browser to delete a cookie by setting its expiration date earlier than the current time, say yesterday.
4. To modify an existing cookie, you may create a new cookie on the server side with the same name as the existing one and send its value to the client.
5. We will discuss later in this post what server-side sessions are and how they benefit from cookies.
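The cookie operations listed above, written as an added example on the classic ASP.NET System.Web API (this is not code from the post; the cookie name "prefs", the "/account" path, the "theme"/"visits" sub-keys and the "cookieProbe" name are assumptions chosen for illustration). It shows sub-keys (limitation 3), Path scoping (benefit 1), overwrite and delete (benefits 3 and 4), the null check when reading (limitation 6), the probe-cookie support check (limitation 4), and allow-list validation of anything read back from the client (limitation 1). The HttpOnly and Secure flags are real HttpCookie properties that the post's list does not mention; they keep the cookie away from page script and off plain HTTP.

```csharp
using System;
using System.Collections.Generic;
using System.Web;

// Hypothetical helper (not from the post) for a small, non-sensitive preference cookie.
public static class PreferenceCookies
{
    private const string CookieName = "prefs";      // assumed cookie name
    private const string CookiePath = "/account";   // assumed folder scope (benefit 1)

    // Allow-list used to validate whatever comes back from the client (limitation 1).
    private static readonly HashSet<string> AllowedThemes =
        new HashSet<string>(StringComparer.Ordinal) { "light", "dark" };

    // Write the cookie. Sub-keys keep several values in one cookie (limitation 3);
    // adding a cookie with the same name as an existing one replaces it (benefit 4).
    public static void Write(HttpResponse response, string theme, int visits)
    {
        var cookie = new HttpCookie(CookieName);
        cookie.Values["theme"] = theme;                  // sub-key: prefs=theme=dark&visits=3
        cookie.Values["visits"] = visits.ToString();
        cookie.Path = CookiePath;                        // only sent for requests under /account
        cookie.Expires = DateTime.UtcNow.AddDays(30);    // persistent; must be re-sent to extend (limitation 7)
        cookie.HttpOnly = true;                          // not readable by page script
        cookie.Secure = true;                            // only sent over HTTPS
        response.Cookies.Add(cookie);
    }

    // Read the theme back. Request.Cookies[...] is null when the key is absent (limitation 6),
    // and the value is untrusted client input, so it is checked against the allow-list.
    public static string ReadTheme(HttpRequest request)
    {
        HttpCookie cookie = request.Cookies[CookieName];
        if (cookie == null) return "light";
        string theme = cookie.Values["theme"];
        return theme != null && AllowedThemes.Contains(theme) ? theme : "light";
    }

    // Numeric sub-key: TryParse rejects null, garbage and negative values.
    public static int ReadVisits(HttpRequest request)
    {
        HttpCookie cookie = request.Cookies[CookieName];
        int visits;
        if (cookie != null && int.TryParse(cookie.Values["visits"], out visits) && visits >= 0)
            return visits;
        return 0;
    }

    // Ask the browser to drop the cookie: same name and Path, expiry in the past (benefit 3).
    public static void Delete(HttpResponse response)
    {
        var expired = new HttpCookie(CookieName)
        {
            Path = CookiePath,
            Expires = DateTime.UtcNow.AddDays(-1)
        };
        response.Cookies.Add(expired);
    }

    // Limitation 4: the only reliable test for cookie support is to set a probe cookie,
    // redirect, and see whether it comes back. Returns null while the answer is pending.
    public static bool? ProbeCookieSupport(HttpRequest request, HttpResponse response)
    {
        if (request.Cookies["cookieProbe"] != null) return true;   // probe came back: supported
        if (request.QueryString["probe"] == "1") return false;     // second pass, still missing
        response.Cookies.Add(new HttpCookie("cookieProbe", "1") { HttpOnly = true, Secure = true });
        response.Redirect(request.Url.AbsolutePath + "?probe=1", false);   // answer known next request
        return null;
    }
}
```

Sub-key values are written as `key=value&key=value` inside the cookie, so keep them free of `&` and `=`; anything more structured belongs in a session, not a cookie.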
A session can be defined as server-side storage of information that should persist throughout the user's interaction with the web site or web application. Dealing with sessions without cookies is a mess, as described in the benefits of cookies above. Web applications transmit the session id from the server side as a cookie, so that the session id sent with the next request can identify the session. Some older browsers do not support cookies, or the user may disable cookies in the browser; in that case the session id may be munged into each clickable href on the page. This seems less secure to me than disabling cookies, though.
Types of session implementation: in .NET applications, sessions may be implemented in-memory on the server side (InProc session mode), using the state server service (aspnet_state.exe), using SQL Server, or by custom providers; the SQL Server session mode is the more reliable and secure session-state management, as per Jana (2009). In PHP-based applications, you may edit php.ini, set session.save_handler and use an external DB to store sessions, as per Waterson (2015). Possible values for save_handler in PHP include files (default), mm, database and SQLite. PHP also provides a function that lets you override the default session mechanism by specifying the names of your own functions for each of the distinct tasks, as per Shiflett (2004).
Benefits of sessions:
1. Easier to maintain user-specific data across all requests.
2. A vast range of object types can be stored.
3. Much more secure and hidden from the user, as compared to cookies.
4. Under the in-memory model, session data lives in a memory object of the current application domain, so accessing it is very fast and the data is readily available.
5. There is no requirement to serialize data in InProc session mode.
6. In .NET, sessions may be handled at page level too. We may disable the session or make it read-only on a specific page using the EnableSessionState property of the page.
Limitations of sessions:
1. There is an overhead involved in serializing and de-serializing objects in the StateServer and SQLServer session modes.
2. Under InProc session mode, if the worker process or application domain is recycled, all session data is lost. We may want to switch to the state service, an external DB or a custom provider here.
3. Although InProc session mode is the fastest, more session data and more users can degrade performance because of memory usage.
4. In a multiple-server (web farm) scenario, InProc session mode is not used at all.
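The session-backed shopping cart that the post contrasts with cookies, as an added example on the classic ASP.NET System.Web API (not code from the post or from the cited articles). It assumes the web.config fragment shown in the comment (the connection string is a placeholder, and the 20-minute timeout is an assumed value), an out-of-process SQLServer store so the data survives worker-process recycling and works on a web farm (session limitations 2 and 4), and therefore a [Serializable] item type (limitation 1). The CartItem class, the "cart" session key and the Sku field are illustrative names.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.SessionState;

// Assumed web.config (system.web section) for an out-of-process store:
//   <sessionState mode="SQLServer"
//                 sqlConnectionString="PLACEHOLDER-CONNECTION-STRING"
//                 cookieless="UseCookies" timeout="20" />
//   <httpCookies httpOnlyCookies="true" requireSSL="true" />
// cookieless="UseCookies" keeps the session id out of the URL; the httpCookies
// element applies the HttpOnly and Secure flags to the ASP.NET_SessionId cookie.
// SQLServer and StateServer modes serialize every stored object at the end of each
// request, so anything placed in Session must be marked [Serializable].

[Serializable]
public class CartItem
{
    public string Sku { get; set; }      // illustrative product identifier
    public int Quantity { get; set; }
}

public static class ShoppingCart
{
    private const string CartKey = "cart";   // assumed session key

    // Session[...] returns null when the key was never set: the same null check
    // that the post requires for cookies applies here.
    public static List<CartItem> Get(HttpSessionState session)
    {
        var cart = session[CartKey] as List<CartItem>;
        if (cart == null)
        {
            cart = new List<CartItem>();
            session[CartKey] = cart;
        }
        return cart;
    }

    // The quantity and SKU never leave the server, so a tampered cookie cannot change them.
    public static void Add(HttpSessionState session, string sku, int quantity)
    {
        if (string.IsNullOrEmpty(sku)) throw new ArgumentException("sku is required", "sku");
        if (quantity <= 0) throw new ArgumentOutOfRangeException("quantity");

        List<CartItem> cart = Get(session);
        CartItem existing = cart.Find(i => i.Sku == sku);
        if (existing != null)
            existing.Quantity += quantity;
        else
            cart.Add(new CartItem { Sku = sku, Quantity = quantity });

        // Reassign so the write-back to the out-of-process store does not depend on
        // the provider's change tracking of a mutated reference.
        session[CartKey] = cart;
    }

    public static int TotalItems(HttpSessionState session)
    {
        int total = 0;
        foreach (CartItem item in Get(session)) total += item.Quantity;
        return total;
    }

    // On logout, discard the server-side data instead of waiting for the idle timeout,
    // and expire the id cookie so the browser does not present the old id again.
    public static void Logout(HttpSessionState session, HttpResponse response)
    {
        session.Clear();
        session.Abandon();
        response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", string.Empty)
        {
            Expires = DateTime.UtcNow.AddDays(-1)
        });
    }
}
```

A page that only displays the cart can declare `<%@ Page EnableSessionState="ReadOnly" %>` (the page-level property from benefit 6 above), which avoids the exclusive lock and the write-back that a read-write request would otherwise pay in the SQLServer mode.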
When might a developer choose one or the other?
First things first: as stated in the definition of a session above, a session needs a cookie, at least to store the session id. If a specific piece of information need not be secured (see limitation 1 of cookies above) and its size is small, a cookie may be chosen to store it, e.g. the user's cart items, or user preferences for the next visit to the same site without a login, and so on. On the other hand, sensitive and heavy information is never passed to client-side cookies, as stated in benefit 3 of sessions above.
Are there any privacy or security implications to using either?
Session objects live on the server side. That does not mean they are fully secure, but they are certainly much more secure than cookies on the client side. Sessions will be as secure as you make them, whereas cookies don't qualify to be in this race, as stated in limitation 1 of cookies. You may make sessions more secure by using an external DB, or use the EnableSessionState property of web pages to make them more secure in .NET.
What benefits do they provide to the developer that might override those privacy and security implications?
Cookies put less overhead on the server side; if the information need not be secured, as with tracking cookies, website usability data and so on, we may choose them. The detailed benefits and limitations of cookies as compared to sessions are analyzed in the limitation/benefit sections above.
References
Auger, R. (2011, January). Cross Site Scripting. Retrieved March 03, 2016, from
Iain. (n.d.). Browser Cookie Limits. Retrieved March 03, 2016, from
Jana, A. (2009, January 23). Exploring Session in ASP.NET. Retrieved March 03, 2016, from
LassoSoft. (n.d.). Lasso Programming: Tutorial: Understanding Cookies and Sessions. Retrieved March 03, 2016, from
Microsoft. (n.d.). Maintaining Session State with Cookies. Retrieved March 03, 2016, from
Microsoft. (2011). ASP.NET Cookies Overview. Retrieved March 03, 2016, from
Optanon. (n.d.). The Cookie Law Explained. Retrieved March 03, 2016, from
Shiflett, C. (2004, December 14). Storing Sessions in a Database. Retrieved March 03, 2016, from
Waterson, K. (2015, May 8). Introduction To PHP Sessions. Retrieved March 03, 2016, from