37

I have a situation where I need access to a shopping cart over several pages. So:

- On the product page - create the cart and add some items
- On the cart checkout page - confirm the billing address
- On the cart checkout post - do a final check, add cart to DB and go off to payment

My question is, what's the best way to pass around the cart?

I have tried passing the Cart from page to postback and keeping all the values alive. However, on some pages (the billing address confirmation page) this seems like a lot of hassle; all I want to check is the billing address, and I don't really want tons of HiddenFor() on the page to populate the cart back again.

TempData[] is what I used for the product to checkout page, then wondered is it best to keep on setting TempData all the time when....

you could just use a session variable?

For some reason I read it's not great practice to use Session, hence the question.

Thanks for your guidance, I can happily provide some code/more info if you deem it helpful.

Keeno
  • 1,626
  • 2
  • 18
  • 25
  • best answer is from @NightOwl888 "For a shopping cart, you should definitely not use session state" – Adeem Mar 29 '17 at 14:09

7 Answers

58

It is perfectly OK to use sessions in ASP.NET MVC, especially in the shopping cart scenario of yours.

There are drawbacks of using sessions, but they seem not to apply to your case:

1) The sessions prevent a user from properly browsing your site from multiple browser tabs; the changes made in one tab are reflected in all others. But with a shopping cart, it's exactly what you need. You don't need several shopping carts per user, do you?

2) The sessions aren't persisted by default, and if you're operating on a webfarm, you need to save the sessions in your database to be accessible by every farm node. But it seems unlikely that you're scaling like this. And if you meet the scaling necessity, sessions won't be your top problems.

3) Sessions require additional functionality from the user's browser (typically, cookies). But modern browsers all support cookies, so you only have to worry about very special browsers.

There are also some benefits of the sessions over hidden inputs:

1) The smaller overhead. Only a small session cookie is passed back and forth between you and the client, rather than the complete set of hidden inputs.

2) Simpler programming. You don't have to make sure you included your hidden inputs in every single one of your pages.

3) Security. The client can alter the contents of hidden inputs however he pleases. You can't easily pass sensitive information via hidden inputs, you need to encrypt it. Session values are stored on the server, so the client doesn't have access to them.

josh
  • 41
  • 10
Zruty
  • 8,377
  • 1
  • 25
  • 31
11

Sessions are fine, but consider the Amazon-style system whereby you are issued with a recognition cookie even when you are not logged in. This allows them to store your shopping basket in the database, keyed against the recognition cookie.

The result is that you avoid the horrible user experience of losing your shopping basket due to session timeout / server appdomain recycling (the latter is mitigated by using SQLState session storage, which I recommend). The user can come back days later and their basket will still be there. Unless that's a security / privacy problem, I find it the better solution.

James McCormack
  • 9,217
  • 3
  • 47
  • 57
10

It is very much OK to use session with an ASP.NET MVC application. Steve Sanderson has used session for the cart in the sample application that comes with his book. The code is available here

Muhammad Adeel Zahid
  • 17,474
  • 14
  • 90
  • 155
  • 2
    +1 - It's ok to use session still, but need to be careful not to overuse it as was the norm in webforms. A fat session still isn't a good thing. – Michael Shimmins Jul 19 '11 at 09:05
  • I mean using it where needed. As Zruty explained, we should not be overusing it. A cart is one of the perfect scenarios that calls for using session – Muhammad Adeel Zahid Jul 19 '11 at 10:06
5

I would use Session, unless there were reasons to avoid it.

For example, I have one project where I have repeated calls to an MVC action in the background. This action serves a file, which is slow over the network. I used to use Session, but I quickly discovered the main adverse effect: IIS won't execute calls from the same user in parallel, but only sequentially one after the other. This had a dramatic impact on performance, so I used an alternative method: I set HttpContext.User.Identity to the username, and use it as the key to fetch things from the database. But you could probably set it to some random GUID and have this to replace Sessions.

Palantir
  • 23,820
  • 10
  • 76
  • 86
  • 4
    It's true that for ASP.NET pages that have Session enabled, and general MVC Controllers, same-user HTTP requests are synchronized due to session lock. However in MVC 3 you can control the Session-usage characteristics of a Controller by using the `SessionState` attribute. For example, to restrict use of session entirely on a controller and thereby allow asynchronous calls (e.g. for AJAX polling or a File serving), you would use `[SessionState(System.Web.SessionState.SessionStateBehavior.Disabled)]`. For more info: http://tech-journals.com/jonow/2011/10/22/the-downsides-of-asp-net-session-state – James McCormack Aug 01 '12 at 09:36
4

For a shopping cart, you should definitely not use session state. A sound approach is to use the Anonymous Identification Module to manage a cookie for you. All you need is one line in web.config.

```xml
<system.web>
    <anonymousIdentification enabled="true" />
</system.web>
```

Then, on each request you can use the `Request.AnonymousID` property (which returns a string representing a GUID) to look up the shopping cart in the database.

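```csharp
public ActionResult ShowCartDetails()
{
    // Request.AnonymousID is the GUID string issued by the Anonymous Identification Module.
    var cartId = new Guid(Request.AnonymousID);

    // Lookup cart...

    return View();
}
```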

This is not only more efficient than using session state, it is also simpler.

NightOwl888
  • 55,572
  • 24
  • 139
  • 212
2

I tend to use a cookie with my shopping cart serialized into a base64 string; this seems to work quite well.

Simon
  • 2,810
  • 2
  • 18
  • 23
  • 1
    what are the benefits of doing this over a session variable? – Keeno Jul 19 '11 at 09:19
  • 1
    Pros: Reduce storage load on server, avoids session timeout issues. Cons: Increased size of HTTP traffic, requires more security checks to prevent malicious fiddling of the cookie data. Also bear in mind that there is a limit to the size of data stored in the cookie: http://myownplayground.atspace.com/cookietest.html – James McCormack Jul 19 '11 at 09:32
  • What @Zootius said. I wasn't saying you should do this, just giving another option – Simon Jul 19 '11 at 09:42
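
James McCormack's comment above notes that a cart kept in a cookie needs checks against tampering, and Zruty's answer makes the same point about hidden inputs. The following is an added example, not code from any of the answers, of one such check: the server attaches an HMAC-SHA256 tag to the serialized cart and rejects any value whose tag does not verify. The class name, payload format and key are assumptions made for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class SignedCartCookie // hypothetical helper, not from the answers
{
    // Constructed demo key; a real site loads a random 32-byte secret from protected config.
    static readonly byte[] Key = Encoding.UTF8.GetBytes("constructed-demo-key-not-for-production");

    // Cookie value = base64(payload) + "." + base64(HMAC-SHA256(Key, payload)).
    public static string Protect(string cartPayload)
    {
        byte[] data = Encoding.UTF8.GetBytes(cartPayload);
        using (var hmac = new HMACSHA256(Key))
            return Convert.ToBase64String(data) + "." + Convert.ToBase64String(hmac.ComputeHash(data));
    }

    // Returns false for any value whose tag the server did not produce.
    public static bool TryUnprotect(string cookieValue, out string cartPayload)
    {
        cartPayload = null;
        string[] parts = (cookieValue ?? "").Split('.');
        if (parts.Length != 2) return false;
        try
        {
            byte[] data = Convert.FromBase64String(parts[0]);
            byte[] tag = Convert.FromBase64String(parts[1]);
            using (var hmac = new HMACSHA256(Key))
                if (!FixedTimeEquals(hmac.ComputeHash(data), tag)) return false;
            cartPayload = Encoding.UTF8.GetString(data);
            return true;
        }
        catch (FormatException) { return false; } // not valid base64
    }

    // Compares every byte so timing does not reveal how much of the tag matched.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        string payload, cookie = Protect("sku=1042&qty=2"); // constructed sample cart
        Console.WriteLine(TryUnprotect(cookie, out payload) + " " + payload);
        // A client edits the payload but cannot recompute the tag without Key.
        string forged = Convert.ToBase64String(Encoding.UTF8.GetBytes("sku=1042&qty=-5")) + "." + cookie.Split('.')[1];
        Console.WriteLine(TryUnprotect(forged, out payload));
    }
}
```

Signing gives integrity only: the cart contents stay readable by the client, so prices should still be looked up on the server rather than trusted from the cookie.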
0

In a cart system, the products that are added to the cart are very important, so using session is not a good idea in my view. Using cookies and a temporary table in the database is one of the best ideas. We can store that data forever or clear it after a certain number of days.