1

So, im working in a huge .NET MVC 3 system. As many users could be logged in at same time. I was just writting a way of "hey there's still someone logged with this key" with HttpContext. But, is this the best practice ? is it better to Query DB ?

what i wrote:

     MvcApplication.SessionsLock();

        if (!force && MvcApplication.Sessions.Values.Any(p => p.ID.Equals(acesso.id_usuario.ToString(CultureInfo.InvariantCulture)) && p.Valid))
            throw new BusinessException("There's another user logged with this key. Continue ?");

     MvcApplication.SessionsUnlock();

our I can query my DB.. maybe cookies ? any ideas would be appreciated

tereško
  • 58,060
  • 25
  • 98
  • 150
Jaime Yule
  • 981
  • 1
  • 11
  • 20
  • How are you going to differentiate between two session of same user and two sessions of different users with same access key? – Sergei Rogovtcev Aug 16 '12 at 18:54
  • didn't understand your question.. my *post* to login in the system send CPF(Personal Registration) and password. CPF is unique. So if the same CPF try to loggin... you know. – Jaime Yule Aug 16 '12 at 19:13
  • Are you using the Membership Provider either out of the box or rolled your own? – Luke Baughan Aug 16 '12 at 19:20
  • I'm not using Membership Provider. Just setting by my one.. the thing is: I want to know if *session* is a good practice. That piece of code works. But i have been reading a lot of articles deprecating usage of sessions on ASP.NET MVC Application. – Jaime Yule Aug 16 '12 at 19:26
  • Why can't user login twice? And no, `Session` will not work at all, because it is not shared between several users. – Sergei Rogovtcev Aug 16 '12 at 19:39
  • it's not login twice. It's 2 distinct logins with same *userName* for example. _session_ is per client. 'MvcApplication.Sessions' is a Dictionary of users _session_ – Jaime Yule Aug 16 '12 at 20:17

1 Answers1

1

Storage

The database provides a central, durable location for this information. You might use a custom data structure, or ASP.Net SQL session might meet your requirements (more below on this).

There is not a deterministic way of always knowing exactly when a user's session ended. For example, you can listen to the Session End event, but it will only fire for in-process sessions and is not guaranteed to fire at all (e.g. the OS could crash).

Regardless, if you are building a "huge system" as you state, you shouldn't design against using in-proc session as it won't scale upwards. Start thinking about SQL-based session state which is more scalable (and may give you enough information to determine roughly how many users are active).

Session Pro/Con

I want to know if session is a good practice. That piece of code works. But i have been reading a lot of articles deprecating usage of sessions on ASP.NET MVC Application.

As far as Session being a good or bad thing--as always--it depends on how it is used. Properly designed MVC apps can present fairly complex views without needing to preserve state. Part of this is due to strong support for AJAX (no need to reload the page) and elegant model binding (which can take a complex Request.Form and turn it into a complete model).

Conversely, there is nothing inherently wrong with putting small snippets of repeatedly-used information into session state, using it to avoid sending sensitive data to the client, using it to make a smoother user flow, etc.

Do beware of session fixation attacks in high-security scenarios. Session may not be appropriate and/or may need to be manually secured further.

One thing to be aware of is that ASP.Net places a lock on session. This can lead to very real performance issues when multiple requests are made at once. Normally, this isn't an issue, but consider a page with a dozen AJAX widgets which all requested data from a controller or endpoint that used session. These will contend with each other (firsthand experience).

MVC provides an easy way to mark a controller as needing only readonly access to Session, which eliminates the issue. However, any read/write activity to Session will still be serialized, so plan accordingly.

Business Considerations

From a business perspective it's not always important to know that the session has expired so much as work has ceased (do you care that they stopped using the site, or that their session timed out?) This can be reliably addressed by checking last modified timestamps on entities and warning the users. Warn, don't lock. In my opinion, you shouldn rarely/never lock records based on login/logout in a web application (too easy to get stuck in a locked status).

Community
  • 1
  • 1
Tim M.
  • 53,671
  • 14
  • 120
  • 163
  • wow. thanks, im using session only to check user. And im using ajax with knockout so it's the system is huge but nice. When a user log-in I save it on the base and create a session for him. The problem is.. my boss don't want to let 2 users with the same credentials to log-in simuntanily, then you can say "search the damm table". Yes it's a way.. but when an user log-in I consume a webService from another huge system, it take a good time. Another query there is not a good idea. I'm developying now a class to store cockies with credentials of everyone LOGGED. Then, destroying it after *logoff* – Jaime Yule Aug 18 '12 at 21:16