site wide variables per user

Question

I have an MVC4 site that needs to maintain some information while (and ONLY while) the user is logged in. For example, once the user logs in, I get a 'user token' back that allows me access to several off site services.

I've tried two different approaches. The first was to use a public static class that accesses the user session. However, after reading up on static classes, I'm hesitant to use them. According to what I'm reading, static classes should only be used for read only objects, and I wasn't using it that way. Although the site site did seem to be working fine with a limited number of users (currently there's 10).

(If someone would like to explain to me why this is a bad idea in MVC4, please tell me and/or link to an article)

public class SessionAccessorClasses
{
    public const string SessionAccessorSessionVariablesString = "_SessionAccessorSessionVariables";
    public static SessionAccessorModel SessionVariables
    {
        get { return System.Web.HttpContext.Current.Session != null ? (SessionAccessorModel)System.Web.HttpContext.Current.Session[SessionAccessorSessionVariablesString] : null; }
        set { System.Web.HttpContext.Current.Session.Add(SessionAccessorSessionVariablesString, value); }
    }
}

My second (and current) approach is to use Session variables and access them using a globally available class.

public class SessionAccessorClasses
{
    private const string SessionAccessorSessionVariablesString = "_SessionAccessorSessionVariables";
    public SessionAccessorModel GetSessionVariables()
    {
        return System.Web.HttpContext.Current.Session != null ? (SessionAccessorModel)System.Web.HttpContext.Current.Session[SessionAccessorSessionVariablesString] : null;
    }
    public void SetSessionVariables(SessionAccessorModel value)
    {
        System.Web.HttpContext.Current.Session.Add(SessionAccessorSessionVariablesString, value);
    }
    public void ClearSessionVariables()
    {
        System.Web.HttpContext.Current.Session.Remove(SessionAccessorSessionVariablesString);
    }
}

This works fine, but I hesitate to call it good is because I don't fully understand why the public static class was such a bad idea, and because I now have to instantiate my new class at the beginning of nearly every function, and call the Set/Update function at the end of every function; which feels wrong somehow.

So first, since my original static class was accessing the users session, is it really that bad?

Second, is my second class a more appropriate way of doing things? Can you suggest improvements?

Third, if nothing else, can you give me the positive/negative aspects of doing it either way?

Static Classes, Fields, Methods and Properties exist only once per appDomain. This means that most if not all users using your website would share the Static classes (Properties.. etc). — Erik Philips, Jun 10 '14 at 18:51
@ErikPhilips, thank you, I wasn't sure how/where Static Classes were stored in MVC. But, since the class is only a wrapper for accessing the users session, what I call the `SessionAccessorModel` would be unique between users correct? — barbajoe, Jun 10 '14 at 18:56
I don't see anything *wrong* that would case a problem with the way `SessionAccessorModel` has been created. It should work as you need it to. — Erik Philips, Jun 10 '14 at 19:10

Erik Philips · Accepted Answer · 2014-06-10T19:14:19.353

You want to use Session in ASP.net. It was created for the purpose you describe.

ASP.NET session state enables you to store and retrieve values for a user as the user navigates ASP.NET pages in a Web application. HTTP is a stateless protocol. This means that a Web server treats each HTTP request for a page as an independent request. The server retains no knowledge of variable values that were used during previous requests. ASP.NET session state identifies requests from the same browser during a limited time window as a session, and provides a way to persist variable values for the duration of that session. By default, ASP.NET session state is enabled for all ASP.NET applications.

I'm a fan of strongly-typed reusable session variables, so I wrote the following extensions to store whatever variables you want to create without the need to constantly remember magic strings.

public static class SessionExtensions
{
    public static bool TryGetValue<T>(this HttpSessionStateBase session, out T value) 
      where T : class
    {
        var name = typeof(T).FullName;

        value = session[name] as T;

        var result = value != null;

        return result;
    }

    public static void SetValue<T>(this HttpSessionStateBase session, T value)
    {
        var name = typeof(T).FullName;

        session[name] = value;
    }

    public static void RemoveValue<T>(this HttpSessionStateBase session)
    {
        var name = typeof(T).FullName;

        session[name] = null;
    }

    public static bool ValueExists(this HttpSessionStateBase session, Type objectType)
    {
        var name = objectType.FullName;

        var result = session[name] != null;

        return result;
    }
}

So if you have a class:

public MyClass
{
  public int MyInt { get; set; }
}

You can store it by simply:

Session.SetValue(MyClass);

that needs to maintain some information while (and ONLY while) the user is logged in.

These methods could be updated a few ways to fulfill this requirement. Here is one way:

public static bool TryGetAuthenticatedValue<T>(this HttpSessionStateBase session, 
  out T value) 
  where T : class
{
    value = null;

    if (HttpContext.Current.User != null
        && HttpContext.Current.User.Identity != null
        && HttpContext.Current.User.IsAuthenticated)
    {
      var name = typeof(T).FullName;

      value = session[name] as T;
    }

    var result = value != null;

    return result;
}

I would also recommend that whatever classes you store in session, be serializable. That is to say it has a parameterless constructor and marked as [Serializable].

if I use a public static class to access the session, will the data that I retrieve be unique to each user? and are there any other things to be aware of if I mix the Session and static classes together? — barbajoe, Jun 10 '14 at 18:59
[Static methods aren't inherently thread-safe.](http://stackoverflow.com/questions/1090650/are-static-methods-thread-safe) is a good read. Session is stored in such a way that it can only be retrieved by the *user/request* that created the value. — Erik Philips, Jun 10 '14 at 19:07
So to expand a little bit on my previous comment; The method itself is the same and shared across all requests, but the values used by the method can be shared or not shared depending on how the method is implemented. In my example the value returned is per *user/request*. — Erik Philips, Jun 10 '14 at 19:11
that's all extrememly helpful! question to make sure I understand all of it: the reason that this implementation is per *user/request* is because it utilizes Sessions correct? and if I wanted to share the information across users I would simply not use Sessions correct? — barbajoe, Jun 10 '14 at 19:30
Correct. Also for future thought, if you want to store values across the entire application you would want to use [HttpApplicationState](http://msdn.microsoft.com/en-us/library/system.web.httpapplicationstate.aspx) which is similar to Session but shared across all users/requests. — Erik Philips, Jun 10 '14 at 19:50

site wide variables per user

1 Answers1

Linked