1

Are there any reasons why static classes in Asp.Net can lead to a security threat? Do not objects just live in current session ?

Thank you!

Andrey Korneyev
  • 26,353
  • 15
  • 70
  • 71
eriksv88
  • 3,482
  • 3
  • 31
  • 50
  • Where did you read that? Could you please link it? – Sriram Sakthivel Nov 26 '14 at 09:14
  • Even without static *classes* you could still create static *variables* - which certainly wouldn't be tied to a particular session. This question is currently a bit too vague to answer... – Jon Skeet Nov 26 '14 at 09:15
  • just as an answer to your second question http://stackoverflow.com/questions/194999/are-static-class-instances-unique-to-a-request-or-a-server-in-asp-net – BRAHIM Kamel Nov 26 '14 at 09:20

2 Answers2

1

Objects live in a so called AppPool in the IIS. As long as that is not recycled, objects with static lifetime will be available. As one cannot reliably know when recycling happens, having static variables is a bad idea either way. Using them to hold data between calls or assuming they will not hold data between calls is both equally dangerous.

That said, if your static class does not hold data and only consists of methods, that's perfectly fine.

nvoigt
  • 75,013
  • 26
  • 93
  • 142
0

Static class has no instance, and consequently you should not be keeping any state of any object in side them. So theoretically it shouldn't be an issue with the security of designed correctly.

Now static variables on the other side could cause security issue if used improperly.

For example if variable like isLoggedIn is static, once one person logs in, every other user is automatically logged in because the variable will be true for every instance of the class using it.

Alexus
  • 942
  • 7
  • 20