4

I'm not getting the concept of Web API and session.

I've created an ASP.NET Web API project and integrated AngularJS in it. Every time I'm gonna call Web API.

I have read the articles which state it's not good to use session in Web API. I do understand that Web API is a stateless approach. I do agree. Still, there is a way to use session.

First question: If, after login, I want to show the user name on every page, what should I do with the Web API approach?

Second question: they say don't use session in Web API. Then what is the other way/approach to store client information safely?

If I use HTML5 local storage, it can be editable. If cookie is used, it can be deleted.

What and how should I do it for user till application is in running mode?

Dennis Kriechel
micronyks

3 Answers

2

This is where semantics often clouds the discussion. People confuse the Session object with statelessness. And often say: 'don't use session because it isn't stateless!'.

However, they really mean that you should strive to have your RESTful calls be idempotent, meaning they don't change their behavior depending on whatever it is you do in the background.

Session, or the runtime-cache, or whatever it is you use to cache data, has no effect on your stateless design, because really, what's next? Your database is stateful too? And you shouldn't read data from that? Nonsense obviously; your underlying storage, whether it's in-memory or on disk, has no reflection on your state to the client.

Although I feel @MajoB makes other valid points about not using the session object, there is really no harm in using some kind of cache in the web api, session or something else. But never let the fact that something is IN session return a different result than when something is OUT of session.

Gerben Rampaart
1

I would recommend you avoid asp.session because it may cause performance issues, can expire anytime regardless of your application state, does not scale on cloud, and will block concurrent ajax requests. A better approach would be to use the HTML 5 storage mechanism, especially in conjunction with AngularJs (you can use ng-storage https://github.com/gsklee/ngStorage).

Marian Ban
  • But if I use sessionStorage of HTML 5 and store username in it after login. localStorage is editable and so I don't feel safe with it. What with F12, if I change Username? – micronyks Dec 02 '14 at 08:39
  • 1
    @micronyks yes you can, but you can also edit the html of that page in the same way by pressing F12, but these changes will affect only your local browser and will not be performed by regular users. The only thing which you have to be aware of is secure information (like passwords), which shouldn't be stored on the client side in an unencrypted state. – Marian Ban Dec 02 '14 at 08:45
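
The concern in the comments above, as an added example that is not part of any poster's answer: the name kept in browser storage can be edited with F12, so the API takes the caller's identity on every request from a server-signed token rather than from the stored name. It is written in Node.js rather than ASP.NET, and `issueToken`, `verifyToken`, `demo` and the token layout are assumptions made for this illustration.

```javascript
const crypto = require('crypto');

// Assumption: the key exists only on the server (protected configuration in practice).
const SERVER_KEY = crypto.randomBytes(32);
const b64url = (value) => Buffer.from(value).toString('base64url');
const sign = (data) => crypto.createHmac('sha256', SERVER_KEY).update(data).digest();

// Issued by the API once, after a successful login.
function issueToken(userName, ttlSeconds, now = Date.now()) {
  const payload = b64url(JSON.stringify({ sub: userName, exp: now + ttlSeconds * 1000 }));
  return `${payload}.${b64url(sign(payload))}`;
}

// Run on every API call. Returns the verified user name, or null if the
// token is malformed, altered or expired.
function verifyToken(token, now = Date.now()) {
  const [payload, sig, ...rest] = String(token).split('.');
  if (!payload || !sig || rest.length) return null;
  const expected = sign(payload);
  const given = Buffer.from(sig, 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  let claims;
  try {
    claims = JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
  } catch {
    return null;
  }
  if (typeof claims.sub !== 'string' || typeof claims.exp !== 'number') return null;
  return claims.exp > now ? claims.sub : null;
}

// Constructed scenario: `store` stands in for sessionStorage/localStorage.
function demo() {
  const store = { userName: 'alice', token: issueToken('alice', 900) };
  const honest = verifyToken(store.token);
  // Editing the displayed name changes only the local page, not the identity.
  store.userName = 'admin';
  const afterDisplayEdit = verifyToken(store.token);
  // Editing the token payload breaks the signature, so the API rejects it.
  const edited = b64url(JSON.stringify({ sub: 'admin', exp: Date.now() + 900000 }));
  store.token = `${edited}.${store.token.split('.')[1]}`;
  const afterTokenEdit = verifyToken(store.token);
  return { honest, afterDisplayEdit, afterTokenEdit };
}
```

The stored name is used for display only; any authorization decision uses the value `verifyToken` returns.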
0

I would recommend you use asp.net identity and render user information on server.

Mikalai
  • My idea is not storing user information on client. You can access user information in view like [this](http://stackoverflow.com/questions/263486/how-to-get-current-user-in-asp-net-mvc). Also in most cases asp.net web api is used with asp.net mvc – Mikalai Dec 02 '14 at 09:02
  • I don't understand your way. I'm using pure web api and not mvc controller. I don't know how to go ahead. – micronyks Dec 02 '14 at 09:07