
In my project I use session to store user information (username, password, personal image, and gender) to be used in all pages of my project. I also use two other sessions to store small strings. Is there any disadvantage of using session? Also, is there any risk of using session to store the user password?

gdoron
Ahmed Shamel
  • What does `I also use two other session to store small strings` mean? – gdoron Dec 06 '14 at 21:12
  • 5
    You really don't need to store the password. It's against common sense and raises possible severe security issues. – Wiktor Zychla Dec 06 '14 at 21:17
  • I mean there is 3 session in my project. One session is used to store user info, the second and the third session is used to store some int global variables. – Ahmed Shamel Dec 06 '14 at 21:19
  • If you ever move to a web farm, Session doesn't replicate across machines. So you'd have to manage the Session yourself per request to and from DB or disk. – Ashley Lee Dec 06 '14 at 21:35
  • @AshleyLee - ASP.Net session state supports cross-process sessions using SQL Server or a state service. This doesn't mean session is the correct choice, but a level of scalability *is* built into the framework. – Tim M. Dec 06 '14 at 21:37

2 Answers

Some things to take into account:

  • Don't store passwords. You should hash the incoming password, validate against the hash in your DB, and not hold on to it afterwards.
  • You should try to avoid using a write-access Session throughout the application, since you'll end up forcing asp.net to serialize incoming requests from the same session. Use read-only Session to avoid that. This could become apparent if you initiate multiple ajax calls simultaneously. More info here: https://connect.microsoft.com/VisualStudio/feedback/details/610820/session-based-asp-net-requests-are-serialized-and-processed-in-a-seemingly-inverse-order
  • Storing too much data in the Session could cause scalability issues, since all that information is held in memory on the server. If you switch over to SQL storage for sessions (common in webfarm/cloud deployments), then if the session is large every request on the server will have that Session data going back and forth between the server and the DB.
  • Content that goes into the session should be Serializable, just in case you decide to move over to a different persistent storage (such as SQL Server).
  • Using Sessions to retain information may not go well with stateless REST/WebApi endpoints (if you need to create any in the future)
  • Excessive use of Session for storage could make unit testing slightly more difficult (you will have to mock the Session)
  • By "personal image" I assume you are storing a URL or such, and not an actual binary image. Avoid storing binary content. Only return the binary image file when the browser requests it, and don't store it in memory; the browser can cache that content easily.

You might also find the references linked in this answer to be useful in providing additional information: https://stackoverflow.com/a/15878291/1373170

Pablo Romeo
  • Thanks, as you say I use session["PersonalImage"] to store url not the binary image. Just for more information, is there any method to store global variables without using session[""] ? – Ahmed Shamel Dec 07 '14 at 10:32
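Putting the first two bullets of this answer together, as an added ASP.NET MVC example that is not code from the answer or from the asker's project: the object kept in Session is a small [Serializable] profile without the password, the login action checks the incoming password against a PBKDF2 salt and hash loaded from the database (UserRepository.FindUser is a hypothetical lookup assumed here), and a page that only reads the profile is marked SessionStateBehavior.ReadOnly so it does not block concurrent requests from the same session.

```csharp
using System;
using System.Security.Cryptography;
using System.Web.Mvc;
using System.Web.SessionState;

// Only this small, serializable profile goes into Session; the password never does.
[Serializable]
public class UserProfile
{
    public string Username { get; set; }
    public string Gender { get; set; }
    public string PersonalImageUrl { get; set; } // a URL, not the image bytes
}
public static class PasswordHasher
{
    // DB stores a per-user salt + PBKDF2 hash; login re-derives and compares in constant time.
    public static bool Verify(string password, byte[] salt, byte[] expected, int iterations = 100000)
    {
        byte[] actual;
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations))
            actual = kdf.GetBytes(expected.Length);
        int diff = 0;
        for (int i = 0; i < expected.Length; i++) diff |= actual[i] ^ expected[i];
        return diff == 0;
    }
}
public class AccountController : Controller
{
    [HttpPost]
    public ActionResult Login(string username, string password)
    {
        // UserRepository.FindUser is a hypothetical DB lookup returning Salt, Hash and Profile.
        var user = UserRepository.FindUser(username);
        if (user == null || !PasswordHasher.Verify(password, user.Salt, user.Hash))
            return View("Login");
        Session["User"] = user.Profile; // profile only; the plaintext password is dropped here
        return RedirectToAction("Index", "Home");
    }
}
// ReadOnly: ASP.NET then won't serialize concurrent requests (parallel AJAX) from one session.
[SessionState(SessionStateBehavior.ReadOnly)]
public class HomeController : Controller
{
    public ActionResult Index()
    {
        var profile = Session["User"] as UserProfile;
        if (profile == null) return RedirectToAction("Login", "Account");
        return View(profile);
    }
}
```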

The main problem with using Session, or any machine-dependent property, is the scalability of the web site: if you want to deploy your web site to a farm of servers, you can see the problem with depending on a machine-state property, since the request may be processed on different machines.

Hope that helps.

Omar.Alani
  • Moreover, in the mentioned case, it's worth mentioning that you have the option to assign a special server for saving the state only, and let the other servers work independently of the session state; they take it from the state server. That is to say, the state server takes the page request first, adds the state to it and then passes it over to the most free web site server along with the state. This option is fully supported by IIS and Microsoft's environments. – Jacob Dec 06 '14 at 22:33