Store session info in ASP.Net Cookie or Session State?

I need to store some session related data for a user. This data does not need to be encrypted but I want to ensure the user cannot modify it. I think my options are to store it into a hidden field, store it into a cookie, or store it in ASP.Net session state. I need the solution to be server farm safe.

If it's stored in a cookie or hidden field, then I need a way to ensure a user can't modify it.

What do you think is the best approach for this sort of data?

w.donahue asked Jan 17 '12 08:01



2 Answers

First question I ask myself about session data: do I really need it? Remember that the web is stateless, so maybe you can re-engineer your application to not use session state. Sessions require a lot of management and server resources.

Meanwhile you have two solutions:

  • because you are in a farm, put your session on SQL Server by configuring session state in web.config (it requires resources and is a bit slower, but it is the safest way to store session data to ensure the user cannot modify it)

  • add an encryption/decryption mechanism to your cookie with a private server key

Be.St. answered Oct 20 '22 00:10


A user is always able to modify cookies, because it is client-side storage. You need to store the data server-side.

ASP.NET Session State is an acceptable solution for your problem, although there are some caveats regarding server farms. This MSDN article explains how to make Session State work for your server farm environment. Be.St.'s answer touches on the suggested out-of-process approach.

A third alternative is to create a database driven session storage that does not necessarily depend on Session state. I find Session State to be a bit of a hassle with different deployment environments (e.g. server farms), so I will sometimes use this approach. You can then access this data by attaching a session key to the querystring or storing the session key in the cookie (still potentially modifiable by the user, but less likely to be a target for such action).

smartcaveman answered Oct 20 '22 00:10
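Both answers point out that a cookie stays client-side and can be edited by the user. Since the question only needs tamper detection, not secrecy, the usual fix is to sign the cookie value with an HMAC under a key that lives only on the server and is identical on every farm node. The following is an added illustration, not code from the question or either answer; the class name `SignedCookie`, the cookie payload and the key source are assumptions.

```csharp
// Added example: HMAC-authenticated cookie value. The payload is readable but any
// change to it (or to the MAC) is rejected on the next request. The key must be the
// same on every server in the farm; obtain it from your secret store, never from the client.
using System;
using System.Security.Cryptography;
using System.Text;

public static class SignedCookie
{
    // Produces "<base64url payload>.<base64url HMAC-SHA256>" for Response.Cookies.
    public static string Sign(string payload, byte[] key)
    {
        byte[] data = Encoding.UTF8.GetBytes(payload);
        byte[] mac;
        using (var hmac = new HMACSHA256(key)) mac = hmac.ComputeHash(data);
        return ToBase64Url(data) + "." + ToBase64Url(mac);
    }

    // Returns the payload if the MAC verifies, otherwise null (treat as "no cookie").
    public static string Verify(string cookieValue, byte[] key)
    {
        if (string.IsNullOrEmpty(cookieValue)) return null;
        int dot = cookieValue.LastIndexOf('.');
        if (dot <= 0) return null;
        byte[] data, given;
        try
        {
            data = FromBase64Url(cookieValue.Substring(0, dot));
            given = FromBase64Url(cookieValue.Substring(dot + 1));
        }
        catch (FormatException) { return null; }   // malformed value: reject, do not throw
        byte[] expected;
        using (var hmac = new HMACSHA256(key)) expected = hmac.ComputeHash(data);
        // Constant-time comparison so timing does not leak how many MAC bytes matched.
        if (expected.Length != given.Length) return null;
        int diff = 0;
        for (int i = 0; i < expected.Length; i++) diff |= expected[i] ^ given[i];
        return diff == 0 ? Encoding.UTF8.GetString(data) : null;
    }

    static string ToBase64Url(byte[] b) =>
        Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    static byte[] FromBase64Url(string s)
    {
        string t = s.Replace('-', '+').Replace('_', '/');
        switch (t.Length % 4) { case 2: t += "=="; break; case 3: t += "="; break; }
        return Convert.FromBase64String(t);   // throws FormatException on bad input
    }
}
```

Set the cookie with `HttpOnly` and `Secure` and use a key of at least 32 random bytes; a user who edits the payload gets `null` back from `Verify`, so the server falls back to its default instead of trusting the modified value.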