Re: Session State vs. What?

From: Dominick Baier [DevelopMentor] (dbaier_at_pleasepleasenospamdevelop.com)
Date: 07/21/05

• Next message: Dominick Baier [DevelopMentor]: "Re: asp.net login contol using url redirect"
• Previous message: Dominick Baier [DevelopMentor]: "Re: forms authentication cookie changes"
• In reply to: Joe Kaplan \(MVP - ADSI\): "Re: Session State vs. What?"
• Next in thread: Joe Kaplan \(MVP - ADSI\): "Re: Session State vs. What?"
• Reply: Joe Kaplan \(MVP - ADSI\): "Re: Session State vs. What?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Thu, 21 Jul 2005 10:06:18 -0700

Hello Joe,

the thing is that you don't have session state in AuthenticateRequest - the
SessionStateModule runs after FormsAuthentication...so you could use Session
but have to find a way to work around that.

I personally don't like Session because it is slow (2-3 round trips per page
to the session store and you should only enable it on pages where you need
it, or set it to read only) and there is often a lot of confusion about timeouts,
especially when combined with FormsAuth.

I would use the cache, and program defensively and just check everytime for
an invalidated cache.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> In this case, you can use Session state (still works in .NET and has
> more options such as out of process) or the Cache.
>
> The cache has the advantage of being very fast. The idea with the
> cache is that you only use it for cacheable data that can be
> regenerated if it is not in the cache. You would not use it for
> critical data that the user has input as part of an ongoing process or
> something.
>
> So in your case, you might generate an IPrincipal for the user on
> their initial login and then put it in the cache. On subsequent
> logins, you would determine their identity and try to retrieve the
> IPrincipal from the cache based on the user name. If it is in the
> cache, then you just use it, if not, you regenerate it from your data
> source, add it back to the cache and use it.
>
> You could also do this with session state just as well, but you
> probably don't have to in this case unless there is data in this
> object that you really need for the whole session that can only be
> generated on the initial login or something.
>
> Those are my thoughts,
>
> Joe K.
>
> "David Lozzi" <dlozzi@(removethis)delphi-ts.com> wrote in message
> news:%23Z1RGPgjFHA.1464@TK2MSFTNGP14.phx.gbl...
>
>> Howdy,
>>
>> I just learned how to use Forms Authentication. yeah me! However, it
>> is quite limited as to how much information you can store and
>> retrieve from it. For example, in my past ASP and ASP.NET
>> applications I have used the session state to store a user's IS,
>> Fullname, security level, email and some other minor items. How is
>> that to be done without Session state?
>>
>> Here is one possible scenario I thought of: with the Forms Auth.
>> having the username, query the SQL database everytime a page is
>> loaded (or whenever necessary) to pull the user's information as
>> necessary. The bad side to this is that there will be 'unnecessary'
>> traffic on almost every page. Currently, for example, I do something
>> like so: If session("SecurityLevel") < 8 then
>> response.redirect("home.aspx"). Simple enough. With this scenario, I
>> would have to query the database first then return the security
>> level. More work for the server, no?
>>
>> Is there another way? Or is session state the best solution? I
>> remember reading a few posts that stated using the session state was
>> not a desired function due to overhead on the server, or something
>> like that. I can imagine the server would work harder querying the
>> database for a single number over storing a number in the session
>> state.
>>
>> I am trying to find the best solution moving forward, assuming
>> Session State is not it. I appreciate all of your input!
>>
>> David Lozzi
>>

• Next message: Dominick Baier [DevelopMentor]: "Re: asp.net login contol using url redirect"
• Previous message: Dominick Baier [DevelopMentor]: "Re: forms authentication cookie changes"
• In reply to: Joe Kaplan \(MVP - ADSI\): "Re: Session State vs. What?"
• Next in thread: Joe Kaplan \(MVP - ADSI\): "Re: Session State vs. What?"
• Reply: Joe Kaplan \(MVP - ADSI\): "Re: Session State vs. What?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: caching: Session state or Application state... ... > 1) When is memory used for Session State freed? ... > - if my cache item expires due to it reaching it's expiration time - is ... the type of cahcing and the expiration policy can see ... (microsoft.public.dotnet.framework.aspnet) Re: Session State vs. What? ... you can use Session state (still works in .NET and has more ... The cache has the advantage of being very fast. ... I would have to query the database first then ... > function due to overhead on the server, ... (microsoft.public.dotnet.framework.aspnet.security) Re: DataAdapter update ... Among these, if you dont want to use session state, you can probably use ... Application or Cache. ... You might be able to use ViewState too but you will need to test to make ... It> seems easier to just update each row in the DataList than go through the> process of only updating modified rows. ... (microsoft.public.dotnet.framework.aspnet) Re: 3rd party application, cache and session state ... that the app uses cache (with sql server 2000) and Session States. ... Session State Boolean 3 ... Session State String 6 ... (microsoft.public.dotnet.framework.aspnet) Re: Question about objects in Cache ... By any chance are you using out of processes session state ... >always being pulled from cache because the new defaults are not present ... The instance in the .aspx form is ... (microsoft.public.dotnet.framework.aspnet)

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint