What's Wrong With Sessions?

  • Thread starter Thread starter senfo
  • Start date Start date
S

senfo

I've had multiple people tell me that I should avoid using session
variables, wherever possible and suggesting using cookies and context
instead; however, nobody has been able to give me an explanation as to
why. I'm aware of the issue when using kernel cache in IIS 6.0
(http://support.microsoft.com/kb/917072), however, I'm not using output
cache right now.

I greatly prefer session variables to cookies for security reasons, so
this is really bothersome. Can somebody please offer some insight?

Thank you in advance,
 
All session variables are stored in RAM, but using session variables is OK.

The only thing to watch for is that you don't overload your server's
memory resources by loading memory intensive data into session variables.

i.e., if you load a 5MB dataset into a session variable ( an extreme example )
and you have 1,000 visitors to your website before your default session timeout
expires, don't be too surprised if you have server memory exhaustion problems.

Otherwise, go ahead and use them without worry.

Just make sure that the total RAM used by the session variables
doesn't exceed a reasonably low percentage of your server's memory resources.

If you do, your server will recycle the application's process at the configured memory limit.

Even then, you can cushion yourself if you use SQL Server
or State Server to store your session data.




Juan T. Llibre, asp.net MVP
asp.net faq : http://asp.net.do/faq/
foros de asp.net, en español : http://asp.net.do/foros/
===================================
 
I've had multiple people tell me that I should avoid using session
variables, wherever possible and suggesting using cookies
Click to expand...

Well, I would disagree completely and suggest you should NEVER use cookies
unless you absolutely have to...
I greatly prefer session variables to cookies for security reasons, so
this is really bothersome. Can somebody please offer some insight?
Click to expand...

I can't really add anything to Juan's reply, other than to say that I agree
with it...
 
I agree with Juan. The worste side-effect is running out of memory and
having the application recycle, which basically amounts to a restart in
appearance. This can be a giant pain as there's a delay during the recycle
process that may be noticeable.

If you do need to use SessonState, you can improve the performance of the
app by disabling it on pages that don't need it. This was also true in
classic ASP.
 
senfo said:
I've had multiple people tell me that I should avoid using session
variables, wherever possible and suggesting using cookies and context
instead; however, nobody has been able to give me an explanation as to
why. I'm aware of the issue when using kernel cache in IIS 6.0
(http://support.microsoft.com/kb/917072), however, I'm not using output
cache right now.

I greatly prefer session variables to cookies for security reasons, so
this is really bothersome. Can somebody please offer some insight?
Click to expand...

Thank you all very much for the replies. That helped to set my mind at
ease.

Just to add for future reference, I did learn about one possible
side-affect, which occurs when you're storing session variables on a
state server (this is obviously because ASP.NET has to read/write at
least once on every postback), however, the overhead can be circumvented
by, as Mark Fitzpatrick mentions, disabling session variables on pages
that don't require them. This can be done using the EnableSessionState
attribute (e.g., <%@ Page EnableSessionState="false" %>).

Reference:
http://msdn.microsoft.com/msdnmag/issues/06/07/WebAppFollies/default.aspx#S5

Thank you again,
 
Back
Top