|
Best Practices - User Data & Sessions?
Hello,
I am hoping to get some guidance on the following scenerio: I have a password protected site where users have various permissions. Are sessions the best way of storing the user's id? And if so, on load of a page should I be hitting the database for their permissions (based on the session stored user id), or should everything I need be stored in session variables to save the trip to the database? I have also wondered about serializing the user object and sending it from page to page, but I have no idea as to what the 'official' or 'best' practice is for maintaining this kind of data from page to page. Any help would be greatly appreciated. |
Re: Best Practices - User Data & Sessions?
<at_the_gonq@hotmail.com> wrote in message
news:1189715457.324710.171650@y42g2000hsy.googlegr oups.com... > I am hoping to get some guidance on the following scenerio: > > I have a password protected site where users have various > permissions. Are sessions the best way of storing the user's id? And > if so, on load of a page should I be hitting the database for their > permissions (based on the session stored user id), or should > everything I need be stored in session variables to save the trip to > the database? I have also wondered about serializing the user object > and sending it from page to page, but I have no idea as to what the > 'official' or 'best' practice is for maintaining this kind of data > from page to page. > > Any help would be greatly appreciated. I don't think there is any sort of 'best practice' guidelines for this, so here's what I usually do... Application object Use for high-level lookup data which will change only very infrequently, e.g. country codes, currency codes, public holidays etc. However, this is really only sensible if the data will be used very frequently by a significant number of pages within the web app. E.g. if you have a web app with 200 pages and only one or two of those need to refer to public holidays, there's little point in caching the data in the Application object. Session object Use for lookup data which is highly unlikely to change throughout the duration of a session and which is used by many pages. As you mention, metadata about the currently logged-on user is usually a good candidate for storage in the Session object. However, I *never* pass Session data between pages - there's no point at all, as Session is available to all pages anyway... Try not to use the SessionID for any sort of reference, as it's not 100% guaranteed to be unique across all scenarios. There should be no need to use the SessionID for anything anyway, as it's not meaningful data. E.g my current SessionID is "X" but yesterday it was "Y" - so what... :-) Also, bear in mind that when you use inproc sessions, every piece of data you store in the Session object eats away at the total amount of memory... Obviously, modern webservers tend to have bags of memory anyway, but it's still something to consider... I've seen installations where the webserver had 512Mb RAM, and each user's Session was over 1Mb big - a few hundred concurrent users and the thing will grind to a halt very quickly... Finally, if you use SQL Server to persist your Session objects, the above is slightly irrelevant as you'll be hitting the database no matter what you do... This again needs a bit of planning because e.g. Session_End doesn't fire if you're not using inproc sessions... -- Mark Rae ASP.NET MVP http://www.markrae.net |
Re: Best Practices - User Data & Sessions?
Thank You! This is exactly what I was looking for :) On Sep 13, 4:51 pm, "Mark Rae [MVP]" <m...@markNOSPAMrae.net> wrote: > <at_the_g...@hotmail.com> wrote in message > > news:1189715457.324710.171650@y42g2000hsy.googlegr oups.com... > > > I am hoping to get some guidance on the following scenerio: > > > I have a password protected site where users have various > > permissions. Are sessions the best way of storing the user's id? And > > if so, on load of a page should I be hitting the database for their > > permissions (based on the session stored user id), or should > > everything I need be stored in session variables to save the trip to > > the database? I have also wondered about serializing the user object > > and sending it from page to page, but I have no idea as to what the > > 'official' or 'best' practice is for maintaining this kind of data > > from page to page. > > > Any help would be greatly appreciated. > > I don't think there is any sort of 'best practice' guidelines for this, so > here's what I usually do... > > Application object > Use for high-level lookup data which will change only very infrequently, > e.g. country codes, currency codes, public holidays etc. However, this is > really only sensible if the data will be used very frequently by a > significant number of pages within the web app. E.g. if you have a web app > with 200 pages and only one or two of those need to refer to public > holidays, there's little point in caching the data in the Application > object. > > Session object > Use for lookup data which is highly unlikely to change throughout the > duration of a session and which is used by many pages. As you mention, > metadata about the currently logged-on user is usually a good candidate for > storage in the Session object. However, I *never* pass Session data between > pages - there's no point at all, as Session is available to all pages > anyway... > > Try not to use the SessionID for any sort of reference, as it's not 100% > guaranteed to be unique across all scenarios. There should be no need to use > the SessionID for anything anyway, as it's not meaningful data. E.g my > current SessionID is "X" but yesterday it was "Y" - so what... :-) > > Also, bear in mind that when you use inproc sessions, every piece of data > you store in the Session object eats away at the total amount of memory... > Obviously, modern webservers tend to have bags of memory anyway, but it's > still something to consider... I've seen installations where the webserver > had 512Mb RAM, and each user's Session was over 1Mb big - a few hundred > concurrent users and the thing will grind to a halt very quickly... > > Finally, if you use SQL Server to persist your Session objects, the above is > slightly irrelevant as you'll be hitting the database no matter what you > do... This again needs a bit of planning because e.g. Session_End doesn't > fire if you're not using inproc sessions... > > -- > Mark Rae > ASP.NET MVPhttp://www.markrae.net |
Re: Best Practices - User Data & Sessions?
On Thu, 13 Sep 2007 13:30:57 -0700, at_the_gonq@hotmail.com wrote:
>Hello, > >I am hoping to get some guidance on the following scenerio: > >I have a password protected site where users have various >permissions. Are sessions the best way of storing the user's id? Are you using forms authentification? I rely on the UserData property of the FormsAuthentificationTicket; and I rewrite the tickets (to the cookie) at the start of each new session; after having confirmed the user roles from the database (at the start of the session - in the AuthenticateRequest event.) >And if so, on load of a page should I be hitting the database for their >permissions (based on the session stored user id), or should >everything I need be stored in session variables to save the trip to >the database? You only need to hit the database for user information at the start of a session; but there is a SqlRoleProvider, should you want it. >I have also wondered about serializing the user object >and sending it from page to page, but I have no idea as to what the >'official' or 'best' practice is for maintaining this kind of data >from page to page. > >Any help would be greatly appreciated. You probably don't need to specifically serialize any user objects. But you can have custom user objects if you want and these can then be managed as per the default. Lookup "Role Manager", IPrincipal, RolePrincipal class, GenericPrincipal and AuthenticateRequest. <http://www.codeproject.com/aspnet/formsroleauth.asp> <http://www.codeproject.com/aspnet/aspnet2security.asp> Stefan Schackow has an entire book available called "Professional ASP.NET 2.0 Security, Membership, and Role Management"; which is an amazing 608 pages! Hard to figure why it needed to be so large; but it is pretty comprehensive; but not incredibly practical from a cook-book point of view. It's hard to recommend this book; the index is not very good and what use is a reference book without a very good index? |
| All times are GMT. The time now is 09:26 PM. |
Powered by vBulletin®. Copyright ©2000 - 2013, vBulletin Solutions, Inc.
SEO by vBSEO ©2010, Crawlability, Inc.