What kinds of data should never be kept in a session?
+2
A:
This link can also be useful: ASP.NET 2.0 Performance Inspection Questions - Session State
Rubens Farias
2010-02-02 01:03:03
+2
A:
This answer is for PHP Sessions.
If you mean $_SESSION, well it is stored on the hard drive, so it is not immediately available in anything like the cookies.
However, on a shared host, it can sometimes be trivial to access session files from other websites.
I would not store anything in the session you wouldn't want anyone else on your shared host to see.
alex
2010-02-02 01:03:21
+7
A:
I really wish it was clearer what kind of session you mean. Depending on the answer, I can come up with a couple:
- Passwords of any sort
- Large amounts of data, especially 4 GB+ on a 32-bit OS (guaranteed out of memory if it has to be loaded into RAM)
- Executable code
- Raw SQL
- Swear words
- Things likely to get government agencies angry ("Free Tibet" in China, threats to the president in the US)
- Your bank account PIN or credit card number
- A rabid badger. Actually, ANY kind of badger.
BobMcGee
2010-02-02 01:13:15
+1 for reminder of how dangerous badgers can be inside a web server
yodaj007
2010-02-02 02:02:37
@yoda: you only need to get hit by a single badger injection exploit before you learn to sanitize and thoroughly pulverize your input. Also to carry a heavy flashlight when investigating usual noises in the server room.
BobMcGee
2010-02-02 02:17:31
Badgers? Badgers?!? We don't need no stinkin' badgers!
Jesse Weigert
2010-02-02 02:42:46
+1 for Swear words.
fastcodejava
2010-02-02 03:03:20
A:
You can store anything in Session as long as you keep the SessionMode="InProc" in the web.config. This stores any session data in the web server's memory in a user specific context.
However, if you want to scale up one day and run your web app in a farm, you will have to use another SessionMode. Then you can't any longer store objects of complex types that are not serializable (unfortunately, dictionaries are a common candidate) and you will have to change your design.
herzmeister der welten
2010-02-02 01:26:52
Multiple GB of data *might* pose a problem in this case. Especially if on a 32-bit webserver (theoretically possible).
BobMcGee
2010-02-02 02:18:45
The 2nd paragraph is why I *always* use `<sessionState mode="StateServer" ... />` - I'll get an error as soon as I try and store a non-serializable object.
devstuff
2010-02-02 03:16:24
A:
- DataSets: Serialising a dataset to store in session can take up an order of magnitude more memory than the dataset itself (i.e. a 1MB dataset can need 20MB to serialise/deserialise, and it does that on every request).
- Controls: Storing controls (and their collections) in session means that ASP.NET can't clean them up properly at the end of the page request, leading to memory leaks.
See Tess Ferrandez's blog for other examples of things you should never put in session, along with reasons why.
Zhaph - Ben Duguid
2010-02-02 01:59:57
+1
A:
This can be a pretty subjective question. Anything that's serializable can be stored in session, technically. But there are definitely scenarios where you don't want to add things to session. Complex objects, objects that have large collections as properties, etc. All these things are serialized into byte arrays and kept in memory (for InProc Session State) and then deserialized when needed in code again. The more complex the object, the more resource intensive it can get to go back and forth.
Depending on how many users you have, you may wish to limit the number of items that go into session and perhaps use ViewState or other means of persistence. If it's truly something meant for multiple pages, then it's probably a good candidate for session. If it's only used in a page or two, then ViewState, QueryString, etc. may be better.
Chris Conway
2010-02-02 02:01:07
A:
Stock tips, pirated CDs, full-length movies (except "Clerks", that movie was awesome), analog information, ...
This question seems kind of vague -- I can think of countless kinds of information that shouldn't be stored in the session!
Ken
2010-02-02 02:55:23
+2
A:
If possible, store nothing in the Session. It is an unreliable way to maintain state, especially if you need to move to a web farm. Also, I believe it encourages poor design. HTTP is stateless, and web sites should be designed in a way where you assume that for any request, you could be starting over from scratch.
Jacob
2010-02-02 03:00:40
I agree with Jacob. If your requests are stateless, it makes the site much easier to test.
0sumgain
2010-02-02 03:18:26
@Chris, even for user sessions, you cannot rely on them 100%. At any point, a node in the farm could be removed, thereby wiping out any in-memory sessions stored there. You can, of course, store sessions in a database, but you'd might as well use real tables with a defined schema at that point.
Jacob
2010-02-02 03:25:58