Static methods in a class - okay in this situation?

Question

Hey all - I have an app where I'm authenticating the user. They pass username and password. I pass the username and password to a class that has a static method. For example it'm calling a method with the signature below:

public class Security
{
public static bool Security.Member_Authenticate (string username, string password) 
{ //do stuff}
}

If I have 1000 people hitting this at once, will I have any problems with the returns of the method bleeding into others? I mean, since the methods are static, will there be issues with the a person getting authenticated when in fact they shouldn't be but the person before them was successfully authenticated ASP.Net returns a mismatched result due to the method being static? I've read of issues with static properties vs viewstate but am a bit confused on static methods. If this is a bad way of doing this,what's the prefered way?

Answer 1

This will not happen. When a method is Static (or Shared in VB.NET), then you're safe as long as the method doesn't rely on anything other than the inputs to figure something out. As long as you're not modifying any public variables or objects from anywhere else, you're fine.

Answer 2

A static method is just fine as long as it is not using any of persistent data between successive calls. I am guessing that your method simply runs a query on the database and returns true/false based on that.

In this scenario, I think the static method should work without a problem, regardless of how many calls you make to it.

Answer 3

ASP.net does use all sorts of under-the-hood thread pooling, which can make static methods and fields dicey.

However, you can avoid most threading issues with a static method by using only locally-scoped variables in that method. That way, each thread (user) will have their own in-memory copy of all the variables being used.

If you use higher-scoped variables, make sure to make all access to them thread-conscious.

Answer 4

Maybe it's better to use public static void Authenticate(string, string) which throws an exception if something goes wrong (return false in original method) ?

This is a good .NET style. Boolean function return-type is the C style and is obsolete.

Answer 5

Throwing exceptions is not a good practice as it makes the .net runtime to create extra infrastructure for catching them. To verify this create a class and and populate it with some random values using a loop. Make the loop iterate for a large counter like 10,000. Record the time it takes to create the list. Now enclose the instance creation in a try..catch block and record the time. Now, you can see the exceptionally large difference.

e.g

for(int i=0; i<10000; i++){
     Employee emp = new Employee();
     emp.Name = "Random Name" + i.ToString();
}

Versus

for(int i=0; i<10000; i++){
     try{
          Employee emp = new Employee();
          emp.Name = "Random Name" + i.ToString();
     }catch{}
}

Although there is no fixed solution whether to throw exception or not, it is a best practice to create alternate flows in your program and handle every condition with proper return values. Exceptions should be thrown only when the situation can be justified as exceptional.

Answer 6

While I can see the value of the static method in regards to the perceived performance gains, I believe the real issue here is whether the gains (and risks) are worth the maintenance kludge and security weakness you are potentially creating. I believe that most people would warn you away from providing a public method that accepts an user credentials and returns success or failure. It potentially provides an easy a method for hacking.

So, my point is philosophical. Otherwise, I agree with others who have pointed out that restricting the code to use local variables should ensure that you do not have any problems with side effects due to concurrent access of the method, even on different threads, i.e., if you invoke the method on a ThreadPool thread.

Answer 7

Why don't you have the user class with username and password and a method that is called authenticate?