Re: Going sessionless (and cookie limitations)

Tech-Archive recommends: Fix windows errors by optimizing your registry

Hi, Jon.

re:
I just got hired by a company that told me their web site is sessionless to cut down on the
overhead of using SQL Server or a state server to host session state information.

Ask them whether they prefer a bit of overhead...or a safe server.

Print out, or point them to, this article by Dino Esposito:
http://msdn.microsoft.com/asp.net/default.aspx?pull=/library/en-us/dnaspp/html/cookieless.asp

Really, using State Server doesn't qualify as a lot of "overhead",
considering what State Server does for a web farm.

SQL Server might be overhead (considering what it costs)
but State Server is free, and doesn't require gobs of server resources.

Read the article/download the code by Jeff Prosise. It's a security eye-opener:
http://msdn.microsoft.com/msdnmag/issues/04/08/WickedCode/default.aspx
His SecureSessionModule foils most session hijacking attempts.




Juan T. Llibre, asp.net MVP
aspnetfaq.com : http://www.aspnetfaq.com/
asp.net faq : http://asp.net.do/faq/
foros de asp.net, en español : http://asp.net.do/foros/
===================================
"Jon Davis" <jon@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:OQskaJZ1GHA.2036@xxxxxxxxxxxxxxxxxxxxxxx
Does anyone know of a best practices or common practices article URL for implementing a
sessionless web farm while still managing user logins, etc.?

I just got hired by a company that told me their web site is sessionless to cut down on the
overhead of using SQL Server or a state server to host session state information. I've been
scratching my head to try to figure out what the ramifications are, and what methodologies could
be used to retain common functionality such as user login support without imposing a security
risk.

I'm assuming cookies are used for the entire "session" but then my question becomes what
limitations still exist for cookies? Don't they support only a very, VERY small name/value size
and a very small record count?

Jon



.

Relevant Pages

  • Re: Session Timeout Problem
    ... Juan T. Llibre, asp.net MVP ... and select the Application Pool in which your app runs. ... You don't say whether you tried using State Server. ... the loss of session variables due to Application/App Pool recycling. ...
    (microsoft.public.dotnet.framework.aspnet)
  • Re: Saving DataTable to session vs saving a Custom object.
    ... that is when a state server or a ... SQL Server is being used to maintain state. ... SQL Server in order to retrieve the previously saved session ... My rationale is because the DataTable, like I said, serializes as a ...
    (microsoft.public.dotnet.languages.csharp)
  • Re: Session Timeout Problem
    ... You don't say whether you tried using State Server. ... the loss of session variables due to Application/App Pool recycling. ...
    (microsoft.public.dotnet.framework.aspnet)
  • ASP.NET High memory usage
    ... We also grouped low level sites into 2 application pool. ... The main object is kept in session, and we also have some more tiny ... How can we measure the total session memory consumption for a worker ... Will it help us to have a session state server & web gardening? ...
    (microsoft.public.dotnet.framework.performance)
  • Re: asp.net Session vs Database Queries
    ... In our application we are using asp.net tree view to display hierarchical data and when user clicks on particular node it brings up totally different page with all the asp.net controls dynamically generated. ... OR Should all the data be accessed initially loaded into Session Variable before building Tree View and when user access Node Student 2, just get it from Session Variable. ... You can use SQL Server as a state server, which you set that up through the Web.config, you set up SQL server to be a state server with the .Net Utility that does configuration. ...
    (microsoft.public.dotnet.languages.csharp)