Is there a different between session -with mode sqlServer- and Profile ? and who gives us best performance ?
Of course that there is a difference: SQLServer SessionState mode means that everything you put in the ASP.NET Session (not only user profile data) will get serialized and persisted in a SQL Server database, whereas the Profile could be persisted wherever you configure it to. There are out-of-the-box profile providers that persist the information in SQL Server. Definitely go with a profile. Don't use ASP.NET Sessions at all. The best ASP.NET SessionState mode is the following:
<sessionState mode="Off" />
I'd recommend you to always use it. It will make your web application stateless, the way they should be.
Related
I was wondering if in ASP.NET MVC5 are the session's identifiers Protected by default ? ( like example are the session IDs are not recoverable via JavaScript or any other browser scripts?)
Also ,does the server side offer security concerning the storage of information?
I was wondering if those features comes by default in the MV5 asp.net framework , or should I implement my own security measures
Because if we read the MSDN
inProc mode, which stores session state in memory on the Web server. This is the default.
StateServer mode, which stores session state in a separate process called the ASP.NET state service. This ensures that session state is preserved if the Web application is restarted and also makes session state available to multiple Web servers in a Web farm.
But the real question is , are they encrypted by default?
thank you
All session data in the MVC frameworks are stored on server side . By means , if you want to secure them .Try encrypting them locally so once they get transferred to the server they remain secured more details are explained here :
https://msdn.microsoft.com/en-us/library/ms178586.aspx
Can ASP.NET applications in a common application pool share session information if they are in separate threads in a single worker process? One of my applications is having issues related to not having any of the session information it needs from the other application, but I used Trace.axd to confirm that requests to each application are using the same session identifier.
I resolved the issues we were experiencing by making our applications "cookieless".
I updated the web.config file for the applications as follows:
<!--sessionState mode="InProc" cookieless="false" timeout="30" /-->
<sessionState mode="InProc" cookieless="true" timeout="30" />
If anyone can explain why this works, I would appreciate the education.
Thank you to all who offered suggestions.
ASP.NET session is scoped "within" application if using out-of-the-box session providers, so each application will have its own session even if the session id/key value appears to be the same. But since the requests to each application are using the same session identifier value, you appear to be well set to implement a custom SessionStateStoreProvider that can store/retrieve data using this identifier across both applications.
You could also have a look at Sharing sessions across applications using the ASP.NET Session State Service, but since this approach involves modifying the workings of the stock SQL session store provider, you'd risk spillover effects on other sites/applications.
I thik it could be helpfull Sharing Aspnet Session across different domains there's no other way.
you cannot share a session between different domain.
there's another solution that could be pass all data via querystring to the other domain so it can rebuild the right session values.
Personally i will invite you to use encrypted value to be sure that are not visibile if you will choose GET option.
I am creating a simple web management studio using SMO. Is it secure enough to persist/store user information (login and password for database) using ASP.NET mechanism (e.g. formsauthentication, cookies, etc.).
What will be the best practice to do this?
thanks
Yes it is very secure but you must consider this:
User requireSSL = true
cookieless = false
enableCrossAppRedirects=false
httpOnlyCookies="true"
also for the role manager do not cache the roles in cookie
<roleManager enabled="true" cacheRolesInCookie="false">
non "out of the box" system is 100% what you looking for, and you maybe need to think what other extra messure you need to take for make it even more secure.
Also you can open the database and see what informtions is stored on it, to see if are meet your requirements. The password is not saved, but the salt of it, so you can not read it, and it save is the email/name of your user.
Some extra reference
http://msdn.microsoft.com/en-us/library/ff650037.aspx
http://weblogs.asp.net/scottgu/archive/2006/02/24/ASP.NET-2.0-Membership_2C00_-Roles_2C00_-Forms-Authentication_2C00_-and-Security-Resources-.aspx
http://msdn.microsoft.com/en-us/library/ms972969.aspx
http://msdn.microsoft.com/en-us/magazine/cc163807.aspx
I'm going to ask a user to login first, then when I'm going to save information I'm going to have to save the information and associate it with the logged in user.
How should I handle this with session?
Why not use the ASP.NET Membership toolkit that's already integrated into ASP.NET? (well, integrated sorta)
You could just use Response.Cookies http://msdn.microsoft.com/en-us/library/78c837bd.aspx
By default, Session uses memory storage on the server, and identifies the data using an identifier cookie.
You could optionally store everything in cookies, which is particularly useful if you have more than one web server. However, you shouldn't store sensitive data there.
Web.Config for InProc session:
<configuration>
<sessionstate mode="inproc" cookieless="false" timeout="20"/>
</configuration>
VB for using session
Session("Key") = value
If you're only looking to store the UserName, I suggest using the ASP.NET Membership (https://web.archive.org/web/20211020202857/http://www.4guysfromrolla.com/articles/120705-1.aspx). It will automagically take care of your authentication and give you access to a user's Identity whenever they send a request to the server.
I have my default website in IIS7 bound to an ASP.NET application. This application is using the ASP.NET State Server to store session data. I would like to add an additional ASP.NET MVC application to this website. Is it possible to share the session between these two applications using the state server? I've read that there are ways to do it storing session data in SQL Server, but I can't find any documentation on doing it with the state server.
Thanks,
Nathan
Best advice I have to to switch to SQL Server for the session state store. It's not difficult to set up if you already have SQL Available and use the following technique:
Sharing sessions across applications using the ASP.NET Session State Service
For this situation you are probably best to write your own custom session state provider that runs on a SQL database.
details are here:
http://msdn.microsoft.com/en-us/library/aa479034.aspx
the reason i'd write a custom provider is because simply settings up an SQL session provider will not be enough as the applications will use different session keys and therefore will not share state between them. by writing your own session provider you can have fine grained control over the whole process and therefore override the checks in place using the default sql session provider.