Session in MVC.NET

Question

0.00/5 (No votes)

See more:

Hey!

I have question about security issues with session in MVC framework.
I am developing a web app and i HAVE to track users doings in this app
(what data they submit) so i need store this in session.

Getting some objects from session is not pretty since you do something like this every time:

C#

var some_object = (Session['some_key']!=null)?(some_type)Session['some_key']:{null_or_other_not_nullable_value_like-1};

In this case you have to remember session key to object and its type too.
Not nice and buggy inviting. Also you can get something from session only in controller... ouch.

So... I wrote abstract class SessionAdapter

C#

abstract class SessionAdapter
{
   public static HttpSessionState Session;
   private struct SessionKeys
   {
      public const string some_key = "some_key";
   }
   public static some_type GetSomeObject()
   {
       return (Session[SessionKeys.some_key]!=null)?some_type)Session[SessionKeys.some_key]:{null_or_other_not_nullable_value_like-1};
   }
}

Nice! But how I get a session in that class?
I write its field from Global.asax when app starts. That obvious.
So:

C#

public MvcApplication()
{
   //Add event handler
   AcquireRequestState += new EventHandler(SetSession);
}
{...}
void SetSession(object sender, EventArgs e)
{
   try
   {
       SessionAdapter.session = Session;
   }
   catch (HttpException error)
   {
       //do nothing
       //if session doesn't exist must not needed anyway
   }
}

Ouuuu beautifull!
Now i can get ANY session object ANYWHERE in my app with this global
abstract class! Yeah!

But... (Hmmm there are always buts...) Here goes my question:
What if in theory 2(or even more) users would be browsing page and, since static variable Session in SessionAdapter class is global for all users it can be overwriten when there be 2 or more request in the SAME time? They're sessions could be merge in one big, mess.
Is it big security flaw?
Situation like that will be very unlikely since 1 or 2 person will be using this app regularly, but if this solution will be as good as it's seem I prefer to reuse that in other apps.

So what u can tell me about this? Should I worried? Use that?
Solve that another way?

Posted 3-Nov-10 5:14am

n.podbielski

Add a Solution

2 solutions

Solution 1

When you add user data to the session, perhaps you could append some unique identifier (I don't mean a guid) to the key name so that you can differentiate between different user's data. It's a hack, but in my mind, so is a global static session object.

Posted 3-Nov-10 9:01am

fjdiewornncalwe

Comments

n.podbielski 3-Nov-10 19:22pm

But where store that id? There is no way for doing that. This is just walking in circles...

fjdiewornncalwe 4-Nov-10 7:29am

It has to be something associated with the user that will be constant during the session from their end. You could use their ip, logon(intranet), etc.

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

n.podbielski · Accepted Answer · 2012-10-12T02:33:00

From perspective of time I can say that was bad idea.
As I was afraid, sessions of diffrent users was merged at same point I don't know why (Murphys law I think).
So I make wrapping for session access:

C#

public static CourierDaySession GetCourierDaySession(this HttpSessionStateBase session)
        {
            var return_value = session[__SessionKeys.COURIER_DAY_SESSION] as CourierDaySession;
            if (return_value == null)
            {
                return_value = new CourierDaySession();
                session.SetCourierDaySession(return_value);
            }
            return return_value;
        }

        public static void SetCourierDaySession(this HttpSessionState session, CourierDaySession courier_day_session)
        { session[__SessionKeys.COURIER_DAY_SESSION] = courier_day_session; }

{...}

HttpContext.Current.Session.GetCourierDaySession()

Everything is in one Object stored in session and DB. No concurency problem and it's persistent since stored in DB at some point.