Click here to Skip to main content
15,669,524 members
Please Sign up or sign in to vote.
0.00/5 (No votes)
See more:

I have question about security issues with session in MVC framework.
I am developing a web app and i HAVE to track users doings in this app
(what data they submit) so i need store this in session.

Getting some objects from session is not pretty since you do something like this every time:

var some_object = (Session['some_key']!=null)?(some_type)Session['some_key']:{null_or_other_not_nullable_value_like-1};

In this case you have to remember session key to object and its type too.
Not nice and buggy inviting. Also you can get something from session only in controller... ouch.

So... I wrote abstract class SessionAdapter

abstract class SessionAdapter
   public static HttpSessionState Session;
   private struct SessionKeys
      public const string some_key = "some_key";
   public static some_type GetSomeObject()
       return (Session[SessionKeys.some_key]!=null)?some_type)Session[SessionKeys.some_key]:{null_or_other_not_nullable_value_like-1};

Nice! But how I get a session in that class?
I write its field from Global.asax when app starts. That obvious.

public MvcApplication()
   //Add event handler
   AcquireRequestState += new EventHandler(SetSession);
void SetSession(object sender, EventArgs e)
       SessionAdapter.session = Session;
   catch (HttpException error)
       //do nothing
       //if session doesn't exist must not needed anyway

Ouuuu beautifull!
Now i can get ANY session object ANYWHERE in my app with this global
abstract class! Yeah!

But... (Hmmm there are always buts...) Here goes my question:
What if in theory 2(or even more) users would be browsing page and, since static variable Session in SessionAdapter class is global for all users it can be overwriten when there be 2 or more request in the SAME time? They're sessions could be merge in one big, mess.
Is it big security flaw?
Situation like that will be very unlikely since 1 or 2 person will be using this app regularly, but if this solution will be as good as it's seem I prefer to reuse that in other apps.

So what u can tell me about this? Should I worried? Use that?
Solve that another way?

When you add user data to the session, perhaps you could append some unique identifier (I don't mean a guid) to the key name so that you can differentiate between different user's data. It's a hack, but in my mind, so is a global static session object.
Share this answer
n.podbielski 3-Nov-10 19:22pm    
But where store that id? There is no way for doing that. This is just walking in circles...
fjdiewornncalwe 4-Nov-10 7:29am    
It has to be something associated with the user that will be constant during the session from their end. You could use their ip, logon(intranet), etc.
From perspective of time I can say that was bad idea.
As I was afraid, sessions of diffrent users was merged at same point I don't know why (Murphys law I think).
So I make wrapping for session access:

public static CourierDaySession GetCourierDaySession(this HttpSessionStateBase session)
            var return_value = session[__SessionKeys.COURIER_DAY_SESSION] as CourierDaySession;
            if (return_value == null)
                return_value = new CourierDaySession();
            return return_value;

        public static void SetCourierDaySession(this HttpSessionState session, CourierDaySession courier_day_session)
        { session[__SessionKeys.COURIER_DAY_SESSION] = courier_day_session; }



Everything is in one Object stored in session and DB. No concurency problem and it's persistent since stored in DB at some point.
Share this answer

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900