Hey!
I have a question about security issues with sessions in the MVC framework.
I am developing a web app and I HAVE to track users' doings in this app
(what data they submit), so I need to store this in the session.
Getting some objects from the session is not pretty, since you do something like this every time:
var some_object = (Session['some_key']!=null)?(some_type)Session['some_key']:{null_or_other_not_nullable_value_like-1};
In this case you have to remember the session key for the object and its type too.
Not nice and bug-inviting. Also, you can get something from the session only in a controller... ouch.
So... I wrote an abstract class SessionAdapter:
using System.Web.SessionState;

abstract class SessionAdapter
{
    // Filled once from Global.asax (see below); shared by every request in the process.
    public static HttpSessionState Session;

    // All session keys live in one place so callers never retype the string.
    private struct SessionKeys
    {
        public const string some_key = "some_key";
    }

    // Typed accessor: returns the stored object, or a fallback when the key is absent.
    // (some_type and the fallback are placeholders for the real type and value.)
    public static some_type GetSomeObject()
    {
        return (Session[SessionKeys.some_key] != null)
            ? (some_type)Session[SessionKeys.some_key]
            : default_value; // e.g. null, or -1 for a non-nullable type
    }
}
Nice! But how do I get a session into that class?
I write its field from Global.asax when the app starts. That's obvious.
So:
using System;
using System.Web;

public MvcApplication()
{
    // Hook the pipeline event in the HttpApplication constructor; it fires once per request
    // after the session has been loaded.
    AcquireRequestState += new EventHandler(SetSession);
}
{...}
void SetSession(object sender, EventArgs e)
{
    try
    {
        // Copy this request's session into the shared static field.
        SessionAdapter.Session = Session;
    }
    catch (HttpException)
    {
        // Session is unavailable for this request (e.g. a handler without session state).
    }
}
Ooooh, beautiful!
Now I can get ANY session object ANYWHERE in my app with this global
abstract class! Yeah!
But... (Hmmm, there are always buts...) Here goes my question:
What if, in theory, 2 (or even more) users were browsing the page? Since the static variable Session in the SessionAdapter class is global for all users, it can be overwritten when there are 2 or more requests at the SAME time. Their sessions could be merged into one big mess.
Is it a big security flaw?
A situation like that will be very unlikely, since 1 or 2 people will be using this app regularly, but if this solution is as good as it seems I'd prefer to reuse it in other apps.
So what can you tell me about this? Should I be worried? Use that?
Solve it another way?
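The race the question describes is real: AcquireRequestState runs on every request thread, so whichever request writes `SessionAdapter.Session` last wins, and a concurrent request from another user then reads (and writes) that user's session through the static field. The usual way to keep the "get it anywhere" convenience without the shared field is to resolve the session per request from `HttpContext.Current`, which ASP.NET binds to the request being processed on the current thread. The following is an added example, not the original poster's code; it keeps the SessionKeys convention from the post, assumes it runs inside a System.Web (ASP.NET) request pipeline with session state enabled, and the key name `submitted_count` and the `SubmittedCount` accessor are illustrative placeholders. No Global.asax hook is needed with this version.

```csharp
// Added example (not the original poster's code): per-request session access
// instead of a process-wide static field.
using System;
using System.Web;
using System.Web.SessionState;

public static class SessionAdapter
{
    // Same convention as the original post: keys live in one place.
    private static class SessionKeys
    {
        public const string SubmittedCount = "submitted_count"; // assumed key name
    }

    // HttpContext.Current is bound to the request on the current thread, so this
    // property always yields the calling user's own session, never another user's.
    private static HttpSessionState CurrentSession
    {
        get
        {
            HttpContext ctx = HttpContext.Current;
            if (ctx == null || ctx.Session == null)
            {
                // Outside a request, or a handler without session state: fail loudly
                // rather than silently handing back stale or foreign data.
                throw new InvalidOperationException(
                    "No session is available for the current request.");
            }
            return ctx.Session;
        }
    }

    // Typed read: false (and default(T)) when the key is absent or holds another type,
    // so callers no longer repeat the null-check-and-cast dance from the question.
    public static bool TryGet<T>(string key, out T value)
    {
        object raw = CurrentSession[key];
        if (raw is T)
        {
            value = (T)raw;
            return true;
        }
        value = default(T);
        return false;
    }

    public static T GetOrDefault<T>(string key, T fallback)
    {
        T value;
        return TryGet(key, out value) ? value : fallback;
    }

    public static void Set<T>(string key, T value)
    {
        CurrentSession[key] = value;
    }

    // Typed accessor in the style of the original GetSomeObject(), using -1 as the
    // "nothing stored yet" sentinel for a non-nullable value.
    public static int SubmittedCount
    {
        get { return GetOrDefault(SessionKeys.SubmittedCount, -1); }
        set { Set(SessionKeys.SubmittedCount, value); }
    }
}
```

Usage from anywhere that runs inside a request (a controller, a filter, a helper class) is `SessionAdapter.SubmittedCount++` or `SessionAdapter.TryGet<MyType>("key", out obj)`. The design point is that nothing about the session is cached in static state; the static class is only a typed facade over whatever `HttpContext.Current` hands back for the request that is actually executing, so two simultaneous users cannot overwrite each other's data through it.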