[Mono-list] Cross-Browser Session Mixing

Jonathan Pryor jonpryor at vt.edu
Mon Jul 11 07:21:59 EDT 2005

On Mon, 2005-07-11 at 06:46 -0400, David P. Donahue wrote:
> As for using the IP address, that's entirely a matter of how .NET 
> internally maintains sessions.  All I do is create a list of session 
> variables (HttpContext.Current.Session["variableName"]) on Session_Start 
> and use those throughout the session to have certain pieces of 
> information follow the user so that each page can access that 
> information.  When I began developing .NET websites, this seemed like an 
> easy and effective way to do this.  Does anyone have a suggestion for a 
> better way?

Somewhere I found a link describing the problems with Sessions.  (It was
in the context of JSP apps, but it holds true for ASP.NET and any other
Session mechanism).  Summary: sessions kill scalability.  Why?  Because
session state must be unique, which means that all of your ASP.NET
servers need access to it, thus creating a bottleneck/single point of
failure on the Session.  For one ASP.NET server, things are great, but
as you try to scale out by adding additional servers, you increase
contention on the Session state, and things don't scale as well as you
might like.

(There are "hacks" such as HTTP redirectors which send a user to the
same server, thus allowing the use of local sessions, but if that server
goes down, *poof* goes the session state....  And isn't have > 1 server
needed for reliability?)

So what do you do without sessions?  Bundle all required data inside
each page, either in the URL (yuck) or as a set of hidden form

	<input type="hidden" name="Foo" value="Bar"/>

This doesn't work for all apps -- it depends on how much you need to
store in your pseudo-session -- but it has the added "benefit" that each
browser window has a separate session, since cookies aren't used.

 - Jon

More information about the Mono-list mailing list