Going sessionless (and cookie limitations)

Does anyone know of a best practices or common practices article URL for
implementing a sessionless web farm while still managing user logins, etc.?

I just got hired by a company that told me their web site is sessionless to
cut down on the overhead of using SQL Server or a state server to host
session state information. I've been scratching my head to try to figure out
what the ramifications are, and what methodologies could be used to retain
common functionality such as user login support without imposing a security
risk.

I'm assuming cookies are used for the entire "session" but then my question
becomes what limitations still exist for cookies? Don't they support only a
very, VERY small name/value size and a very small record count?

Jon
Sep 11 '06 #1
I don't believe cookies are limited to minuscule data.
In the same respect I wouldn't keep large datasets in there either.
Rather use a unique user id that can retrieve info from the database.

Regarding security just ensure your cookie is properly encrypted,
and expires in a timely manner.

HTH

Sep 11 '06 #2
I think you end up spending a great deal more time in solving the
cookieless problem than you would if you use a load balancer which
maintained sticky sessions.

The sticky sessions will ensure the same web user reaches the same
server in the web farm so they reconnect with the same session. You
will not have to deal with additional database load because your
sessions are local to each machine in the web farm, not shared with a
central database.

Most decent load balancer hardware supports sticky sessions.

After attempting to force ASP.NET applications to survive in a
cookieless mode, I learned it is best to avoid it whenever possible.

Brennan Stehling
http://brennan.offwhite.net/blog/

Sep 11 '06 #3
Hi, Jon.

re:
I just got hired by a company that told me their web site is sessionless to cut down on the
overhead of using SQL Server or a state server to host session state information.
Ask them whether they prefer a bit of overhead...or a safe server.

Print out, or point them to, this article by Dino Esposito:
http://msdn.microsoft.com/asp.net/de...cookieless.asp

Really, using State Server doesn't qualify as a lot of "overhead",
considering what State Server does for a web farm.

SQL Server might be overhead (considering what it costs)
but State Server is free, and doesn't require gobs of server resources.

Read the article/download the code by Jeff Prosise. It's a security eye-opener:
http://msdn.microsoft.com/msdnmag/is...e/default.aspx
His SecureSessionModule foils most session hijacking attempts.


Juan T. Llibre, asp.net MVP
aspnetfaq.com : http://www.aspnetfaq.com/
asp.net faq : http://asp.net.do/faq/
foros de asp.net, en español : http://asp.net.do/foros/
===================================
Sep 11 '06 #4
Thank you, Juan, for providing links to articles which is what I asked for.

Guys, one question and concern that remains is that it was explained to me
that the benefit of using cookies to host all session information rather
than using the ASP.NET session object to store state information was to
eliminate the traffic going from the web servers to the state server or SQL
Server. Is it just me or is this conclusion littered with fallacies? Don't
all cookies get sent with every web page hit--indeed, with every HTTP
request for every object on the same host/domain, including images and
scripts? Doesn't that mean that a cookie-based solution imposes the same
network hit, only instead of spawning network overhead behind the firewall
on the LAN, you're imposing the network overhead on each HTTP request over
the Internet, multiplied by the number of objects loaded from the same
host/domain?

So in other words, couldn't the bandwidth issue on the server side be
alleviated by purchasing some 10GB/s Ethernet cards and a 10GB switch? Then
as far as memory is concerned, why not just install a 64-bit operating
system on 64-bit hardware with, say, 16GB of RAM or more, and multiple Xeon
multi-core processors?

There is just so much one takes for granted in a Session-based server
environment, I'm not sure what the caveats are, but more so I'm not sure
what the point was.

- Jon
Sep 13 '06 #5
Thus wrote Jon,
> Thank you, Juan, for providing links to articles which is what I asked
> for.
>
> Guys, one question and concern that remains is that it was explained
> to me that the benefit of using cookies to host all session
> information rather than using the ASP.NET session object to store
> state information was to eliminate the traffic going from the web
> servers to the state server or SQL Server. Is it just me or is this
> conclusion littered with fallacies? Don't all cookies get sent with
> every web page hit--indeed, with every HTTP request for every object
> on the same host/domain, including images and scripts? Doesn't that
> mean that a cookie-based solution imposes the same network hit, only
> instead of spawning network overhead behind the firewall on the LAN,
> you're imposing the network overhead on each HTTP request over the
> Internet, multiplied by the number of objects loaded from the same
> host/domain?
No, you're confusing spending extra bandwidth (for cookies) with adding another
network hit in your LAN.

Cookies are just part of your usual request/response exchange and simply
inflate a request's or response's size by up to 4 kB per cookie. Accessing
a state server means leaving process boundaries, hitting the network, marshalling
data, etc. A normal page that uses session state will actually access the
database *twice* -- to acquire session state and write it back after processing.
If you're setting the EnableSessionState attribute in a page directive to
readonly or false, you can reduce or eliminate these extra hits on the state
server, but of course this limits your access to session state in such a
page as well.

Cheers,
--
Joerg Jooss
ne********@joergjooss.de
Sep 19 '06 #6
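As an added example, not code from the thread or from any of the posters, here is the design that reply #2 recommends (cookie holds only a unique user id, expires in a timely manner, cryptographically protected) with the size reality that reply #6 describes (the cookie rides on every request and is capped at roughly 4 kB by the browser) enforced in code. It is written in Python rather than ASP.NET so that it runs stand-alone. Everything in it is constructed: the key, the `uid`/`exp` field names, the helper names, and the choice to use HMAC-SHA256 signing instead of encryption, which is enough because the payload carries nothing confidential; an AEAD such as AES-GCM would be the tool if secret fields were ever added.

```python
"""Stateless login cookie carrying only a user id and an expiry.

Constructed example, not code from the thread. Standard library only:
HMAC-SHA256 for integrity (the payload holds nothing secret, so an AEAD
such as AES-GCM is only needed if confidential fields are added) and a
size cap matching the roughly 4 kB per-cookie browser limit.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Browser limit quoted in the thread: about 4 kB per cookie.
MAX_COOKIE_BYTES = 4096

# Assumption: every server in the farm loads the same key from a secret
# store; that shared key is what lets any machine validate any cookie.
SERVER_KEY = b"constructed-demo-key-do-not-use-in-production"


def _b64(data: bytes) -> str:
    """Unpadded base64url, safe to put in a cookie value."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_cookie(user_id: str, ttl_seconds: int, key: bytes = SERVER_KEY,
                 now: Optional[float] = None) -> str:
    """Build 'payload.signature'. Only {uid, exp} go in; data stays in the database."""
    now = time.time() if now is None else now
    claims = {"uid": user_id, "exp": int(now) + ttl_seconds}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode("utf-8"))
    sig = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    token = f"{body}.{_b64(sig)}"
    if len(token) > MAX_COOKIE_BYTES:
        raise ValueError("cookie over 4 kB: keep the data server-side, cookie only an id")
    return token


def verify_cookie(token: str, key: bytes = SERVER_KEY,
                  now: Optional[float] = None) -> Optional[str]:
    """Return the user id if signature and expiry check out, otherwise None."""
    now = time.time() if now is None else now
    try:
        body, sig_text = token.split(".", 1)
        expected = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
        # Constant-time compare: a timing leak would let the MAC be guessed byte by byte.
        if not hmac.compare_digest(expected, _unb64(sig_text)):
            return None
        claims = json.loads(_unb64(body))
    except (ValueError, UnicodeDecodeError):
        # Covers malformed tokens, bad base64 (binascii.Error) and bad JSON.
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    uid = claims.get("uid")
    return uid if isinstance(uid, str) else None


def cookie_bytes_per_page(token: str, objects_on_page: int) -> int:
    """Jon's point: the cookie rides on every request for every object on the page."""
    return len(token.encode("ascii")) * objects_on_page


if __name__ == "__main__":
    tok = issue_cookie("alice", ttl_seconds=1800)
    print(tok)
    print(verify_cookie(tok))
    print(cookie_bytes_per_page(tok, 40))
```

Because the cookie never carries the user's data, it stays around 150 bytes, so the per-request tax Jon worries about is small, while every server in the farm can validate it without a state server or a sticky session. Anything larger than an id belongs in the database, looked up by that id.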