By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
432,257 Members | 925 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 432,257 IT Pros & Developers. It's quick & easy.

Warning - AVOID SESSION VARIABLES

P: n/a
Some ASP.NET applications use Session Variables extensively to maintain
state.

These should be re-written to use viewstate, hidden fields, querystring,
etc. instead.

This is because if a user opens a new IE window with Ctrl-N or
File-New-Window, BOTH WINDOWS SHARE THE SAME SESSION VARIABLES. This cannot
be prevented.

This means that if you change the value of a session variable in the second
window, it is also changed in the first window.

Session variables should only be used if this behavior is recognized and
compensated for.

I inherited a VB6 web class application which uses session variables
extensively. Users told me that sometimes orders were being added for the
wrong customer. I found that this occured when they opened a second browser
using Ctrl-N, changed the customer in the new window, and then returned to
the first window to add an order. They didn't realize that the customer
displayed in the first window was no longer consistent with the customer ID
stored in the shared CustomerID session variable.


Oct 19 '06 #1
Share this Question
Share on Google+
26 Replies


P: n/a
This is a long known issue. If a new browser is pulled from the old browser,
both have the same name, which means they share session. You can prevent
this by checking user input and ensuring you are dealing with the same
record. It is more a practices problem than a session problem.

On the other hand, I agree that you should keep page specific stuff in the
page. ViewState is a good option here.

--
Gregory A. Beamer
MVP; MCP: +I, SE, SD, DBA
http://gregorybeamer.spaces.live.com

*************************************************
Think outside of the box!
*************************************************
"BillE" <be****@datamti.comwrote in message
news:Oo**************@TK2MSFTNGP02.phx.gbl...
Some ASP.NET applications use Session Variables extensively to maintain
state.

These should be re-written to use viewstate, hidden fields, querystring,
etc. instead.

This is because if a user opens a new IE window with Ctrl-N or
File-New-Window, BOTH WINDOWS SHARE THE SAME SESSION VARIABLES. This
cannot be prevented.

This means that if you change the value of a session variable in the
second window, it is also changed in the first window.

Session variables should only be used if this behavior is recognized and
compensated for.

I inherited a VB6 web class application which uses session variables
extensively. Users told me that sometimes orders were being added for the
wrong customer. I found that this occured when they opened a second
browser using Ctrl-N, changed the customer in the new window, and then
returned to the first window to add an order. They didn't realize that
the customer displayed in the first window was no longer consistent with
the customer ID stored in the shared CustomerID session variable.


Oct 19 '06 #2

P: n/a
"Cowboy (Gregory A. Beamer)" <No************@comcast.netNoSpamMwrote in
message news:ei****************@TK2MSFTNGP05.phx.gbl...
On the other hand, I agree that you should keep page specific stuff in the
page. ViewState is a good option here.
That's just common sense, surely...?
Oct 19 '06 #3

P: n/a
I think that the only way to ensure you are dealing with the same record is
to avoid session variables.

For example, if you are using Master pages, as far as I can tell, this means
that a customer ID must be passed by query string for GET requests, and by
hidden fields for POST requests when a new child page is being called.

Is this an accurate statement?

Thanks
-Bill
"Cowboy (Gregory A. Beamer)" <No************@comcast.netNoSpamMwrote in
message news:ei****************@TK2MSFTNGP05.phx.gbl...
This is a long known issue. If a new browser is pulled from the old
browser, both have the same name, which means they share session. You can
prevent this by checking user input and ensuring you are dealing with the
same record. It is more a practices problem than a session problem.

On the other hand, I agree that you should keep page specific stuff in the
page. ViewState is a good option here.

--
Gregory A. Beamer
MVP; MCP: +I, SE, SD, DBA
http://gregorybeamer.spaces.live.com

*************************************************
Think outside of the box!
*************************************************
"BillE" <be****@datamti.comwrote in message
news:Oo**************@TK2MSFTNGP02.phx.gbl...
>Some ASP.NET applications use Session Variables extensively to maintain
state.

These should be re-written to use viewstate, hidden fields, querystring,
etc. instead.

This is because if a user opens a new IE window with Ctrl-N or
File-New-Window, BOTH WINDOWS SHARE THE SAME SESSION VARIABLES. This
cannot be prevented.

This means that if you change the value of a session variable in the
second window, it is also changed in the first window.

Session variables should only be used if this behavior is recognized and
compensated for.

I inherited a VB6 web class application which uses session variables
extensively. Users told me that sometimes orders were being added for
the wrong customer. I found that this occured when they opened a second
browser using Ctrl-N, changed the customer in the new window, and then
returned to the first window to add an order. They didn't realize that
the customer displayed in the first window was no longer consistent with
the customer ID stored in the shared CustomerID session variable.



Oct 19 '06 #4

P: n/a
"BillE" <be****@datamti.comwrote in message
news:%2******************@TK2MSFTNGP03.phx.gbl...
For example, if you are using Master pages, as far as I can tell, this
means that a customer ID must be passed by query string for GET requests,
and by hidden fields for POST requests when a new child page is being
called.

Is this an accurate statement?
Not im my experience - I use ViewState all the time within ContentPages...
Oct 19 '06 #5

P: n/a
Do your content pages initially receive parameters from query strings or
hidden fields?

"Mark Rae" <ma**@markNOSPAMrae.comwrote in message
news:er**************@TK2MSFTNGP04.phx.gbl...
"BillE" <be****@datamti.comwrote in message
news:%2******************@TK2MSFTNGP03.phx.gbl...
>For example, if you are using Master pages, as far as I can tell, this
means that a customer ID must be passed by query string for GET requests,
and by hidden fields for POST requests when a new child page is being
called.

Is this an accurate statement?

Not im my experience - I use ViewState all the time within ContentPages...

Oct 19 '06 #6

P: n/a
"BillE" <be****@datamti.comwrote in message
news:ul**************@TK2MSFTNGP04.phx.gbl...
Do your content pages initially receive parameters from query strings or
hidden fields?
Neither - they most often receive them from a Session variable which is read
and destroyed on Page_Load, surrounded by if (!IsPostBack). If the user
tries to open the page directly either by typing the URL into the address
bar directly or clicking File, New, that Session variable won't be there, so
the process will not continue. Instead, the user will be redirected to an
error page telling them not to do what they tried to do...
Oct 19 '06 #7

P: n/a
Good solution. Thanks!

"Mark Rae" <ma**@markNOSPAMrae.comwrote in message
news:e2*************@TK2MSFTNGP05.phx.gbl...
"BillE" <be****@datamti.comwrote in message
news:ul**************@TK2MSFTNGP04.phx.gbl...
>Do your content pages initially receive parameters from query strings or
hidden fields?

Neither - they most often receive them from a Session variable which is
read and destroyed on Page_Load, surrounded by if (!IsPostBack). If the
user tries to open the page directly either by typing the URL into the
address bar directly or clicking File, New, that Session variable won't be
there, so the process will not continue. Instead, the user will be
redirected to an error page telling them not to do what they tried to
do...

Oct 19 '06 #8

P: n/a
Your concern is valid, but this isn't really a problem with session
variables. It's more a question of where you should store different kind
of state.

Session variables are suitable for values that remain the same
throughout the session, like the id of the logged in user. The id of the
customer that you are currently viewing is something that should follow
the page rather than the session.

If you would store session specific data in an application variable,
that would of course be a problem if there ever is more than one session
active at the same time. In the same way, if you store page specific
data in a session variable, there is a problem if one user has more than
one page open at the same time.
BillE wrote:
Some ASP.NET applications use Session Variables extensively to maintain
state.

These should be re-written to use viewstate, hidden fields, querystring,
etc. instead.

This is because if a user opens a new IE window with Ctrl-N or
File-New-Window, BOTH WINDOWS SHARE THE SAME SESSION VARIABLES. This cannot
be prevented.

This means that if you change the value of a session variable in the second
window, it is also changed in the first window.

Session variables should only be used if this behavior is recognized and
compensated for.

I inherited a VB6 web class application which uses session variables
extensively. Users told me that sometimes orders were being added for the
wrong customer. I found that this occured when they opened a second browser
using Ctrl-N, changed the customer in the new window, and then returned to
the first window to add an order. They didn't realize that the customer
displayed in the first window was no longer consistent with the customer ID
stored in the shared CustomerID session variable.

Oct 19 '06 #9

P: n/a
Well put.

Unfortunately, I suspect there are many developers who use the convenience
of session variables to persist values (like Customer ID) without realizing
that a user will eventually compromise the application with a simple action
like Ctrl-N.

The only time I see this risk mentioned is in posts in newsgroups and forums
from distressed and perplexed developers!

Thanks
Bill
"Göran Andersson" <gu***@guffa.comwrote in message
news:Of****************@TK2MSFTNGP03.phx.gbl...
Your concern is valid, but this isn't really a problem with session
variables. It's more a question of where you should store different kind
of state.

Session variables are suitable for values that remain the same throughout
the session, like the id of the logged in user. The id of the customer
that you are currently viewing is something that should follow the page
rather than the session.

If you would store session specific data in an application variable, that
would of course be a problem if there ever is more than one session active
at the same time. In the same way, if you store page specific data in a
session variable, there is a problem if one user has more than one page
open at the same time.
BillE wrote:
>Some ASP.NET applications use Session Variables extensively to maintain
state.

These should be re-written to use viewstate, hidden fields, querystring,
etc. instead.

This is because if a user opens a new IE window with Ctrl-N or
File-New-Window, BOTH WINDOWS SHARE THE SAME SESSION VARIABLES. This
cannot be prevented.

This means that if you change the value of a session variable in the
second window, it is also changed in the first window.

Session variables should only be used if this behavior is recognized and
compensated for.

I inherited a VB6 web class application which uses session variables
extensively. Users told me that sometimes orders were being added for
the wrong customer. I found that this occured when they opened a second
browser using Ctrl-N, changed the customer in the new window, and then
returned to the first window to add an order. They didn't realize that
the customer displayed in the first window was no longer consistent with
the customer ID stored in the shared CustomerID session variable.


Oct 19 '06 #10

P: n/a
Just because session variables are bad to use in certain situations does not
mean that they are always bad. Just like virtually every development
technique, there are trade offs that should be carefully weighed before
deciding the course on which to embark.

When I first saw the title of your post I thought you were going to rave
about what a problem session variables can be when it comes to scalability,
but you didn't even mention that.

Despite such issues, its hard to deny what a convenient development time
saver session variables can be.

--
I hope this helps,
Steve C. Orr
MCSD, MVP, CSM
http://SteveOrr.net
"BillE" <be****@datamti.comwrote in message
news:Oo**************@TK2MSFTNGP02.phx.gbl...
Some ASP.NET applications use Session Variables extensively to maintain
state.

These should be re-written to use viewstate, hidden fields, querystring,
etc. instead.

This is because if a user opens a new IE window with Ctrl-N or
File-New-Window, BOTH WINDOWS SHARE THE SAME SESSION VARIABLES. This
cannot be prevented.

This means that if you change the value of a session variable in the
second window, it is also changed in the first window.

Session variables should only be used if this behavior is recognized and
compensated for.

I inherited a VB6 web class application which uses session variables
extensively. Users told me that sometimes orders were being added for the
wrong customer. I found that this occured when they opened a second
browser using Ctrl-N, changed the customer in the new window, and then
returned to the first window to add an order. They didn't realize that
the customer displayed in the first window was no longer consistent with
the customer ID stored in the shared CustomerID session variable.


Oct 19 '06 #11

P: n/a
Unfortunately, I suspect there are many developers who use the convenience
of session variables to persist values (like Customer ID) without
realizing that a user will eventually compromise the application with a
simple action like Ctrl-N.
I can really hear from this sentence that you really expected a(ny) session
to be unique.
In fact from beginning NO browser window is unique, that's http/tcp, no
window is unique.

You can only mess with html to try it to make unique.
But you should always bear in mind that one can have multiple windows open
and that you'll (possibly) not be able to distinguish them.. ever..

Messing wiht hidden controls/viewstate.. o well it's static but an unique
value injected..?
Saving the html and open it again also loads any previous ID you managed, so
that fails as well.

"BillE" <be****@datamti.comschreef in bericht
news:%2****************@TK2MSFTNGP05.phx.gbl...
Well put.

Unfortunately, I suspect there are many developers who use the convenience
of session variables to persist values (like Customer ID) without
realizing that a user will eventually compromise the application with a
simple action like Ctrl-N.

The only time I see this risk mentioned is in posts in newsgroups and
forums from distressed and perplexed developers!

Thanks
Bill
"Göran Andersson" <gu***@guffa.comwrote in message
news:Of****************@TK2MSFTNGP03.phx.gbl...
>Your concern is valid, but this isn't really a problem with session
variables. It's more a question of where you should store different kind
of state.

Session variables are suitable for values that remain the same throughout
the session, like the id of the logged in user. The id of the customer
that you are currently viewing is something that should follow the page
rather than the session.

If you would store session specific data in an application variable, that
would of course be a problem if there ever is more than one session
active at the same time. In the same way, if you store page specific data
in a session variable, there is a problem if one user has more than one
page open at the same time.
BillE wrote:
>>Some ASP.NET applications use Session Variables extensively to maintain
state.

These should be re-written to use viewstate, hidden fields, querystring,
etc. instead.

This is because if a user opens a new IE window with Ctrl-N or
File-New-Window, BOTH WINDOWS SHARE THE SAME SESSION VARIABLES. This
cannot be prevented.

This means that if you change the value of a session variable in the
second window, it is also changed in the first window.

Session variables should only be used if this behavior is recognized and
compensated for.

I inherited a VB6 web class application which uses session variables
extensively. Users told me that sometimes orders were being added for
the wrong customer. I found that this occured when they opened a second
browser using Ctrl-N, changed the customer in the new window, and then
returned to the first window to add an order. They didn't realize that
the customer displayed in the first window was no longer consistent with
the customer ID stored in the shared CustomerID session variable.



Oct 20 '06 #12

P: n/a
dgk
On Thu, 19 Oct 2006 17:01:21 +0100, "Mark Rae"
<ma**@markNOSPAMrae.comwrote:
>"BillE" <be****@datamti.comwrote in message
news:ul**************@TK2MSFTNGP04.phx.gbl...
>Do your content pages initially receive parameters from query strings or
hidden fields?

Neither - they most often receive them from a Session variable which is read
and destroyed on Page_Load, surrounded by if (!IsPostBack). If the user
tries to open the page directly either by typing the URL into the address
bar directly or clicking File, New, that Session variable won't be there, so
the process will not continue. Instead, the user will be redirected to an
error page telling them not to do what they tried to do...
I'm still waiting for the Microsoft Electroshock Feedback Keyboard.
Oct 20 '06 #13

P: n/a
dgk
On Thu, 19 Oct 2006 15:49:08 -0700, "Steve C. Orr [MVP, MCSD]"
<St***@Orr.netwrote:
>Just because session variables are bad to use in certain situations does not
mean that they are always bad. Just like virtually every development
technique, there are trade offs that should be carefully weighed before
deciding the course on which to embark.

When I first saw the title of your post I thought you were going to rave
about what a problem session variables can be when it comes to scalability,
but you didn't even mention that.

Despite such issues, its hard to deny what a convenient development time
saver session variables can be.
I'm new to ASP.NET development so I appreciate the whole thread, and
the one it descended from. I didn't realize that folks open up new
browser windows that share the session state so I will code for that.

How does IE7's tabbed windows (and Firefox) work - do those share the
session or start a new one?
Oct 20 '06 #14

P: n/a
dgk-

You are the intended audience for my post.

Thanks
Bill

"dgk" <dg*@somewhere.comwrote in message
news:6l********************************@4ax.com...
On Thu, 19 Oct 2006 15:49:08 -0700, "Steve C. Orr [MVP, MCSD]"
<St***@Orr.netwrote:
>>Just because session variables are bad to use in certain situations does
not
mean that they are always bad. Just like virtually every development
technique, there are trade offs that should be carefully weighed before
deciding the course on which to embark.

When I first saw the title of your post I thought you were going to rave
about what a problem session variables can be when it comes to
scalability,
but you didn't even mention that.

Despite such issues, its hard to deny what a convenient development time
saver session variables can be.

I'm new to ASP.NET development so I appreciate the whole thread, and
the one it descended from. I didn't realize that folks open up new
browser windows that share the session state so I will code for that.

How does IE7's tabbed windows (and Firefox) work - do those share the
session or start a new one?

Oct 20 '06 #15

P: n/a
The VS 2005 documentation clearly warns about performance issues in ASP.NET
State Management Recommendations (Disadvantage of Using Session State), so I
don't need to rave about it.

I agree with you on every point - I just want novice developers to know
about the trade-offs! How are they to know? This behavior is not mentioned
in any documentation I can find.

Thanks!
Bill
"Steve C. Orr [MVP, MCSD]" <St***@Orr.netwrote in message
news:uV**************@TK2MSFTNGP05.phx.gbl...
Just because session variables are bad to use in certain situations does
not mean that they are always bad. Just like virtually every development
technique, there are trade offs that should be carefully weighed before
deciding the course on which to embark.

When I first saw the title of your post I thought you were going to rave
about what a problem session variables can be when it comes to
scalability, but you didn't even mention that.

Despite such issues, its hard to deny what a convenient development time
saver session variables can be.

--
I hope this helps,
Steve C. Orr
MCSD, MVP, CSM
http://SteveOrr.net
"BillE" <be****@datamti.comwrote in message
news:Oo**************@TK2MSFTNGP02.phx.gbl...
>Some ASP.NET applications use Session Variables extensively to maintain
state.

These should be re-written to use viewstate, hidden fields, querystring,
etc. instead.

This is because if a user opens a new IE window with Ctrl-N or
File-New-Window, BOTH WINDOWS SHARE THE SAME SESSION VARIABLES. This
cannot be prevented.

This means that if you change the value of a session variable in the
second window, it is also changed in the first window.

Session variables should only be used if this behavior is recognized and
compensated for.

I inherited a VB6 web class application which uses session variables
extensively. Users told me that sometimes orders were being added for
the wrong customer. I found that this occured when they opened a second
browser using Ctrl-N, changed the customer in the new window, and then
returned to the first window to add an order. They didn't realize that
the customer displayed in the first window was no longer consistent with
the customer ID stored in the shared CustomerID session variable.



Oct 20 '06 #16

P: n/a
Hi Edwin -

I will reiterate that I have no objection to any behavior of ASP, IE, or
Session State.

My point is to alert developers to this potential pitfall. This will
inevitably occur if session variables are not used very carefully. When it
occurs, it will go possibly go undetected until significant damage has been
done.

Thanks
-Bill

"Edwin Knoppert" <ne**@hellobasic.comwrote in message
news:45**********************@text.nova.planet.nl. ..
>Unfortunately, I suspect there are many developers who use the
convenience of session variables to persist values (like Customer ID)
without realizing that a user will eventually compromise the application
with a simple action like Ctrl-N.

I can really hear from this sentence that you really expected a(ny)
session to be unique.
In fact from beginning NO browser window is unique, that's http/tcp, no
window is unique.

You can only mess with html to try it to make unique.
But you should always bear in mind that one can have multiple windows open
and that you'll (possibly) not be able to distinguish them.. ever..

Messing wiht hidden controls/viewstate.. o well it's static but an unique
value injected..?
Saving the html and open it again also loads any previous ID you managed,
so that fails as well.

"BillE" <be****@datamti.comschreef in bericht
news:%2****************@TK2MSFTNGP05.phx.gbl...
>Well put.

Unfortunately, I suspect there are many developers who use the
convenience of session variables to persist values (like Customer ID)
without realizing that a user will eventually compromise the application
with a simple action like Ctrl-N.

The only time I see this risk mentioned is in posts in newsgroups and
forums from distressed and perplexed developers!

Thanks
Bill
"Göran Andersson" <gu***@guffa.comwrote in message
news:Of****************@TK2MSFTNGP03.phx.gbl...
>>Your concern is valid, but this isn't really a problem with session
variables. It's more a question of where you should store different kind
of state.

Session variables are suitable for values that remain the same
throughout the session, like the id of the logged in user. The id of the
customer that you are currently viewing is something that should follow
the page rather than the session.

If you would store session specific data in an application variable,
that would of course be a problem if there ever is more than one session
active at the same time. In the same way, if you store page specific
data in a session variable, there is a problem if one user has more than
one page open at the same time.
BillE wrote:
Some ASP.NET applications use Session Variables extensively to maintain
state.

These should be re-written to use viewstate, hidden fields,
querystring, etc. instead.

This is because if a user opens a new IE window with Ctrl-N or
File-New-Window, BOTH WINDOWS SHARE THE SAME SESSION VARIABLES. This
cannot be prevented.

This means that if you change the value of a session variable in the
second window, it is also changed in the first window.

Session variables should only be used if this behavior is recognized
and compensated for.

I inherited a VB6 web class application which uses session variables
extensively. Users told me that sometimes orders were being added for
the wrong customer. I found that this occured when they opened a
second browser using Ctrl-N, changed the customer in the new window,
and then returned to the first window to add an order. They didn't
realize that the customer displayed in the first window was no longer
consistent with the customer ID stored in the shared CustomerID session
variable.




Oct 20 '06 #17

P: n/a
I believe the same behavior will occur in IE7 tabbed windows and in Firefox.

-Bill

"dgk" <dg*@somewhere.comwrote in message
news:6l********************************@4ax.com...
On Thu, 19 Oct 2006 15:49:08 -0700, "Steve C. Orr [MVP, MCSD]"
<St***@Orr.netwrote:
>>Just because session variables are bad to use in certain situations does
not
mean that they are always bad. Just like virtually every development
technique, there are trade offs that should be carefully weighed before
deciding the course on which to embark.

When I first saw the title of your post I thought you were going to rave
about what a problem session variables can be when it comes to
scalability,
but you didn't even mention that.

Despite such issues, its hard to deny what a convenient development time
saver session variables can be.

I'm new to ASP.NET development so I appreciate the whole thread, and
the one it descended from. I didn't realize that folks open up new
browser windows that share the session state so I will code for that.

How does IE7's tabbed windows (and Firefox) work - do those share the
session or start a new one?

Oct 20 '06 #18

P: n/a
On Thu, 19 Oct 2006 10:15:00 -0400, "BillE" <be****@datamti.com>
wrote:
>Some ASP.NET applications use Session Variables extensively to maintain
state.

These should be re-written to use viewstate, hidden fields, querystring,
etc. instead.
OK....
>This is because if a user opens a new IE window with Ctrl-N or
File-New-Window, BOTH WINDOWS SHARE THE SAME SESSION VARIABLES. This cannot
be prevented.
Yep...
>This means that if you change the value of a session variable in the second
window, it is also changed in the first window.

Session variables should only be used if this behavior is recognized and
compensated for.
There are many different things can replace 'session variables' in the
sentence above.
>I inherited a VB6 web class application which uses session variables
extensively. Users told me that sometimes orders were being added for the
wrong customer. I found that this occured when they opened a second browser
using Ctrl-N, changed the customer in the new window, and then returned to
the first window to add an order. They didn't realize that the customer
displayed in the first window was no longer consistent with the customer ID
stored in the shared CustomerID session variable.
Walk through the way you and the user think it should work and try to
figure how the road should fork when a second, third, fourth, ...
browser is opened. How does the server reconcile the existence of the
new client? How are authentication tickets to be handled? Is the new
client data co-joined to the original client's data or is a completely
different entity considered? When a user logs out does the logout
encompass all open browsers or just the one instance? Keep asking
questions and the additional complexity starts to resemble Hydra.

That the user "didn't realize" how things work suggests training
issues. It always helps to know how computers work. There may be
design and implementation issues as well.

regards
A.G.

Oct 20 '06 #19

P: n/a
The primary issue was that the developer didn't know that Ctrl-N opened a
new window which shared the same session variables as the parent window, and
didn't code to allow for this.
"Registered User" <n4***@ix.netcom.comwrote in message
news:pv********************************@4ax.com...
On Thu, 19 Oct 2006 10:15:00 -0400, "BillE" <be****@datamti.com>
wrote:
>>Some ASP.NET applications use Session Variables extensively to maintain
state.

These should be re-written to use viewstate, hidden fields, querystring,
etc. instead.
OK....
>>This is because if a user opens a new IE window with Ctrl-N or
File-New-Window, BOTH WINDOWS SHARE THE SAME SESSION VARIABLES. This
cannot
be prevented.
Yep...
>>This means that if you change the value of a session variable in the
second
window, it is also changed in the first window.

Session variables should only be used if this behavior is recognized and
compensated for.
There are many different things can replace 'session variables' in the
sentence above.
>>I inherited a VB6 web class application which uses session variables
extensively. Users told me that sometimes orders were being added for the
wrong customer. I found that this occured when they opened a second
browser
using Ctrl-N, changed the customer in the new window, and then returned to
the first window to add an order. They didn't realize that the customer
displayed in the first window was no longer consistent with the customer
ID
stored in the shared CustomerID session variable.
Walk through the way you and the user think it should work and try to
figure how the road should fork when a second, third, fourth, ...
browser is opened. How does the server reconcile the existence of the
new client? How are authentication tickets to be handled? Is the new
client data co-joined to the original client's data or is a completely
different entity considered? When a user logs out does the logout
encompass all open browsers or just the one instance? Keep asking
questions and the additional complexity starts to resemble Hydra.

That the user "didn't realize" how things work suggests training
issues. It always helps to know how computers work. There may be
design and implementation issues as well.

regards
A.G.

Oct 20 '06 #20

P: n/a
I agree with you on every point - I just want novice developers to know
about the trade-offs! How are they to know? This behavior is not
mentioned in any documentation I can find.
I admire your desire to see the community benefit from an understanding of
issues that may cause a web application to misbehave, or cause a security
risk. However, it is important to understand a couple of things about this:

1. A web application is, by nature, a complex and tricky application to
develop, and this is not due to .Net technology, but due to a number of
environmental factors that have existed on the WWW since long before there
*was* a .Net platform. These include the HTTP protocol, its stateless
nature, a lack of standards in user agent technology which resulted in a
large variety of user agents that behave differently in different ways, a
lack of an HTML standard, various versions of HTML, a poorly-architected
HTML standard, and a variety of extensions for HTML, such as JavaScript
(various versions) and CSS (various versions), which were also adopted in
different ways by browser and user agent vendors. Thankfully, standards are
emerging and improving rapidly, but legacy software and technology will
remain for years to come.

2. How Session cookies are handled by different user agents is only one of
many issues that a developer will encounter in web application development,
due to the issues mentioned in point 1. Dealing with the vagaries of
different user agents, how these user agents are custom-configured by the
users, different flavors of HTML, the stateless nature of HTTP, resultant
security issues, and network issues, such as dropped packets, are all issues
that contribute to the difficulty in writing solid web applications. In
other words, Session State is a very small part of the problem.

3. It is not the responsibility of Microsoft to document all of these
pre-existing non-Microsoft technologies, the various browser types (other
than Internet Explorer), web servers, and so on. It is the responsibility of
the developer to learn and understand them. Yes, this is a gargantuan task,
but if one wants to play the game, one has 2 choices: learn the game, or
lose the game.

--
HTH,

Kevin Spencer
Microsoft MVP
Short Order Coder
http://unclechutney.blogspot.com

What You Seek Is What You Get

"BillE" <be****@datamti.comwrote in message
news:O1**************@TK2MSFTNGP03.phx.gbl...
The VS 2005 documentation clearly warns about performance issues in
ASP.NET State Management Recommendations (Disadvantage of Using Session
State), so I don't need to rave about it.

I agree with you on every point - I just want novice developers to know
about the trade-offs! How are they to know? This behavior is not
mentioned in any documentation I can find.

Thanks!
Bill
"Steve C. Orr [MVP, MCSD]" <St***@Orr.netwrote in message
news:uV**************@TK2MSFTNGP05.phx.gbl...
>Just because session variables are bad to use in certain situations does
not mean that they are always bad. Just like virtually every development
technique, there are trade offs that should be carefully weighed before
deciding the course on which to embark.

When I first saw the title of your post I thought you were going to rave
about what a problem session variables can be when it comes to
scalability, but you didn't even mention that.

Despite such issues, its hard to deny what a convenient development time
saver session variables can be.

--
I hope this helps,
Steve C. Orr
MCSD, MVP, CSM
http://SteveOrr.net
"BillE" <be****@datamti.comwrote in message
news:Oo**************@TK2MSFTNGP02.phx.gbl...
>>Some ASP.NET applications use Session Variables extensively to maintain
state.

These should be re-written to use viewstate, hidden fields, querystring,
etc. instead.

This is because if a user opens a new IE window with Ctrl-N or
File-New-Window, BOTH WINDOWS SHARE THE SAME SESSION VARIABLES. This
cannot be prevented.

This means that if you change the value of a session variable in the
second window, it is also changed in the first window.

Session variables should only be used if this behavior is recognized and
compensated for.

I inherited a VB6 web class application which uses session variables
extensively. Users told me that sometimes orders were being added for
the wrong customer. I found that this occured when they opened a second
browser using Ctrl-N, changed the customer in the new window, and then
returned to the first window to add an order. They didn't realize that
the customer displayed in the first window was no longer consistent with
the customer ID stored in the shared CustomerID session variable.




Oct 20 '06 #21

P: n/a
Between them, I think the VS documentation and MSDN do an admirable job of
addressing most, if not all, of the points you mention! Certainly HTML
issues are described fully. CSS, JavaScript, security issues, network
issues are all described.

Better documentation of this behavior of IE with respect to session
variables should also be included.

Thanks
Bill


"Kevin Spencer" <sp**@uce.govwrote in message
news:uK**************@TK2MSFTNGP03.phx.gbl...
>I agree with you on every point - I just want novice developers to know
about the trade-offs! How are they to know? This behavior is not
mentioned in any documentation I can find.

I admire your desire to see the community benefit from an understanding of
issues that may cause a web application to misbehave, or cause a security
risk. However, it is important to understand a couple of things about
this:

1. A web application is, by nature, a complex and tricky application to
develop, and this is not due to .Net technology, but due to a number of
environmental factors that have existed on the WWW since long before there
*was* a .Net platform. These include the HTTP protocol, its stateless
nature, a lack of standards in user agent technology which resulted in a
large variety of user agents that behave differently in different ways, a
lack of an HTML standard, various versions of HTML, a poorly-architected
HTML standard, and a variety of extensions for HTML, such as JavaScript
(various versions) and CSS (various versions), which were also adopted in
different ways by browser and user agent vendors. Thankfully, standards
are emerging and improving rapidly, but legacy software and technology
will remain for years to come.

2. How Session cookies are handled by different user agents is only one of
many issues that a developer will encounter in web application
development, due to the issues mentioned in point 1. Dealing with the
vagaries of different user agents, how these user agents are
custom-configured by the users, different flavors of HTML, the stateless
nature of HTTP, resultant security issues, and network issues, such as
dropped packets, are all issues that contribute to the difficulty in
writing solid web applications. In other words, Session State is a very
small part of the problem.

3. It is not the responsibility of Microsoft to document all of these
pre-existing non-Microsoft technologies, the various browser types (other
than Internet Explorer), web servers, and so on. It is the responsibility
of the developer to learn and understand them. Yes, this is a gargantuan
task, but if one wants to play the game, one has 2 choices: learn the
game, or lose the game.

--
HTH,

Kevin Spencer
Microsoft MVP
Short Order Coder
http://unclechutney.blogspot.com

What You Seek Is What You Get

"BillE" <be****@datamti.comwrote in message
news:O1**************@TK2MSFTNGP03.phx.gbl...
>The VS 2005 documentation clearly warns about performance issues in
ASP.NET State Management Recommendations (Disadvantage of Using Session
State), so I don't need to rave about it.

I agree with you on every point - I just want novice developers to know
about the trade-offs! How are they to know? This behavior is not
mentioned in any documentation I can find.

Thanks!
Bill
"Steve C. Orr [MVP, MCSD]" <St***@Orr.netwrote in message
news:uV**************@TK2MSFTNGP05.phx.gbl...
>>Just because session variables are bad to use in certain situations does
not mean that they are always bad. Just like virtually every
development technique, there are trade offs that should be carefully
weighed before deciding the course on which to embark.

When I first saw the title of your post I thought you were going to rave
about what a problem session variables can be when it comes to
scalability, but you didn't even mention that.

Despite such issues, its hard to deny what a convenient development time
saver session variables can be.

--
I hope this helps,
Steve C. Orr
MCSD, MVP, CSM
http://SteveOrr.net
"BillE" <be****@datamti.comwrote in message
news:Oo**************@TK2MSFTNGP02.phx.gbl...
Some ASP.NET applications use Session Variables extensively to maintain
state.

These should be re-written to use viewstate, hidden fields,
querystring, etc. instead.

This is because if a user opens a new IE window with Ctrl-N or
File-New-Window, BOTH WINDOWS SHARE THE SAME SESSION VARIABLES. This
cannot be prevented.

This means that if you change the value of a session variable in the
second window, it is also changed in the first window.

Session variables should only be used if this behavior is recognized
and compensated for.

I inherited a VB6 web class application which uses session variables
extensively. Users told me that sometimes orders were being added for
the wrong customer. I found that this occured when they opened a
second browser using Ctrl-N, changed the customer in the new window,
and then returned to the first window to add an order. They didn't
realize that the customer displayed in the first window was no longer
consistent with the customer ID stored in the shared CustomerID session
variable.






Oct 20 '06 #22

P: n/a
Hi,

BillE wrote:
The primary issue was that the developer didn't know that Ctrl-N opened a
new window which shared the same session variables as the parent window, and
didn't code to allow for this.
I am really surprised that a developer didn't know that. It's a common
behaviour. After all, all browsers react the same, if you press Ctrl-N
in Firefox, you also get a new window in the same session.

IE is special only because it allows starting more than one process,
each of them with a different session ID (if you select the Internet
Explorer icon twice in the Start menu, for example, you start two
instances of IEXPLORE.EXE, which can easily be seen in the task
manager). Firefox doesn't react the same: It allows only one instance of
the process. So actually, the thing you should warn against is not that
two IE windows share the same session ID, but rather that in some cases,
they don't ;-)

I want to add that I recommend using the ViewState with a lot of care,
because if you don't use it carefully, you send a lot of unuseful
information back and forth on every postback. We had cases where an
uncarefully used ViewState was many KB long, which was unbearable for
our users with a modem connection. Disabling the ViewState on a control
should IMHO be the very first thing a developer does when he adds the
control to the page, and then the ViewState should be enabled on demand
only.

Every technology has drawbacks.

Greetings,
Laurent
--
Laurent Bugnion, GalaSoft
Software engineering: http://www.galasoft-LB.ch
PhotoAlbum: http://www.galasoft-LB.ch/pictures
Support children in Calcutta: http://www.calcutta-espoir.ch
Oct 20 '06 #23

P: n/a
Bonjour, Laurent

I think you would be surprised at the number of developers who don't know
that.

Google on "asp.net session variables ctrl+N". Lots of panicky posts and
helpful responses (and some smug responses too).

If you didn't know you needed to manage 'ctrl+N', how would you find out?

-Bill
"Laurent Bugnion" <ga*********@bluewin.chwrote in message
news:eX**************@TK2MSFTNGP03.phx.gbl...
Hi,

BillE wrote:
>The primary issue was that the developer didn't know that Ctrl-N opened a
new window which shared the same session variables as the parent window,
and didn't code to allow for this.

I am really surprised that a developer didn't know that. It's a common
behaviour. After all, all browsers react the same, if you press Ctrl-N in
Firefox, you also get a new window in the same session.

IE is special only because it allows starting more than one process, each
of them with a different session ID (if you select the Internet Explorer
icon twice in the Start menu, for example, you start two instances of
IEXPLORE.EXE, which can easily be seen in the task manager). Firefox
doesn't react the same: It allows only one instance of the process. So
actually, the thing you should warn against is not that two IE windows
share the same session ID, but rather that in some cases, they don't ;-)

I want to add that I recommend using the ViewState with a lot of care,
because if you don't use it carefully, you send a lot of unuseful
information back and forth on every postback. We had cases where an
uncarefully used ViewState was many KB long, which was unbearable for our
users with a modem connection. Disabling the ViewState on a control should
IMHO be the very first thing a developer does when he adds the control to
the page, and then the ViewState should be enabled on demand only.

Every technology has drawbacks.

Greetings,
Laurent
--
Laurent Bugnion, GalaSoft
Software engineering: http://www.galasoft-LB.ch
PhotoAlbum: http://www.galasoft-LB.ch/pictures
Support children in Calcutta: http://www.calcutta-espoir.ch

Oct 20 '06 #24

P: n/a
dgk wrote:
On Thu, 19 Oct 2006 15:49:08 -0700, "Steve C. Orr [MVP, MCSD]"
<St***@Orr.netwrote:
>Just because session variables are bad to use in certain situations does not
mean that they are always bad. Just like virtually every development
technique, there are trade offs that should be carefully weighed before
deciding the course on which to embark.

When I first saw the title of your post I thought you were going to rave
about what a problem session variables can be when it comes to scalability,
but you didn't even mention that.

Despite such issues, its hard to deny what a convenient development time
saver session variables can be.

I'm new to ASP.NET development so I appreciate the whole thread, and
the one it descended from. I didn't realize that folks open up new
browser windows that share the session state so I will code for that.

How does IE7's tabbed windows (and Firefox) work - do those share the
session or start a new one?
Tabbed windows are always windows in the same instance of the browser,
so they will always share the same session.

The only time the windows doesn't share the same session is if they are
in separate instances of the browser, i.e. when you start a new browser
from the start menu (or similar).

Firefox only has one instance open ever. If you try to start a new
instance, a new window in the current instance is created instead, so
all windows in firefox share the same session.
Oct 21 '06 #25

P: n/a
dgk
On Sat, 21 Oct 2006 05:25:58 +0200, Göran Andersson <gu***@guffa.com>
wrote:

>
Firefox only has one instance open ever. If you try to start a new
instance, a new window in the current instance is created instead, so
all windows in firefox share the same session.
That seems like a real weakness to me. I would like the option (now
that I know it exists, that is).
Oct 23 '06 #26

P: n/a
It's not too hard to manage this, though (although not as easy as just
populating the session variables and leaving them).

I use the solution Mark Rae mentioned -- populate the session variable when
a page is being opened, and then retrieve the session variable, stash the
value in viewstate or a hidden field, and destroy the session variable.

This also prevents inconsistent data from users using the back button.
"dgk" <dg*@somewhere.comwrote in message
news:ij********************************@4ax.com...
On Sat, 21 Oct 2006 05:25:58 +0200, Göran Andersson <gu***@guffa.com>
wrote:

>>
Firefox only has one instance open ever. If you try to start a new
instance, a new window in the current instance is created instead, so
all windows in firefox share the same session.

That seems like a real weakness to me. I would like the option (now
that I know it exists, that is).

Oct 23 '06 #27

This discussion thread is closed

Replies have been disabled for this discussion.