<at*********@hotmail.comwrote in message
news:11**********************@y42g2000hsy.googlegr oups.com...
I am hoping to get some guidance on the following scenerio:
I have a password protected site where users have various
permissions. Are sessions the best way of storing the user's id? And
if so, on load of a page should I be hitting the database for their
permissions (based on the session stored user id), or should
everything I need be stored in session variables to save the trip to
the database? I have also wondered about serializing the user object
and sending it from page to page, but I have no idea as to what the
'official' or 'best' practice is for maintaining this kind of data
from page to page.
Any help would be greatly appreciated.
I don't think there is any sort of 'best practice' guidelines for this, so
here's what I usually do...
Application object
Use for high-level lookup data which will change only very infrequently,
e.g. country codes, currency codes, public holidays etc. However, this is
really only sensible if the data will be used very frequently by a
significant number of pages within the web app. E.g. if you have a web app
with 200 pages and only one or two of those need to refer to public
holidays, there's little point in caching the data in the Application
object.
Session object
Use for lookup data which is highly unlikely to change throughout the
duration of a session and which is used by many pages. As you mention,
metadata about the currently logged-on user is usually a good candidate for
storage in the Session object. However, I *never* pass Session data between
pages - there's no point at all, as Session is available to all pages
anyway...
Try not to use the SessionID for any sort of reference, as it's not 100%
guaranteed to be unique across all scenarios. There should be no need to use
the SessionID for anything anyway, as it's not meaningful data. E.g my
current SessionID is "X" but yesterday it was "Y" - so what... :-)
Also, bear in mind that when you use inproc sessions, every piece of data
you store in the Session object eats away at the total amount of memory...
Obviously, modern webservers tend to have bags of memory anyway, but it's
still something to consider... I've seen installations where the webserver
had 512Mb RAM, and each user's Session was over 1Mb big - a few hundred
concurrent users and the thing will grind to a halt very quickly...
Finally, if you use SQL Server to persist your Session objects, the above is
slightly irrelevant as you'll be hitting the database no matter what you
do... This again needs a bit of planning because e.g. Session_End doesn't
fire if you're not using inproc sessions...
--
Mark Rae
ASP.NET MVP
http://www.markrae.net