Library tutorials & articles
When Session Variables Go Bad
- Introduction
- The Implementation Details
- Tying Up Loose Ends
- Cap'n. The Resources. They Canna Take It!
- Down on the Web Farm
- Summary
Cap'n. The Resources. They Canna Take It!
Forgetting about the threading issues, there are a number of less esoteric issues that impact the use of Session variables. The strain on server memory can get quite high, depending on the usage of your web site.
As we mentioned earlier, Session variables are implemented as a collection. Actually, as a collection of Variants. This means that for every session, you not only have the data being stored, but also the implementation of the Add, Remote, Item and Count methods, as well as the IEnum interface. Then, since it is a collection of variants, the collection also needs to implement the IEnumVariant interface. Finally, the values in the collection are tied together using a linked list. So if you add even a small piece of data to the session variables, the memory usage might seem way out of whack.
Now in the connectionless world of HTTP, there is no way for the application
to know when a user is done with their session. So IIS implements a session timeout
mechanism. By default, it is twenty minutes, but it can easily be configured
by the web site administrator. This value does significantly impact the resource
usage of the web server. Let's say that you get 1000 users an hour on your site.
That means that, on average, you will have 330 sessions active (okay, 333, but
the math is easier if there are zeros). Say each session takes up 4KB of space.
That means that 1.3 MB would be constantly allocated on the server. Not a problem,
you say? Fine. So long as you keep ratcheting up the server memory as your site
becomes more popular.
I am the owner of a small application development consulting company that specialized in the design and implementation of Internet-based applications. While there are others who can make a web site...
Related articles
Related discussion
-
Read eMails from Outlook express using ASP
by kumaravelu (1 replies)
-
Help to Call ASP function from onclick event in HTML to pass an array
by vka (0 replies)
-
Binary Studio | software development outsourcing Ukraine
by shane124 (4 replies)
-
Variable In Vb.Net
by chia (0 replies)
-
ideas in building a captive portal
by sjranjan (2 replies)
Related podcasts
-
Scott Guthrie
Scott catches up with Scott Guthrie in an interview covering Ajax, Asp 2.0, extender controls, CSS adapters and more.
Your Article is informative, but you missed the core point in explaining what will be the Alternative for Session variables in a Distributed Server Environment. I have used session variables, but at no point of time i faced the problem of losing the value from a session variable.
Can you Explain this in detail.
Arshad Hussain.
for tker
Could you point us to some examples? That sounds like a good challange!
So what should we all be using instead. If we can't use cookies, because essientially seesion things use cookies how are you suppose to keep track of users being logged in? I guess you could tack a field on the user that says they are logged in or not but what if they change computer?? and haven't logged out of the other computer??
I Would like to know, what you suggest to use instead of Seesions.
It's difficult to maintain session state without session variables. Solutions there are. Some scripted and some 3rd party tools. Also PHP and ColdFusion have their own methods. But the bottom line is that the "cookies are evil" biscuit talk is nothing more than politics. You should inform your users that your are using cookies and what for. Nowadays browsers give you the ability to have cookies disabled for some sites and enabled for others. All the user has to do is to add your site to the "cookie-safe" list. If some paranoid user still doesn't want your site on his list (or his list is empty and he likes it that way) you should only be ready to accept it and script your site so that he can at least use whatever minimal services you can offer. If even that is not possible... well, that's his and your loss. But the world still turns and it's not the end of it.
Mind you, it's still possible to use session variables even without cookies on the client side. You just have to pass the sessionID on the url and have your scripts coded so they can use it that way. However, this brings some security issues as some guy over the user shoulder may read his session ID and hack into it on a computer next room.
Mario Figueiredo
Whenever I have created a high-traffic, browser-neutral site, I have maintained session information stored in a database. In other words, when a user logs into the site, they are assigned a 32-character identifier. This identifier travels with them as they move from page to page either on the URL or in a hidden field in a form. As they hit a page, I take the identifier and validate it against the session table. At the same time, I can check it against a LastTimeUsed field to see if too much time has passed and a LastPageUsed field to ensure that people aren't jumping into the middle of a process (both are potential signs of hacking). The other benefit is that I can build a log containing the details of the path my users are taking as they move through the web site, something quite useful if you ever need to do a usability analysis.
Does this take longer than storing state information in a session variable? Undoubtably. But a properly configured table, combined with connection pooling keeps the performance impact to a minimum. Not to mention that I can always throw more horsepower at the problem, if necessary. The web sites that I create are designed to be scalable both at the web server level (through load balancing) and at the database level. So if the activity on the web site warrented it, I would have no problem dedicating a database server to just handling the session processing.
Ultimately, I don't think that there is anything inherantly evil with using session variables. In many cases, their ease of use is too appealing to ignore. As someone else mentioned in this thread, my real purpose was to address some questions that I had been asked about session variables, especially when they are used to store ADO connection objects <<shudder>.
In response to the question of what to use instead, is there any reason not to use XML files (identified via a querystring of the filename) that are stored on the server to track user state? We've been doing this to replace cookies/sessions entirely in our web apps & haven't encountered any issues, but I was wondering if any exist?
http://www.wired.com/news/technology/0,1282,52115,00.html
while your at it heres a little screenshot of Windows.NET Enterprise Server[Build 3621]:
http://www.windowsbeta.de/html/newspic/3621.jpg
I know you dont want to make DevFusion a beta/hacking site but I thought you may be interested.
?session=#SessionID#
to each url..... I *thought* asp.net was going to have this feature too, but I haven't found it yet....
Is there a *real* alternative to cookies? on the client side all i see web developers can use is cookies. but if its restricted because so many tools are scared of them well thats it for most of us.
P.S. Did you guys hear about the HotMail Cookie vunerability?
I only use session variables the way james descibes.
That's all.
at the moment, microsoft doesn't have any other way of using sessions without the use of a cookie.... although ASP.net does to some extent allow sessions to be tracked by a query parameter in the URL....
does that make any sense?
I Would like to know, what you suggest to use instead of Seesions.
This thread is for discussions of When Session Variables Go Bad.