Alternative to Session

1

I am using Session to store the company object the user is logged in to.

I also use it to build filters, so that it shows only what belongs to the logged-in company.

However, I have the following problems:

1 - If the user has closed the tab, their authentication cookie is still on the machine, so when they access it again, Session is null, causing an error.

2 - It’s a multi-tenant app, so if you have 1000 users logged in, there will be 1000 pointers in memory to store that Session.

  • I would go straight to use the Redis.

  • @Romaniomorrisonmendez even with multiple users, in several companies and in the same bank ?

  • Sure, without thinking too much.

2 answers

3

I strongly advise against using Session in MVC, mainly in applications that use load balancing: use cookies! HTTP, like MVC, is stateless.

You don’t even need to create memory pointers or query the database to find out who is logged in. Using cookies, you must record only what is necessary to identify the logged-in user (Name, Id, Login, registration, company, etc.) and encrypt this information before writing the cookie. Encapsulate everything in a class and persist it in the cookie.

It is faster, safer, uses less network traffic and memory, and still follows the recommendations of MS itself, so much so that ASP.NET Identity uses cookies for its authentication and not Session.

Check how Identity behaves and do the same. It’s very effective, test and tell me if it worked for you.
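
A sketch of what this answer describes, as an added example that is not part of the original answer: the company id travels in the encrypted Forms authentication ticket, so a request with an empty Session still knows its company. The `CompanyTicket` class and its method names are hypothetical; the `System.Web.Security` calls are the standard Forms authentication API.

```csharp
using System;
using System.Globalization;
using System.Web;
using System.Web.Security;

// Hypothetical helper: keeps the logged-in company id inside the
// Forms authentication ticket instead of in Session.
public static class CompanyTicket
{
    // Call only after the credentials AND the user's membership in
    // companyId have been verified on the server.
    public static void SignIn(HttpResponseBase response, string login, int companyId, bool persistent)
    {
        var ticket = new FormsAuthenticationTicket(
            1, login, DateTime.Now, DateTime.Now.Add(FormsAuthentication.Timeout),
            persistent, companyId.ToString(CultureInfo.InvariantCulture),
            FormsAuthentication.FormsCookiePath);

        // Encrypt() protects the ticket with the machineKey settings
        // (encrypted and signed under the default protection="All").
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                         // not readable from script
            Secure = FormsAuthentication.RequireSSL, // follows <forms requireSSL="...">
            Path = FormsAuthentication.FormsCookiePath
        };
        if (persistent) cookie.Expires = ticket.Expiration;
        response.Cookies.Add(cookie);
    }

    // Returns the company id carried by the current request's ticket, or
    // null when there is no valid, unexpired ticket.
    public static int? CurrentCompanyId(HttpContextBase context)
    {
        var identity = context.User == null ? null : context.User.Identity as FormsIdentity;
        if (identity == null || !identity.IsAuthenticated || identity.Ticket.Expired)
            return null;

        int companyId;
        return int.TryParse(identity.Ticket.UserData, NumberStyles.None,
                            CultureInfo.InvariantCulture, out companyId)
            ? companyId : (int?)null;
    }
}
```

Tenant filters should take the company id from `CurrentCompanyId`, never from a form field or query string, and switching company means re-checking membership and issuing a new ticket. Behind a load balancer, every node needs the same `machineKey` so that each one can decrypt the ticket.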

2

I also use Session in my application to maintain user access data. I consider it faster than querying the database directly.

Question 1

Regarding the loss of Session, I believe that you should set its time-out to a higher value. Change your Web.config as in the example below:

<system.web>
  <!-- Session timeout, in minutes -->
  <sessionState timeout="60"></sessionState>
  ...
</system.web>

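Another thing I do, in Global.asax.cs, is check whether Session is dead while Forms authentication is still present; if so, I create Session again. Example below:

// Global.asax.cs; needs System, System.Web, System.Web.Security and System.Web.SessionState.
protected void Application_PreRequestHandlerExecute(object sender, EventArgs e)
{
    // Session is only available for handlers that opt in to session state.
    if (Context.Handler is IRequiresSessionState || Context.Handler is IReadOnlySessionState)
    {
        HttpCookie authenticationCookie = Request.Cookies[FormsAuthentication.FormsCookieName];
        if (authenticationCookie != null && !string.IsNullOrEmpty(authenticationCookie.Value))
        {
            // Decrypt throws on an empty value, hence the check above.
            FormsAuthenticationTicket authenticationTicket = FormsAuthentication.Decrypt(authenticationCookie.Value);
            if (authenticationTicket != null && !authenticationTicket.Expired)
            {
                // Valid ticket but the Session was lost: rebuild it from the login name.
                if (Session["usuarioLogado"] == null)
                {
                    CriaNovamenteSession(authenticationTicket.Name);
                }
            }
        }
        else
        {
            // No authentication cookie: drop any leftover logged-in user.
            Session["usuarioLogado"] = null;
        }
    }
}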

Question 2

I haven’t tried it with so many users yet, but I think it’s better to have 1000 pointers than to access the database all the time to get data.

  • Marlon, thank you for your answer. As for the session time, even after closing the browser and opening it again, if it is authenticated, will I be able to capture the session? Another thing: regarding the code you posted, in my case the user may be in more than one company; how could I get around that? Redirect to select the company they want to log in to?

  • I also thought about the use of Cache[""]

  • @Sorry to keep you waiting. About the company, I find it interesting to always keep the user in a company and do something for him to change company, I do this in my system, but for me "Company" is a vision and "Client/ Branch" are internal accesses. But this is a form of implementation. About Session, even when closing it is "active" because it is inside the server and not in the client.
