Session variables vs. Query string parameters

Posted on 2006-04-28
Last Modified: 2012-08-13
In a website that is supposed to be secured because it holds confidential client data:
What's the difference between session variables and query string parameters in terms of:
1- Security
2- Performance
Question by: feesu
    LVL 2

    Accepted Solution

    There are 2 types of session variables.

    1) Server-side session variables: server-side session variables are stored in the web server's memory, database, or files depending on your web server and application settings.

    2) Client-side session variables: client-side session variables are stored on the client's computer as a cookie in a file.

    In terms of security:
    If you have sensitive confidential data you want to store that in server-side session variables, as there will be no access to that from the client and it will not be stored on the client computer. Store only non-sensitive data in the client-side session so that you know what server-side session variables to look at when pages are posted back.
    DO NOT use query string parameters to pass the confidential data to your web pages unless the data is encrypted/decrypted via your web application pages.

    In terms of performance:
    Usually a combination of the session and query string parameters is the most efficient, making sure to keep sensitive data out of the query string and the client-side session variables (unless they're encrypted/decrypted). The more server-side session information you store, the more memory it will eat up on your web server, so be careful that you're not storing Dickensian novels in there.
    LVL 6

    Expert Comment

    In my opinion:

      + Sessions are variables in memory, but query string values are variables in the request URL (no need for more info in memory).
      - Query string is only for primitive data types or small data that can be serialized in very small text (time to serialize/deserialize), but sessions are better to keep large, object data types.
      + Sessions are hidden from the user (query string can be modified directly and suffers from attack approaches, e.g. SQL injection).
      - Sessions are buggy! It's not a good thing to use to hide sensitive information.


    Author Comment

    But if you're saying that encrypting the query string will work for security, then writing sensitive data into an encrypted cookie is safe as well.
    Can anyone decrypt what I have encrypted in my query string?
    LVL 2

    Expert Comment

    Encrypting cookies (client-side session variables) is also a safe option. Whether or not the information can be decrypted by anyone depends on the strength of the cipher used to encrypt the information and the knowledge level of the person attempting to decrypt it.
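The accepted solution's split between a server-side session (only an opaque id ever reaches the client) and query string data that must be protected before it is sent, together with the later point that a query string can be modified directly, shown as an added Python example that is not from this thread (the thread concerns ASP.NET; this is illustrative code only). It assumes a constructed server key and uses an HMAC signature, which detects tampering but does not hide the values, so confidential values still belong server-side or under an authenticated cipher.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode

# Constructed demo key; a real deployment loads it from configuration, never from source.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"

# --- Option 1: server-side session. Only a random opaque id is sent to the client. ---
SESSION_STORE = {}  # stands in for the server's memory/database session storage


def create_session(data):
    """Keep confidential data on the server; return the opaque id to put in a cookie."""
    session_id = secrets.token_urlsafe(32)
    SESSION_STORE[session_id] = dict(data)
    return session_id


def load_session(session_id):
    """Look up a session by id; an unknown or forged id simply yields None."""
    return SESSION_STORE.get(session_id)


# --- Option 2: data in the query string, with an HMAC so modification is detected. ---
def sign_query(params):
    """Serialize params and append a signature the receiving page can verify."""
    payload = urlencode(sorted(params.items()))
    tag = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).digest()
    sig = base64.urlsafe_b64encode(tag).decode().rstrip("=")
    return payload + "&sig=" + sig


def verify_query(query):
    """Return the params if the signature matches, else None (constant-time compare)."""
    parsed = parse_qs(query, keep_blank_values=True)
    sig = parsed.pop("sig", [None])[0]
    if sig is None:
        return None  # unsigned query: treat as untrusted
    params = {k: v[0] for k, v in parsed.items()}
    expected = sign_query(params).rsplit("&sig=", 1)[1]
    if not hmac.compare_digest(sig, expected):
        return None  # a value was changed in transit or by the user
    return params
```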
