Session variables vs. Query string parameters

On a website that is supposed to be secured because it holds confidential client data:
What's the difference between session variables and query string parameters in terms of:
1- Security
2- Performance
1 Solution
There are 2 types of session variables.

1) Server-side session variables: server-side session variables are stored in the web server's memory, a database, or files, depending on your web server and application settings.

2) Client-side session variables: client-side session variables are stored on the client's computer as a cookie in a file.

In terms of security:
If you have sensitive, confidential data, you want to store that in server-side session variables, as there will be no access to it from the client and it will not be stored on the client computer. Store only non-sensitive data in the client-side session, so that you know which server-side session variables to look at when pages are posted back.
DO NOT use query string parameters to pass confidential data to your web pages unless the data is encrypted/decrypted by your web application pages.

In terms of performance:
Usually a combination of session and query string parameters is the most efficient, making sure to keep sensitive data out of the query string and the client-side session variables (unless they're encrypted/decrypted). The more server-side session information you store, the more memory it will eat up on your web server, so be careful that you're not storing Dickensian novels in there.
  + Sessions are variables in memory, but query strings are variables in the request URL (no need for more info in memory).
  - Query strings are only for primitive datatypes or small data that can be serialized into very small text (time to serialize/deserialize), but sessions are better for keeping large object datatypes.
  + Sessions are hidden from the user (query strings can be modified directly and suffer from attack approaches, e.g. SQL injection).
  - Sessions are buggy! It's not a good thing to use to hide sensitive information.

In my opinion:

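As an added example that is not part of the thread (Python, standard library only; the session TTL, the cookie name `sid` and the `/statement` handler are assumptions for illustration), here is the server-side session pattern the answer recommends: the confidential record sits in a server-side store keyed by a random id, the client holds only that id in a hardened cookie, and the query string carries nothing but a page number. The handler takes the account from the session, so an `account_id` slipped into the query string is ignored, a guessed session id gets a 401, and expired sessions are evicted so the store does not grow without bound.

```python
import secrets
import time
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlencode

SESSION_TTL = 900  # seconds of idle life; an assumption for this example


class SessionStore:
    """In-memory server-side session store. The confidential data lives only here;
    the client receives nothing but an opaque, unguessable session id."""

    def __init__(self, ttl=SESSION_TTL):
        self._sessions = {}
        self._ttl = ttl

    def create(self, data):
        # 256 bits from the OS CSPRNG: the id cannot be guessed or enumerated.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"data": dict(data), "expires": time.time() + self._ttl}
        return sid

    def get(self, sid, now=None):
        now = time.time() if now is None else now
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if now > entry["expires"]:
            del self._sessions[sid]  # evict expired entries; this also bounds memory use
            return None
        entry["expires"] = now + self._ttl  # sliding expiry on each use
        return entry["data"]

    def destroy(self, sid):
        self._sessions.pop(sid, None)

    def __len__(self):
        return len(self._sessions)


def session_cookie_header(sid):
    """Set-Cookie line carrying only the id: HttpOnly keeps it away from scripts,
    Secure keeps it off plain HTTP, SameSite=Lax blocks most cross-site request forgery."""
    cookie = SimpleCookie()
    cookie["sid"] = sid
    cookie["sid"]["httponly"] = True
    cookie["sid"]["secure"] = True
    cookie["sid"]["samesite"] = "Lax"
    cookie["sid"]["path"] = "/"
    return cookie.output(header="Set-Cookie:")


def build_url(path, params):
    """Query string: fine for small, non-sensitive view state such as a page number."""
    return path + "?" + urlencode(params)


def parse_params(url):
    query = url.split("?", 1)[1] if "?" in url else ""
    return {k: v[0] for k, v in parse_qs(query).items()}


def statement_handler(store, cookie_sid, url):
    """Request handler: identity comes from the server-side session, never from the URL,
    so a client that edits ?account_id=... in the query string still sees only its own data."""
    session = store.get(cookie_sid)
    if session is None:
        return 401, "login required"
    page = parse_params(url).get("page", "1")
    if not page.isdigit():
        return 400, "bad page"
    return 200, f"statement for account {session['account_id']}, page {int(page)}"


if __name__ == "__main__":
    store = SessionStore()
    # Constructed sample record; the sensitive fields never leave the server.
    sid = store.create({"account_id": 1001, "tax_id": "constructed-sample"})
    print(session_cookie_header(sid))
    print(statement_handler(store, sid, build_url("/statement", {"page": "3", "account_id": "1002"})))
    print(statement_handler(store, "guessed-id", "/statement"))
```

The memory caveat from the answer applies to `SessionStore`: every live session costs server memory, so keep the record small (ids and flags, not whole documents) and rely on the TTL eviction; a database-backed store would swap memory for I/O on each request.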
feesuAuthor Commented:
But if you're saying that encrypting the query string will work for security, then writing sensitive data into an encrypted cookie is safe as well.
Can anyone decrypt what I have encrypted in my query string?
Encrypting cookies (client-side session variables) is also a safe option. Whether or not the information can be decrypted by anyone depends on the strength of the cipher used to encrypt the information and the knowledge level of the person attempting to decrypt it.
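On the question of whether an encrypted query string or cookie is "safe": the strength of the cipher decides whether an outsider can read the value, but not whether they can alter it. The added example below is not from the thread; it is Python, standard library only, with a toy SHA-256 counter-mode keystream standing in for a real cipher (an assumption for illustration, not something to deploy). `encrypt_only` hides `account=1001`, yet `flip_plaintext` turns it into `account=1002` without the key, because a stream cipher without a MAC is malleable. `seal`/`unseal` adds an HMAC tag over the ciphertext plus an expiry (encrypt-then-MAC), so a modified, truncated or stale token is rejected. In production use an authenticated cipher such as AES-GCM, with a key that never leaves the server.

```python
import base64
import hashlib
import hmac
import os
import time

# Assumption: a server-side master secret that is never sent to the client.
MASTER_KEY = os.urandom(32)
ENC_KEY = hashlib.sha256(b"enc" + MASTER_KEY).digest()  # separate keys for the two jobs
MAC_KEY = hashlib.sha256(b"mac" + MASTER_KEY).digest()
NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key, nonce, length):
    """Toy counter-mode keystream built from SHA-256. Illustration only: use AES-GCM for real."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt_only(plaintext):
    """Confidentiality only: nonce || (plaintext XOR keystream). Nothing here detects modification."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(ENC_KEY, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt_only(blob):
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = _keystream(ENC_KEY, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def flip_plaintext(blob, offset, old, new):
    """What an attacker without the key can still do: XOR the ciphertext so the plaintext bytes
    at `offset` change from `old` to `new`. Works against any unauthenticated stream cipher."""
    out = bytearray(blob)
    for i, (o, n) in enumerate(zip(old, new)):
        out[NONCE_LEN + offset + i] ^= o ^ n
    return bytes(out)


def seal(plaintext, ttl_seconds=300, now=None):
    """Encrypt-then-MAC with an expiry; URL-safe for a query string or a cookie value."""
    expires = int(time.time() if now is None else now) + ttl_seconds
    ct = encrypt_only(expires.to_bytes(8, "big") + plaintext)
    tag = hmac.new(MAC_KEY, ct, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(ct + tag).decode("ascii")


def unseal(token, now=None):
    """Returns the plaintext, or None if the token was forged, modified, truncated or has expired."""
    try:
        raw = base64.urlsafe_b64decode(token.encode("ascii"))
    except (ValueError, UnicodeEncodeError):
        return None
    if len(raw) < NONCE_LEN + 8 + TAG_LEN:
        return None
    ct, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(MAC_KEY, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison, checked before decrypting
        return None
    body = decrypt_only(ct)
    expires = int.from_bytes(body[:8], "big")
    if (time.time() if now is None else now) > expires:
        return None
    return body[8:]


def tamper_token(token, offset, old, new):
    """Apply the same bit flip to a sealed token (skipping the 8-byte expiry prefix)."""
    raw = base64.urlsafe_b64decode(token.encode("ascii"))
    ct, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    return base64.urlsafe_b64encode(flip_plaintext(ct, 8 + offset, old, new) + tag).decode("ascii")


if __name__ == "__main__":
    # Constructed sample value: the last byte of "account=1001" sits at offset 11.
    blob = encrypt_only(b"account=1001")
    print(decrypt_only(flip_plaintext(blob, 11, b"1", b"2")))  # attacker-controlled account id
    token = seal(b"account=1001")
    print(unseal(token), unseal(tamper_token(token, 11, b"1", b"2")))
```

The same construction applies to the "encrypted cookie" option raised above: the cookie value is just as exposed to editing as a query string, so it needs the MAC and the expiry as much as it needs the cipher, and neither helps if the key is ever shipped to the client.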
