storing variables for a public website

Posted on 2010-11-18
Last Modified: 2013-12-17
I am used to creating applications for members, but I am now creating a web site that is going to be available to the entire internet.  I am used to using session variables, but I'm not so sure I want to go that route with the public website.  I am thinking about passing variables from page to page using the URL; is this the best way for a public website?
Question by: DB_Fury
LVL 10

Expert Comment

ID: 34165229
Using querystring parameters can pose security risks.  If, for instance, you pass confidential information in the query string, the url can be altered or the link can be saved and accessed later without properly checking.  Measures can be taken to encode (or better yet encrypt) the query string which will prevent tampering.  If the information passed on the query string is fairly benign, the risks are lower.  However, this approach lowers the bar for even less experienced hackers to wreak havoc if they so intended.
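Added example, not part of this comment or the thread: one way to make a query string tamper-evident and to reject a saved link after a while. The parameters are signed with an HMAC-SHA256 tag (signing is what detects alteration; encryption alone hides the values but is not by itself an integrity check) and carry an expiry. The secret key, the `exp` and `sig` parameter names and the 10-minute TTL are assumptions made for the example.

```python
"""Tamper-evident, expiring query strings (added example, not from the original thread).

The server signs the sorted parameters plus an 'exp' timestamp with HMAC-SHA256 and
appends the tag as 'sig'. On the next request it recomputes the tag; an altered value,
a forged 'exp', or a link replayed after expiry is rejected.
Key, parameter names and TTL below are assumptions for illustration.
"""
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qsl, urlencode

# Server-side secret; in practice load it from configuration and never send it to the client.
SECRET_KEY = b"replace-with-32-random-bytes-from-a-secrets-store"  # placeholder (assumption)


def _canonical(params: dict) -> bytes:
    """Deterministic byte form of the parameters: sorted keys, 'sig' excluded."""
    items = sorted((k, str(v)) for k, v in params.items() if k != "sig")
    return urlencode(items).encode()


def sign_query(params: dict, key: bytes = SECRET_KEY, ttl_seconds: int = 600,
               now: Optional[float] = None) -> str:
    """Return a query string carrying an 'exp' timestamp and a 'sig' HMAC-SHA256 tag."""
    now = time.time() if now is None else now
    signed = dict(params)
    signed["exp"] = int(now) + ttl_seconds
    signed["sig"] = hmac.new(key, _canonical(signed), hashlib.sha256).hexdigest()
    return urlencode(sorted((k, str(v)) for k, v in signed.items()))


def verify_query(query: str, key: bytes = SECRET_KEY,
                 now: Optional[float] = None) -> Optional[dict]:
    """Parse a query string; return its parameters (minus 'sig') if the tag is valid
    and the link has not expired, otherwise None."""
    now = time.time() if now is None else now
    params = dict(parse_qsl(query, keep_blank_values=True))
    tag = params.get("sig")
    if tag is None or "exp" not in params:
        return None  # unsigned or missing expiry: never trust it
    expected = hmac.new(key, _canonical(params), hashlib.sha256).hexdigest()
    # Constant-time comparison so the tag cannot be guessed byte by byte via timing.
    if not hmac.compare_digest(tag, expected):
        return None  # any altered parameter (including 'exp') changes the tag
    try:
        if int(params["exp"]) < now:
            return None  # saved link replayed after it expired
    except ValueError:
        return None
    params.pop("sig")
    return params


if __name__ == "__main__":
    # Constructed sample: a link that identifies a record and a role.
    link = sign_query({"id": "42", "role": "user"})
    print("issued:  ", link)
    print("valid:   ", verify_query(link))
    print("tampered:", verify_query(link.replace("role=user", "role=admin")))
```

The sorted canonical form matters: the same parameters in a different order must produce the same tag, otherwise a legitimate link reordered by a proxy would be rejected. Rotate the key as you would any server secret; a link signed under an old key simply fails verification.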

Author Comment

ID: 34165250
So do you recommend using session variables then? Should I use InProc for the session mode?  I wonder how long I should set the timeout to if I do that?

Accepted Solution

JosephEricDavis earned 400 total points
ID: 34165276
There are multiple ways to persist data from page to page in an application and they all have their good points, their bad points, and their correct places to be used.

Session variables are one way to save data, but you're right, because of the potentially large amount of use on a public website, the use of session variables could potentially bog down your web server.  Especially if session variables are misused and you are plugging things like entire datatable objects and what not into them.

The query string is another way to store information from one page to another, however, any user that knows much of anything about the internet can modify your query string to manipulate your application in ways you might not have intended.  Some people only recommend using query string variables for stuff that you want the user to catch onto and be able to modify or on pages where you would like the user to be able to copy the url and forward it to someone else who could immediately return to the same page.

Another way to persist data from page to page is to use cookies.  Cookies are a pretty cool way to store data as they aren't directly in the user's face and most people don't know how to go in and modify cookies.  However, some people have cookies turned off in their browsers and many people delete cookies on a regular basis.  So you wouldn't really want to store anything in a cookie that the application depended upon to function normally.  You could store stuff like whether a certain expandable menu is open or closed and, when you return to the page, bring back the state of the expandable menu or something like that.

Using hidden fields and cross page posting is yet another great way of persisting data.

ViewState is also an option

But when it comes down to it, all of these methods are visible to a skilled web user and that person could in turn cause harm with the exposed information in any of these other methods.  So for all sensitive information, usernames, passwords, etc, you should use session.
LVL 10

Assisted Solution

wls3 earned 100 total points
ID: 34165355
Session variables are secure and efficient.  You will need to project potential memory issues by calculating session object space requirements with projections for user load.  These are typically fairly straightforward calculations once you learn what all to take into consideration.  After having looked at all your requirements, fitting your server accordingly will depend on those calculations.  

If your session state calculations indicate that the web server will be paging to disk regularly regardless of how much memory you throw in a machine, the InProc option does not really make sense.  Realize, however, that when you shift to other storage mechanisms the complication factor begins to rise.  SQL management/maintenance/security are incorporated, which makes for new headaches a straight InProc session object will not force you to have to contend with.  

As for the timeout, this can often accurately be determined by a good log review.  How long are users spending on your site?  What is the page depth they navigate?  Some statistical review of your traffic can help frame that determination.  If you have most users on and off your site in 10 minutes, 20 minutes will cover a large portion of your bell curve.  If, for whatever reason, traffic depths/times indicate you need longer than the default, bump it up.  Some good load testing can help you get a feel for how tweaking these parameters can ideally meet the needs of your application.

Assisted Solution

JosephEricDavis earned 400 total points
ID: 34165427
By the way, the session timeout 'timer' restarts as a user goes from one page to the next. 20 minutes is the default setting in IIS and is generally the best option.  So a user would have to sit inactive without making a request to your web server for 20 minutes before the session would time out.
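Added example, not code from any of the posters: a minimal server-side session store that illustrates the two points made above, that sensitive data kept in session never leaves the server (the client only holds an opaque random ID) and that the inactivity timer restarts on every request. The in-memory dictionary stands in for the web server's session table, the 20-minute default mirrors the IIS default mentioned in the thread, and the injectable clock exists only so the sliding expiry can be exercised deterministically.

```python
"""Server-side session store with a sliding inactivity timeout.

Added example (not from the thread). The browser receives only the session ID;
usernames, roles and the like stay in the server-side table, so editing a cookie,
hidden field or query string cannot change them. Each request refreshes the
timestamp, so the session expires only after 20 minutes without any request.
The in-memory dict and the FakeClock are stand-ins for illustration.
"""
import secrets
import time
from typing import Any, Callable, Dict, Optional

DEFAULT_TIMEOUT_MINUTES = 20  # matches the IIS/ASP.NET default discussed above


class SessionStore:
    def __init__(self, timeout_minutes: int = DEFAULT_TIMEOUT_MINUTES,
                 clock: Callable[[], float] = time.time):
        self._timeout = timeout_minutes * 60
        self._clock = clock  # injectable so tests can advance time
        self._sessions: Dict[str, Dict[str, Any]] = {}  # sid -> {"data": ..., "last_access": ...}

    def create(self, data: Optional[dict] = None) -> str:
        """Start a session and return the opaque ID that goes into the cookie."""
        # 32 random bytes (256 bits): an attacker cannot guess another user's ID,
        # which a sequential counter or a hash of the username would allow.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"data": dict(data or {}), "last_access": self._clock()}
        return sid

    def get(self, sid: str) -> Optional[dict]:
        """Return the session's data and restart its inactivity timer.
        Returns None for an unknown (e.g. forged) ID or one idle past the timeout."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        now = self._clock()
        if now - entry["last_access"] > self._timeout:
            del self._sessions[sid]  # expired: release the server-side memory
            return None
        entry["last_access"] = now  # sliding expiration: the timer restarts on each request
        return entry["data"]

    def destroy(self, sid: str) -> None:
        """Explicit logout: drop the server-side state so the ID is useless afterwards."""
        self._sessions.pop(sid, None)

    def purge_expired(self) -> int:
        """Drop every idle session; this is the reclaim step that bounds memory use."""
        now = self._clock()
        stale = [s for s, e in self._sessions.items() if now - e["last_access"] > self._timeout]
        for s in stale:
            del self._sessions[s]
        return len(stale)

    def count(self) -> int:
        return len(self._sessions)


class FakeClock:
    """Deterministic clock for demonstrations and tests (not for production use)."""
    def __init__(self, start: float = 0.0):
        self.now = start

    def advance(self, seconds: float) -> None:
        self.now += seconds

    def __call__(self) -> float:
        return self.now


if __name__ == "__main__":
    clock = FakeClock()
    store = SessionStore(clock=clock)
    sid = store.create({"user": "alice", "role": "member"})  # constructed sample data
    print("cookie value the client sees:", sid)
    for minutes in (15, 15, 21):  # 15 and 30 min keep it alive; 21 idle minutes end it
        clock.advance(minutes * 60)
        print(f"+{minutes} min:", store.get(sid))
```

Note what the client can and cannot do here: it can present a different ID, which simply misses the table, but it cannot raise its own role because that value was never sent to it. Keeping objects in session small (IDs rather than whole data tables, as the accepted answer advises) is what keeps this table affordable under public load.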
