storing variables for a public website

Posted on 2010-11-18
Medium Priority
Last Modified: 2013-12-17
I am used to creating applications for members, but I am now creating a web site that is going to be available to the entire internet. I am used to using session variables, but I'm not so sure I want to go that route with the public website. I am thinking about passing variables from page to page using the URL, is this the best way for a public website?
Question by: DB_Fury
LVL 10

Expert Comment

ID: 34165229
Using querystring parameters can pose security risks.  If, for instance, you pass confidential information in the query string, the url can be altered or the link can be saved and accessed later without properly checking.  Measures can be taken to encode (or better yet encrypt) the query string which will prevent tampering.  If the information passed on the query string is fairly benign, the risks are lower.  However, this approach lowers the bar for even less experienced hackers to wreak havoc if they so intended.

Author Comment

ID: 34165250
So do you recommend using session variables then? Should I use InProc for the session mode? I wonder how long I should set the timeout to if I do that?

Accepted Solution

JosephEricDavis earned 1600 total points
ID: 34165276
There are multiple ways to persist data from page to page in an application and they all have their good points, their bad points, and their correct places to be used.

Session variables are one way to save data, but you're right, because of the potentially large amount of use on a public website, the use of session variables could potentially bog down your web server.  Especially if session variables are misused and you are plugging things like entire datatable objects and what not into them.

The query string is another way to store information from one page to another, however, any user that knows much of anything about the internet can modify your query string to manipulate your application in ways you might not have intended.  Some people only recommend using query string variables for stuff that you want the user to catch onto and be able to modify or on pages where you would like the user to be able to copy the url and forward it to someone else who could immediately return to the same page.

Another way to persist data from page to page is to use cookies.  Cookies are a pretty cool way to store data as they aren't directly in the user's face and most people don't know how to go in and modify cookies.  However, some people have cookies turned off in their browsers and many people delete cookies on a regular basis.  So you wouldn't really want to store anything in a cookie that the application depended upon to function normally.  You could store stuff like if a certain expandable menu is open or closed and when you return to the page bring back the state of the expandable menu or something like that.

Using hidden fields and cross page posting is yet another great way of persisting data.

ViewState is also an option.

But when it comes down to it, all of these methods are visible to a skilled web user and that person could in turn cause harm with the exposed information in any of these other methods.  So for all sensitive information, usernames, passwords, etc, you should use session.
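The first comment above warns that a query string can be altered or saved and reused, and the accepted solution says that any user who knows the web can edit it. The following Python script is an added example, not code from this thread or from ASP.NET: it puts the three options side by side with the same pretend page state. A plain query string is taken at face value, a query string carrying an HMAC-SHA256 tag rejects edits, and a server-side session store (the InProc idea in miniature) gives the client nothing but an opaque id. The secret, the parameter names and the session store class are all constructed for the demo.

```python
"""Added example (not from the Experts Exchange thread): plain query string vs
signed query string vs server-side session, and what a client can change."""
import hashlib
import hmac
import secrets
from typing import Optional
from urllib.parse import parse_qsl, urlencode

# Assumption: a secret held only on the server (constructed value for this demo).
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"


def build_signed_query(params: dict) -> str:
    """Serialise params in canonical order and append an HMAC-SHA256 tag as 'sig'."""
    canonical = urlencode(sorted(params.items()))
    tag = hmac.new(SERVER_SECRET, canonical.encode(), hashlib.sha256).hexdigest()
    return f"{canonical}&sig={tag}"


def verify_signed_query(query: str) -> Optional[dict]:
    """Return the parameters if the tag matches, None if it is missing or wrong."""
    items = parse_qsl(query, keep_blank_values=True)
    supplied = next((v for k, v in items if k == "sig"), None)
    if supplied is None:
        return None
    unsigned = sorted((k, v) for k, v in items if k != "sig")
    expected = hmac.new(SERVER_SECRET, urlencode(unsigned).encode(),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(supplied, expected):
        return None
    return dict(unsigned)


class ServerSessionStore:
    """Minimal in-memory (InProc-style) session store: the client only ever holds
    an unguessable id; the values themselves never leave the server."""

    def __init__(self) -> None:
        self._sessions: dict = {}

    def create(self, values: dict) -> str:
        sid = secrets.token_urlsafe(32)      # 256 bits from the OS CSPRNG
        self._sessions[sid] = dict(values)
        return sid

    def get(self, sid: str) -> Optional[dict]:
        return self._sessions.get(sid)


def demo() -> bool:
    """Walk through the three mechanisms with the same constructed page state."""
    state = {"user": "alice", "role": "member"}

    # 1. Plain query string: the server cannot tell an edited value from a real one.
    naive = urlencode(state)
    edited = dict(parse_qsl(naive.replace("member", "admin")))
    assert edited["role"] == "admin"

    # 2. Signed query string: the same edit breaks the tag and is rejected.
    signed = build_signed_query(state)
    assert verify_signed_query(signed) == state
    assert verify_signed_query(signed.replace("member", "admin")) is None
    assert verify_signed_query(naive) is None          # no tag at all

    # 3. Server-side session: the URL or cookie only carries the id.
    store = ServerSessionStore()
    sid = store.create(state)
    assert store.get(sid) == state
    assert store.get("not-a-real-id") is None
    return True


if __name__ == "__main__":
    print("all checks passed:", demo())
```

The signed form is the right fit for the "copy the URL and forward it" case the accepted solution describes: the link keeps working and the server can still trust its parameters. It does not hide anything, though. The values stay readable in browser history, proxy logs and Referer headers, and a saved link stays valid until the secret is rotated or an expiry field is included among the signed parameters, which is why the answer sends usernames and passwords to the session rather than to the URL.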
LVL 10

Assisted Solution

wls3 earned 400 total points
ID: 34165355
Session variables are secure and efficient.  You will need to project potential memory issues by calculating session object space requirements with projections for user load.  These are typically fairly straightforward calculations once you learn what all to take into consideration.  After having looked at all your requirements, fitting your server accordingly will depend on those calculations.

If your session state calculations indicate that the web server will be paging to disk regularly regardless of how much memory you throw in a machine, the InProc option does not really make sense.  Realize, however, that when you shift to other storage mechanisms the complication factor begins to rise.  SQL management/maintenance/security are incorporated, which makes for new headaches a straight InProc session object will not force you to have to contend with.

As for the timeout, this can often accurately be determined by a good log review.  How long are users spending on your site?  What is the page depth they navigate?  Some statistical review of your traffic can help frame that determination.  If you have most users on and off your site in 10 minutes, 20 minutes will cover a large portion of your bell curve.  If, for whatever reason, traffic depths/times indicate you need longer than the default, bump it up.  Some good load testing can help you get a feel for how tweaking these parameters can ideally meet the needs of your application.

Assisted Solution

JosephEricDavis earned 1600 total points
ID: 34165427
By the way, Session timeout 'timer' restarts as a user goes from one page to the next. 20 minutes is the default setting in IIS and is generally the best option.  So a user would have to sit inactive without making a request to your web server for 20 minutes before the session would time out.
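wls3 suggests reading the timeout off your own logs, and the comment just above adds the detail that matters for that reading: the timer restarts on every request, so what counts is the idle gap between a visitor's consecutive requests, not the total length of the visit. The script below is an added example, not from this thread or from IIS: it takes a handful of constructed log lines in a simplified "date time client path" layout (not the real IIS W3C format), computes each client's idle gaps, and reports how many of those gaps a given timeout would survive, how many sessions the server would end up creating, and the smallest whole-minute timeout that covers a chosen share of the gaps. The log lines, the client addresses and the coverage targets are all constructed.

```python
"""Added example (not from the thread): pick a session timeout from idle gaps in
constructed web server log lines. Format is simplified, not real IIS W3C."""
from collections import defaultdict
from datetime import datetime

# Constructed sample: three visitors, one morning. Real logs would be W3C lines.
LOG_LINES = """\
2010-11-18 09:00:00 10.0.0.1 /default.aspx
2010-11-18 09:03:00 10.0.0.1 /catalog.aspx
2010-11-18 09:07:00 10.0.0.1 /item.aspx
2010-11-18 09:30:00 10.0.0.1 /checkout.aspx
2010-11-18 09:01:00 10.0.0.2 /default.aspx
2010-11-18 09:02:30 10.0.0.2 /catalog.aspx
2010-11-18 09:15:00 10.0.0.2 /item.aspx
2010-11-18 09:05:00 10.0.0.3 /default.aspx
2010-11-18 09:40:00 10.0.0.3 /default.aspx
2010-11-18 10:00:00 10.0.0.3 /catalog.aspx
2010-11-18 10:04:00 10.0.0.3 /item.aspx
"""


def parse_requests(text):
    """Yield (client, timestamp) from 'YYYY-MM-DD HH:MM:SS client path' lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time_, client, _path = line.split(maxsplit=3)
        yield client, datetime.strptime(f"{date} {time_}", "%Y-%m-%d %H:%M:%S")


def gaps_by_client(text):
    """Minutes of inactivity between each client's consecutive requests."""
    stamps_by_client = defaultdict(list)
    for client, ts in parse_requests(text):
        stamps_by_client[client].append(ts)
    result = {}
    for client, stamps in stamps_by_client.items():
        stamps.sort()
        result[client] = [(b - a).total_seconds() / 60
                          for a, b in zip(stamps, stamps[1:])]
    return result


def idle_gaps_minutes(text):
    """All idle gaps pooled across clients, sorted ascending."""
    return sorted(g for gaps in gaps_by_client(text).values() for g in gaps)


def coverage(gaps, timeout_minutes):
    """Fraction of idle gaps that a sliding timeout of this length survives.
    A gap equal to the timeout is treated as still inside the session."""
    if not gaps:
        return 1.0
    return sum(1 for g in gaps if g <= timeout_minutes) / len(gaps)


def sessions_started(text, timeout_minutes):
    """Sessions the server would create: one per client, plus one more for every
    idle gap longer than the timeout (the timer restarts on each request)."""
    return sum(1 + sum(1 for g in gaps if g > timeout_minutes)
               for gaps in gaps_by_client(text).values())


def recommend_timeout(gaps, target=0.9):
    """Smallest whole-minute timeout whose coverage reaches the target share."""
    timeout = 1
    while coverage(gaps, timeout) < target:
        timeout += 1
    return timeout


if __name__ == "__main__":
    gaps = idle_gaps_minutes(LOG_LINES)
    print("idle gaps (min):", gaps)
    for t in (10, 20, 30):
        print(f"timeout {t:>2} min: coverage {coverage(gaps, t):.0%}, "
              f"sessions created {sessions_started(LOG_LINES, t)}")
    print("timeout for 90% of gaps:", recommend_timeout(gaps, 0.9), "min")
```

On this constructed sample the 20-minute default keeps three quarters of the gaps inside one session; pushing the target to 90% would mean a 35-minute timeout, and every extra minute also lengthens the window in which an abandoned session stays usable from a shared machine. Because the same gap data drives the session count, it also feeds wls3's memory projection: sessions created times per-session object size is the number to compare against the server's RAM before deciding whether InProc is viable.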
