storing variables for a public website

Posted on 2010-11-18
Last Modified: 2013-12-17
I am used to creating applications for members, but I am now creating a web site that is going to be available to the entire internet.  I am used to using session variables, but I'm not so sure I want to go that route with the public website.  I am thinking about passing variables from page to page using the URL. Is this the best way for a public website?
Question by:DB_Fury
Expert Comment

ID: 34165229
Using querystring parameters can pose security risks.  If, for instance, you pass confidential information in the query string, the url can be altered or the link can be saved and accessed later without properly checking.  Measures can be taken to encode (or better yet encrypt) the query string which will prevent tampering.  If the information passed on the query string is fairly benign, the risks are lower.  However, this approach lowers the bar for even less experienced hackers to wreak havoc if they so intended.
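A caveat a practitioner would add to the comment above: encoding a query string (URL-encoding, base64) does not by itself prevent tampering, because the client can decode the value, edit it and re-encode it. What the server needs is a keyed MAC (or encryption with integrity protection) so it can reject any value it did not issue. The following is an added example, not code from the thread; it is written in Python to keep the idea language-neutral and assumes a server-side secret key (SERVER_KEY here) that is never sent to the client. ASP.NET applies the same idea to ViewState with its ViewState MAC.

```python
"""Signing a query-string parameter with an HMAC so tampering is detected.

Added example, not from the original thread. Encoding (URL-encoding, base64)
only changes the representation; anyone can decode, edit and re-encode it.
A keyed MAC lets the server reject any value it did not issue.
Assumption: SERVER_KEY is a secret held only on the server.
"""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode

# Assumption: in production this comes from configuration, not source code.
SERVER_KEY = secrets.token_bytes(32)


def base64_only(account_id: int) -> str:
    """What "encoding" the parameter buys you: a different spelling of the same number."""
    return base64.urlsafe_b64encode(str(account_id).encode()).decode()


def tamper_base64(encoded: str, new_id: int) -> str:
    """A client can decode an encoded value (no secret needed) and re-encode any other one."""
    base64.urlsafe_b64decode(encoded)  # decodes fine without any key
    return base64_only(new_id)


def sign(value: str, key: bytes = SERVER_KEY) -> str:
    """HMAC-SHA256 over the parameter value, base64url without padding."""
    mac = hmac.new(key, value.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()


def build_query(account_id: int, key: bytes = SERVER_KEY) -> str:
    """Server side: emit the value together with its signature."""
    value = str(account_id)
    return urlencode({"acct": value, "sig": sign(value, key)})


def verify_query(query: str, key: bytes = SERVER_KEY):
    """Return the trusted account id, or None if the parameter is missing or altered."""
    params = parse_qs(query, keep_blank_values=True)
    try:
        value = params["acct"][0]
        sig = params["sig"][0]
    except (KeyError, IndexError):
        return None
    # compare_digest avoids leaking how many characters matched through timing.
    if not hmac.compare_digest(sig, sign(value, key)):
        return None
    return int(value)


def demo():
    """Genuine link verifies; the same link with the account number edited does not."""
    q = build_query(42)
    ok = verify_query(q)
    forged = q.replace("acct=42", "acct=43")  # attacker edits the value, keeps the old sig
    return ok, verify_query(forged)
```

The same signing applies to hidden fields and cookies. Note that a signature stops modification, not replay: a saved link with a valid signature keeps working until the server invalidates it, so anything truly confidential belongs in server-side state rather than in the URL.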

Author Comment

ID: 34165250
So do you recommend using session variables then? Should I use InProc for the session mode?  I wonder how long I should set the timeout to if I do that?

Accepted Solution

JosephEricDavis earned 400 total points
ID: 34165276
There are multiple ways to persist data from page to page in an application and they all have their good points, their bad points, and their correct places to be used.

Session variables are one way to save data, but you're right, because of the potentially large amount of use on a public website, the use of session variables could potentially bog down your web server.  Especially if session variables are misused and you are plugging things like entire datatable objects and what not into them.

The query string is another way to store information from one page to another, however, any user that knows much of anything about the internet can modify your query string to manipulate your application in ways you might not have intended.  Some people only recommend using query string variables for stuff that you want the user to catch onto and be able to modify or on pages where you would like the user to be able to copy the url and forward it to someone else who could immediately return to the same page.

Another way to persist data from page to page is to use cookies.  Cookies are a pretty cool way to store data as they aren't directly in the user's face and most people don't know how to go in and modify cookies.  However, some people have cookies turned off in their browsers and many people delete cookies on a regular basis.  So you wouldn't really want to store anything in a cookie that the application depended upon to function normally.  You could store stuff like whether a certain expandable menu is open or closed and, when you return to the page, bring back the state of the expandable menu, or something like that.

Using hidden fields and cross page posting is yet another great way of persisting data.

ViewState is also an option.

But when it comes down to it, all of these methods are visible to a skilled web user and that person could in turn cause harm with the exposed information in any of these other methods.  So for all sensitive information, usernames, passwords, etc., you should use session.

Assisted Solution

wls3 earned 100 total points
ID: 34165355
Session variables are secure and efficient.  You will need to project potential memory issues by calculating session object space requirements with projections for user load.  These are typically fairly straightforward calculations once you learn what all to take into consideration.  After having looked at all your requirements, fitting your server accordingly will depend on those calculations.  

If your session state calculations indicate that the web server will be paging to disk regularly regardless of how much memory you throw in a machine, the InProc option does not really make sense.  Realize, however, that when you shift to other storage mechanisms the complication factor begins to rise.  SQL management/maintenance/security are incorporated, which make for new headaches a straight InProc session object will not force you to have to contend with.  

As for the timeout, this can often accurately be determined by a good log review.  How long are users spending on your site?  What is the page depth they navigate?  Some statistical review of your traffic can help frame that determination.  If you have most users on and off your site in 10 minutes, 20 minutes will cover a large portion of your bell curve.  If, for whatever reason, traffic depths/times indicate you need longer than the default, bump it up.  Some good load testing can help you get a feel for how tweaking these parameters can ideally meet the needs of your application.

Assisted Solution

JosephEricDavis earned 400 total points
ID: 34165427
By the way, Session timeout 'timer' restarts as a user goes from one page to the next. 20 minutes is the default setting in IIS and is generally the best option.  So a user would have to sit inactive without making a request to your web server for 20 minutes before the session would time out.
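To make concrete what the answers above rely on (the client holds only an opaque random session id, the data itself stays on the server, and the idle timer restarts on every request), here is an added example that is not from the thread. It is Python rather than ASP.NET, the clock is injected so the 20-minute timeout can be exercised without waiting, and SessionStore and FakeClock are names chosen for the example.

```python
"""A minimal server-side session store with a sliding idle timeout.

Added example, not from the original thread. The client receives only a
random id; user data never leaves the server, so nothing in the URL, a
cookie or a hidden field can be edited to change it. The timeout is
sliding: each successful lookup restarts the idle timer, as the answer
above describes for IIS.
"""
import secrets
import time

DEFAULT_TIMEOUT_SECONDS = 20 * 60  # the 20-minute IIS default mentioned above


class SessionStore:
    def __init__(self, timeout=DEFAULT_TIMEOUT_SECONDS, clock=time.monotonic):
        self._timeout = timeout
        self._clock = clock          # injectable so tests need not wait
        self._sessions = {}          # session id -> [last_access, data dict]

    def create(self, **data) -> str:
        # 128 random bits: unguessable, and it encodes nothing about the user.
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = [self._clock(), dict(data)]
        return sid

    def get(self, sid):
        """Return the session's data, or None if the id is unknown or idle too long."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        now = self._clock()
        if now - entry[0] > self._timeout:
            del self._sessions[sid]  # expired: free the memory, do not resurrect it
            return None
        entry[0] = now               # sliding expiry: this request restarts the timer
        return entry[1]

    def destroy(self, sid) -> None:
        """Explicit logout: drop the session regardless of the timer."""
        self._sessions.pop(sid, None)

    def sweep(self) -> int:
        """Drop every idle session (what a background janitor would do); returns the count."""
        now = self._clock()
        dead = [s for s, (t, _) in self._sessions.items() if now - t > self._timeout]
        for s in dead:
            del self._sessions[s]
        return len(dead)

    def __len__(self) -> int:
        return len(self._sessions)


class FakeClock:
    """Constructed clock for the demo; real code uses time.monotonic."""
    def __init__(self):
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo():
    """Two 19-minute gaps keep the session alive; one 21-minute gap expires it."""
    clock = FakeClock()
    store = SessionStore(timeout=20 * 60, clock=clock)
    sid = store.create(user="alice", role="member")  # constructed sample data
    clock.advance(19 * 60)
    alive = store.get(sid) is not None   # 19 min idle: still valid, timer restarted
    clock.advance(19 * 60)
    still = store.get(sid) is not None   # another 19 min: still valid
    clock.advance(21 * 60)
    gone = store.get(sid) is None        # 21 min idle: expired
    return alive, still, gone
```

The memory point raised above follows directly from this structure: what each session costs is whatever is put in its data dict, multiplied by the number of ids that have not yet timed out, so the timeout and what is stored per session are the two knobs that bound server memory.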
