ASP.NET MVC Session State - asp.net-mvc

Is there any way to tell if a visitor to a site is new, or just the same one over and over again, for the purpose of a hit counter?
Sessions don't really seem to exist in MVC, so I know I can't really use them...

"Is there any way to tell if a visitor to a site is new, or just the same one over and over again, for the purpose of a hit counter?"
There's not a 100% reliable way due to the stateless nature of the web, but for the purposes of a counter, setting a cookie and checking whether it's there or not is adequate for most cases.
"Sessions don't really seem to exist in MVC, so I know I can't really use them..."
This is not true. You can use Session in ASP.NET MVC too. Although, in general, you should avoid server-side state as much as possible when you don't need it to ease scalability.

You can use sessions in ASP.NET MVC, but as Mehrdad points out, storing this kind of information on the server is not the way to go about it--use JavaScript cookies instead. And let your clients do the "heavy lifting".
Quirksmode has a great article on using JavaScript cookies.

Related

Is MVC AntiForgeryToken useless on public forms?

I was told that there is no need to put the ValidateAntiForgery mechanism on our razor form because it's not behind authentication and is totally open to the public.
I thought I read somewhere that it should be used on all POSTs.
Which is correct?
There are a number of articles which can tell you when and where it is most appropriate to use the AntiForgeryToken. Here's a few:
http://www.devcurry.com/2013/01/what-is-antiforgerytoken-and-why-do-i.html
http://blog.stevensanderson.com/2008/09/01/prevent-cross-site-request-forgery-csrf-using-aspnet-mvcs-antiforgerytoken-helper/
http://peterkellner.net/2014/05/19/asp-net-mvc-forms-need-include-html-antiforgerytoken-security/
The last one is explicit: the author recommends that you should use the feature for all forms. It will be generally beneficial to your entire website, provided that you care about the identity of your users.
If your users have no session, and there is nothing to be gained from hijacking their ASP.NET cookie, then the anti-forgery token is not particularly useful.
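An added example (not from the question or answers above) of the "use it on all POSTs" approach: a global ASP.NET MVC filter that validates the anti-forgery token on every POST, so public forms are covered without per-action attributes. The filter name and the Contact/Send form in the closing comment are assumptions.

```csharp
using System;
using System.Web.Helpers;   // AntiForgery (ASP.NET Web Pages 2+, ships with MVC 4 and later)
using System.Web.Mvc;

// Added example: rejects any POST that lacks a valid anti-forgery cookie/field pair.
public sealed class ValidateAntiForgeryOnPostAttribute : FilterAttribute, IAuthorizationFilter
{
    public void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null) throw new ArgumentNullException("filterContext");

        var request = filterContext.HttpContext.Request;
        if (!string.Equals(request.HttpMethod, "POST", StringComparison.OrdinalIgnoreCase))
            return; // GET/HEAD must not change state, so they carry no token

        try
        {
            // Compares the __RequestVerificationToken cookie with the form field.
            AntiForgery.Validate();
        }
        catch (HttpAntiForgeryException)
        {
            // Fail closed with a plain 400 instead of the default error page.
            filterContext.Result = new HttpStatusCodeResult(400, "Invalid anti-forgery token");
        }
    }
}

public static class FilterConfig
{
    // Call from Application_Start: FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters);
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new ValidateAntiForgeryOnPostAttribute());
    }
}

// Razor view for the public form (hypothetical Contact/Send action):
// @using (Html.BeginForm("Send", "Contact", FormMethod.Post))
// {
//     @Html.AntiForgeryToken()
//     <input type="text" name="message" />
//     <input type="submit" value="Send" />
// }
```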

ASP MVC vs. WebForms: using SessionState for user logon

I've a question regarding handling of user logon while porting an application to MVC:
In the "old" WebForm days, developers simply used the SessionState object to set a user to logged-on, by, for example, simply putting the userobject into the SessionState (and this userobject holds simple properties like name/lastlogon/etc.).
This stuff worked very well for us, and I've seen lots of applications doing it that way.
Yes, I know there is this MembershipProvider-thingy, but I've never used it.
Now, in MVC, everybody tells me that "using SessionState for this is bad" and "apps built that way are flawed in design" and that "there are tons of security risks" and so on.
I've used this method because it worked for the app very reliably, it was simple to implement and it covered all the stuff we need.
(Sure, there is the thing with recycling the web worker process and emptying the session - but that's not a problem in our case, since the app runs for each country on a dedicated machine.)
I've read tutorials telling me to put that stuff in the DB and (attention) doing a request to the DB to check if the user is logged in, per EACH request? But: under no circumstances is this a doable way, since I want to keep DB requests to a minimum.
So my question is:
A) What's wrong with using this way also in the new MVC app?
B) What's the best way to handle this scenario in a newly built MVC app?
Regarding the session-in-DB idea: instead of doing this, I'd rather set up an additional service, like a "session-manager" that gets queried over the network, but such simple requests should not go to the DB - isn't that a good idea?
Any idea, hint, etc. is highly appreciated since this scenario is really confusing me :-X
A)
A fundamental principle of the ASP.NET MVC framework is that it's stateless. Data is passed around using HTTP requests and sent to the views in viewmodels. Web Forms tried to maintain state with ViewState etc.; that's why you would have seen the logged-in-user-in-session approach. That's not to say session shouldn't be used at all in ASP.NET MVC; there are some circumstances when it can be useful, like maintaining a 3-step form process that has to be persisted on the last step. But generally we already have a recommended way to handle user logins, and that's forms authentication.
B)
For accessing the user object, you can create a custom identity implementing the IPrincipal interface and add the required user fields you need. Then set the custom identity in a global filter and access it in your action results. Regarding not wanting to query the database for every request, why don't you just call it for the initial request, then cache the result until the user is updated, at which point you can reload the object and set it in the custom identity again?
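One way to implement what this answer describes, as an added example that is not the answerer's code: an MVC 5 authentication filter that wraps the forms-authentication identity in a custom IPrincipal and caches the user record so the database is hit only on a cache miss. The AppUser fields, the loadUser delegate and the 10-minute lifetime are assumptions.

```csharp
using System;
using System.Runtime.Caching;
using System.Security.Principal;
using System.Web.Mvc;
using System.Web.Mvc.Filters;

// Hypothetical user record; replace the fields with your own.
public sealed class AppUser { public string Name; public DateTime LastLogon; public string[] Roles; }

public sealed class AppPrincipal : IPrincipal
{
    public AppPrincipal(IIdentity identity, AppUser user) { Identity = identity; User = user; }
    public IIdentity Identity { get; private set; }
    public AppUser User { get; private set; }
    public bool IsInRole(string role) { return Array.IndexOf(User.Roles, role) >= 0; }
}

public sealed class LoadAppUserFilter : IAuthenticationFilter
{
    private static readonly MemoryCache Cache = MemoryCache.Default;
    private readonly Func<string, AppUser> _loadUser; // hypothetical database lookup by user name

    public LoadAppUserFilter(Func<string, AppUser> loadUser) { _loadUser = loadUser; }

    public void OnAuthentication(AuthenticationContext filterContext)
    {
        // Forms authentication has already validated the encrypted ticket cookie.
        IPrincipal current = filterContext.HttpContext.User;
        if (current == null || !current.Identity.IsAuthenticated) return;

        string key = "appuser:" + current.Identity.Name;
        var user = Cache.Get(key) as AppUser;
        if (user == null)
        {
            user = _loadUser(current.Identity.Name);
            // A valid ticket for a user that no longer exists must not be honoured.
            if (user == null) { filterContext.Result = new HttpUnauthorizedResult(); return; }
            Cache.Set(key, user, DateTimeOffset.UtcNow.AddMinutes(10)); // assumed lifetime
        }
        filterContext.Principal = new AppPrincipal(current.Identity, user);
    }

    public void OnAuthenticationChallenge(AuthenticationChallengeContext filterContext) { }

    // Call when the user record changes (role change, account disabled) so the
    // next request reloads it instead of trusting the cached copy.
    public static void Invalidate(string userName) { Cache.Remove("appuser:" + userName); }
}
```

Register it once with `GlobalFilters.Filters.Add(new LoadAppUserFilter(repo.FindByName))`, where `repo.FindByName` stands in for your own lookup; actions can then cast `User` to `AppPrincipal`.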

'Global' state and ASP.NET MVC

I am playing with learning ASP.NET MVC as a non-web developer. I am trying to find the best idiom to use for an app that has a concept of selecting a 'project' to work on the first page that affects all other pages.
There seem to be three choices:
1. Just put the information into the session state. Works fine, but isn't very MVC-ish
2. Embed the state into all URLs ... so instead of /Products/Details/1 the URLs are all /(project_id)/Products/Details/1
3. Setting a separate cookie for this information
Since nearly all the URLs in the application would require the current project this seems overkill, and makes constructing the URLs used in any of the views that much more work. It would also require that I validate the permissions on each call since the user could easily modify it.
Any suggestions on the best approach -- is using the session such a bad idea?!
Option 2 out of yours is my choice.
So instead of /Products/1/Details
I would make it Project/1/Products/1/Details
It's just more in line with REST. It's virtually irrelevant to MVC, but if you want your Routes and URLs to read like resources in REST, you'll want the URL to collapse at the slashes and carry the state. Other ways are to mark a project id in a cookie, but that kills linking, so that as someone leaves and comes back they get put back there.
Session also makes it hard to test if you bind yourself directly to that concept.
Personally, I would just use the session. There's nothing non-MVCish about the session really - think of it as just being part of your model.
Using a cookie is really no different than using the session. Embedding it in the URLs is not a bad option though, especially for "linkability" if that's a concern for your project. But it has the side effect of cluttering up URLs and requiring you to pass that ID around constantly from page to page.
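The question notes that a project id carried in the URL can be edited by the user, so permissions must be checked on each call. An added example (not from the posts above) of doing that once in an authorization filter; the IProjectAccess interface, the projectId route parameter name and the static Access property are assumptions.

```csharp
using System.Web;
using System.Web.Mvc;
using System.Web.Routing;

// Hypothetical permission lookup; the real check is application-specific.
public interface IProjectAccess { bool CanAccess(string userName, int projectId); }

public sealed class AuthorizeProjectAttribute : AuthorizeAttribute
{
    // Assumed to be assigned once at startup, for example from the IoC container.
    public static IProjectAccess Access { get; set; }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (!base.AuthorizeCore(httpContext)) return false; // not logged in

        // The id comes from the URL, so treat it as untrusted input.
        RouteData route = httpContext.Request.RequestContext.RouteData;
        object raw = route.Values["projectId"];
        int projectId;
        if (raw == null || !int.TryParse(raw.ToString(), out projectId)) return false;

        // Fail closed when no access service has been configured.
        return Access != null && Access.CanAccess(httpContext.User.Identity.Name, projectId);
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
            filterContext.Result = new HttpStatusCodeResult(403); // logged in, wrong project
        else
            base.HandleUnauthorizedRequest(filterContext);       // anonymous: go to login
    }
}

public static class ProjectRoutes
{
    // Matches URLs shaped like Project/1/Products/1/Details from the answer above.
    public static void Register(RouteCollection routes)
    {
        routes.MapRoute(
            name: "ProjectScoped",
            url: "Project/{projectId}/{controller}/{id}/{action}",
            defaults: new { action = "Details" },
            constraints: new { projectId = @"\d+", id = @"\d+" });
    }
}
```

Applying `[AuthorizeProject]` to a shared base controller or registering it as a global filter keeps the check out of individual actions; the same check is still needed if the project id is moved to session or a cookie at selection time.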

Caching in the ASP.NET MVC Framework

I am fairly new at using the ASP.NET MVC framework and was hoping that I could find some help about best practices when caching various parts of my MVC web application. I know that Stack Overflow uses MVC and some pretty freaking awesome caching techniques, and it's MILES faster than my app, even when running locally.
I have a few questions.
How does the caching actually work, and how do you "enable" it, and what are the various options. What is the best kind of caching to use?
My app has a lot of database transactions, lists that regularly change. I am worried about the timeliness of page refreshes, in users not getting the most recent version of the data. What's the best way to strike a balance between web application speed and displaying "up-to-date" data? What best practices have you guys found when having to deal with this issue?
How do I cache different parts (I assume views) with different caching settings? I assume that it could be done with sub-controllers, but I have NFI how to go about doing this.
I am using the Castle.Windsor integration to the controllers, I am not sure if this changes anything.
Any other best practices or notes of things to be wary/careful of would be greatly appreciated.
You might want to take a look at Phil Haack's post for some donut caching. He's THE reference for ASP.NET MVC :)
From a "best practices" perspective, you will need to consider the same things you must consider in any application that uses caching.
Is the traffic volume high enough to benefit from caching?
How often does a particular piece of data change? How crucial is timeliness?
Do I own the data-access layer? If so, can I trigger the refresh in the cache by the actual changing of the data and avoid a time-based expiration?
and the list goes on.
You can easily cache views using the OutputCache attribute. Any not frequently updated lists I cache as well using nHibernate caching mechanisms.

Asp.net MVC with ViewState?

Just read a blog post by Maarten Balliauw.
Wanted to ask: will
<%Html.Serialize("person", Model); %>
return a bunch of 'don't-stop-debugging-heavily-server-sided' RAD controls?
Is it a good idea to include this?
If so - what kind of usage would be appropriate?
I view it more as a way of avoiding using the session to transfer data between actions than viewstate per se, and that's what I would use it for. Seems to me an ideal way to implement some wizard type functionality in which you want to carry the data forward through a series of actions before you persist anything to the database. There is, of course, the danger of overusing it I suppose, but as long as the framework doesn't automatically impose it on you, then I don't see the same dangers of viewstate popping up. With viewstate, you had to jump through hoops (and potentially break other things in the process) to avoid it.
We shouldn't equate Base64 encoding with ViewState. I don't see the state of the view being serialized in that snippet. I see the state of the model. So describing that as ViewState For Asp.net MVC is very misleading.
Also consider this is opt-in and not automatic in any way. Its primary usage will probably be for optimistic concurrency as well as Wizard UIs where you want to store the user's previous selections in the view as opposed to the Session or Cookie.
