ASP.NET会话访问的这种技术是否对多用户安全? [英] Is this technique of ASP.NET session access multi-user-safe?

问题描述

我正在研究一种设计模式，这种模式已经出现在我公司的许多项目中.从历史上看，它可以正常运行，但是我听到其他一些开发人员认为，使用此模式可能会导致会话损坏.我正在这里的Stack Overflow上寻求其他.NET开发人员的见解.

I am looking at a design pattern which has come up in quite a few of my firm's projects. It has historically functioned correctly, however I have heard some other developers argue that there is a possibility of session corruption using this pattern. I'm looking for insight from other .NET developers here on Stack Overflow.

基本上，存在一个类-通常为 static 或Singleton模式，这在很大程度上取决于编写它的开发人员-存储在 App_Code 中.

Basically, there's a class -- usually either static or a Singleton pattern, depending largely on the developer who wrote it -- stored in App_Code.

此类通过属性封装对当前会话的访问.所有这些属性均采用以下形式:

This class encapsulates access to the current session via properties. All of these properties take the form of:

public static class SessionHelper
{
    public static string SessionValue
    {
        get
        {
            object o = HttpContext.Current.Session["sessionValueName"];
            if (o == null)
            {
                // Replace the following with code to store & retrieve
                // a default value of the appropriate datatype.
                o = string.Empty;
                HttpContext.Current.Session["sessionValueName"] = o;
            }

            return o.ToString(); // or cast, ensure cast is valid & return.
        }
        set
        {
            HttpContext.Current.Session["sessionValueName"] = value;
        }
    }

    // Other properties, strongly-typed, as above.
}

(当类是Singleton时，这些不是静态的.)

(These are not static when the class is a Singleton.)

过去，我在网站上看到过有关静态数据的问题，这在很大程度上是因为静态数据用于维护每个会话的状态.(例如，我看到过被静态声明为按用户"的代码隐藏成员.不是我的代码；我的团队是写那个烂摊子的公司的清理人员.)

I have seen issues with static data on web sites in the past, largely because static data was used to maintain per-session state. (I have, for example, seen statically-declared "per-user" members of code-behinds. Not my code; my team was the clean-up crew for the company that wrote that mess.)

但是，因为这只是 HttpContext.Current.Session 的静态条目，所以似乎应该是安全的，因为它与 Page 类，将其封装在 Session 属性中.就像我说过的那样，我公司工作过的其他任何使用此模式的站点都没有遇到任何问题-包括一些相当大且活跃的用户群.但是我只想换一个角度.

However, because this is just a static entry to HttpContext.Current.Session, it seems like it should be safe, as it is not fundamentally any different than the Page class encapsulating this in the Session property. As I said, no other site on which my company has worked that used this pattern saw it ever have any issues -- and that includes some pretty large and highly active userbases. But I want to just get a fresh perspective.

是否存在潜在的多用户问题，竞赛条件或其他故障/缺陷，这些缺陷/缺陷会特别导致上述模式中的会话损坏?

Are there potential multi-user issues, race conditions, or other failings/flaws which specifically could cause session corruption in the above pattern?

推荐答案

这很安全.您通过某些静态属性或静态类访问它的事实是完全不相关的.那是语言的抽象.会话提供程序负责将请求映射到其正确的会话...因此，除非其中有错误，否则您是可以的.

This is safe. The fact you are accessing it through some static property or static class is completely irrelevant. That is a language abstraction. The Session provider is what is responsible for mapping the requests to their correct session... so unless there is a bug in this, you are A-OK.

这篇关于ASP.NET会话访问的这种技术是否对多用户安全?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！