ASP.NET会话访问的这种技术是否对多用户安全? [英] Is this technique of ASP.NET session access multi-user-safe?
问题描述
我正在研究一种设计模式,这种模式已经出现在我公司的许多项目中.从历史上看,它可以正常运行,但是我听到其他一些开发人员认为,使用此模式可能会导致会话损坏.我正在这里的Stack Overflow上寻求其他.NET开发人员的见解.
I am looking at a design pattern which has come up in quite a few of my firm's projects. It has historically functioned correctly, however I have heard some other developers argue that there is a possibility of session corruption using this pattern. I'm looking for insight from other .NET developers here on Stack Overflow.
基本上,存在一个类-通常为 static
或Singleton模式,这在很大程度上取决于编写它的开发人员-存储在 App_Code
中.
Basically, there's a class -- usually either static
or a Singleton pattern, depending largely on the developer who wrote it -- stored in App_Code
.
此类通过属性封装对当前会话的访问.所有这些属性均采用以下形式:
This class encapsulates access to the current session via properties. All of these properties take the form of:
public static class SessionHelper
{
public static string SessionValue
{
get
{
object o = HttpContext.Current.Session["sessionValueName"];
if (o == null)
{
// Replace the following with code to store & retrieve
// a default value of the appropriate datatype.
o = string.Empty;
HttpContext.Current.Session["sessionValueName"] = o;
}
return o.ToString(); // or cast, ensure cast is valid & return.
}
set
{
HttpContext.Current.Session["sessionValueName"] = value;
}
}
// Other properties, strongly-typed, as above.
}
(当类是Singleton时,这些不是静态的.)
(These are not static when the class is a Singleton.)
过去,我在网站上看到过有关静态数据的问题,这在很大程度上是因为静态数据用于维护每个会话的状态.(例如,我看到过被静态声明为按用户"的代码隐藏成员.不是我的代码;我的团队是写那个烂摊子的公司的清理人员.)
I have seen issues with static data on web sites in the past, largely because static data was used to maintain per-session state. (I have, for example, seen statically-declared "per-user" members of code-behinds. Not my code; my team was the clean-up crew for the company that wrote that mess.)
但是,因为这只是 HttpContext.Current.Session
的静态条目,所以似乎应该是安全的,因为它与 Page
类,将其封装在 Session
属性中.就像我说过的那样,我公司工作过的其他任何使用此模式的站点都没有遇到任何问题-包括一些相当大且活跃的用户群.但是我只想换一个角度.
However, because this is just a static entry to HttpContext.Current.Session
, it seems like it should be safe, as it is not fundamentally any different than the Page
class encapsulating this in the Session
property. As I said, no other site on which my company has worked that used this pattern saw it ever have any issues -- and that includes some pretty large and highly active userbases. But I want to just get a fresh perspective.
是否存在潜在的多用户问题,竞赛条件或其他故障/缺陷,这些缺陷/缺陷会特别导致上述模式中的会话损坏?
Are there potential multi-user issues, race conditions, or other failings/flaws which specifically could cause session corruption in the above pattern?
推荐答案
这很安全.您通过某些静态属性或静态类访问它的事实是完全不相关的.那是语言的抽象.会话提供程序负责将请求映射到其正确的会话...因此,除非其中有错误,否则您是可以的.
This is safe. The fact you are accessing it through some static property or static class is completely irrelevant. That is a language abstraction. The Session provider is what is responsible for mapping the requests to their correct session... so unless there is a bug in this, you are A-OK.
这篇关于ASP.NET会话访问的这种技术是否对多用户安全?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!