I am working on a MVC 3 application that will be hosted in a web-farm with a multi-worker process setup. There are about a dozen variables that are being stored in Session but are getting lost due to the IIS setup.
By getting lost I mean that when the Logon process succeeds I see through logging that I have set the Session variables but then after the Redirect action and on the landing Controller Action the Session variables are often empty. I’m not sure if this is related but this is in a HTTPS.
We are looking at the possibility of moving our user-specific settings that are stored in Session out to some other mechanism but there is one variable that I won’t be able to do that with. Given the above deployment environment I have the following questions.
- Are cookies my only (best?) alternative to storing Session variables for user-specific settings?
- If so is there a secure mechanism for writing cookies so they cannot be manipulated and can still be read in a multi-server environment?
- As I understand it
System.Runtime.Cachingsuffers from the same problem when ran in the above IIS configuration. Is that true?
No – they are about the worst possible approach. Three reasons that come to mind:
See answer above.
True. You should be using any of the State Providers that are out of proc. You can either use Sql Server to store session data -provided your objects are serializable, obviously- or the State server mode
mode="stateserver"Read here for more details