Home/ Questions/Q 8429415
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-10T05:19:51+00:00

So, im working in a huge .NET MVC 3 system. As many users could

  • 0

So, im working in a huge .NET MVC 3 system. As many users could be logged in at same time. I was just writting a way of “hey there’s still someone logged with this key” with HttpContext. But, is this the best practice ? is it better to Query DB ?

what i wrote:

     MvcApplication.SessionsLock();

        if (!force && MvcApplication.Sessions.Values.Any(p => p.ID.Equals(acesso.id_usuario.ToString(CultureInfo.InvariantCulture)) && p.Valid))
            throw new BusinessException("There's another user logged with this key. Continue ?");

     MvcApplication.SessionsUnlock();

our I can query my DB.. maybe cookies ? any ideas would be appreciated

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Storage

    The database provides a central, durable location for this information. You might use a custom data structure, or ASP.Net SQL session might meet your requirements (more below on this).

    There is not a deterministic way of always knowing exactly when a user’s session ended. For example, you can listen to the Session End event, but it will only fire for in-process sessions and is not guaranteed to fire at all (e.g. the OS could crash).

    Regardless, if you are building a “huge system” as you state, you shouldn’t design against using in-proc session as it won’t scale upwards. Start thinking about SQL-based session state which is more scalable (and may give you enough information to determine roughly how many users are active).

    Session Pro/Con

    I want to know if session is a good practice. That piece of code
    works. But i have been reading a lot of articles deprecating usage of
    sessions on ASP.NET MVC Application.

    As far as Session being a good or bad thing–as always–it depends on how it is used. Properly designed MVC apps can present fairly complex views without needing to preserve state. Part of this is due to strong support for AJAX (no need to reload the page) and elegant model binding (which can take a complex Request.Form and turn it into a complete model).

    Conversely, there is nothing inherently wrong with putting small snippets of repeatedly-used information into session state, using it to avoid sending sensitive data to the client, using it to make a smoother user flow, etc.

    Do beware of session fixation attacks in high-security scenarios. Session may not be appropriate and/or may need to be manually secured further.

    One thing to be aware of is that ASP.Net places a lock on session. This can lead to very real performance issues when multiple requests are made at once. Normally, this isn’t an issue, but consider a page with a dozen AJAX widgets which all requested data from a controller or endpoint that used session. These will contend with each other (firsthand experience).

    MVC provides an easy way to mark a controller as needing only readonly access to Session, which eliminates the issue. However, any read/write activity to Session will still be serialized, so plan accordingly.

    Business Considerations

    From a business perspective it’s not always important to know that the session has expired so much as work has ceased (do you care that they stopped using the site, or that their session timed out?) This can be reliably addressed by checking last modified timestamps on entities and warning the users. Warn, don’t lock. In my opinion, you shouldn rarely/never lock records based on login/logout in a web application (too easy to get stuck in a locked status).

    • 0