Storing visitor-related data properly (session?)

Topics: Writing modules
Developer
Apr 7, 2012 at 1:45 PM

I'd like to store some sensitive data for the current visitor of the site (who is not authenticated), i.e. I'd like some session state. How would you do that in Orchard?

There is the session of course, but (without proper configuration) it can lead to problems in web farm and cloud hosting environments and I know Orchard itself is not using it. I wonder why? I could also use cookies but I surely don't know all the pitfalls that come up when storing some sensitive data with the help of cookies and I'm afraid in the end I would come up with pretty much what sessions are about.

What would be the best way to store such a value in an Orchard-y way? Thanks in advance.

Developer
Apr 7, 2012 at 8:42 PM
Edited Apr 7, 2012 at 8:42 PM

You could do at least one of two things:

1. Generate a GUID and create a Forms ticket with that username (or just encrypt that value and store it in a cookie). The GUID is then stored in a database table along with the sensitive data. One disadvantage of this approach is that once the visitor is gone, you're left with data that is probably no longer needed. You could write a background task to clean that up.

2. Configure SessionState to use the SQLServer mode: http://msdn.microsoft.com/en-us/library/ms178586.aspx
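A sketch of option 1, added here as an example and not part of the original post or of Orchard's code: the cookie carries only a GUID inside a Forms ticket, and the sensitive value stays on the server. The class name `VisitorStore`, the cookie name, the 30-minute lifetime and the in-memory dictionary standing in for the database table are all assumptions.

```csharp
using System;
using System.Collections.Concurrent;
using System.Web;
using System.Web.Security;

public static class VisitorStore // hypothetical helper, not an Orchard type
{
    const string CookieName = "VisitorKey"; // hypothetical cookie name
    static readonly TimeSpan Lifetime = TimeSpan.FromMinutes(30); // assumed lifetime
    // Stand-in for the database table: GUID -> (sensitive value, expiry in UTC).
    static readonly ConcurrentDictionary<Guid, Tuple<string, DateTime>> Rows =
        new ConcurrentDictionary<Guid, Tuple<string, DateTime>>();

    public static void Save(HttpContextBase ctx, string sensitiveValue)
    {
        var key = Guid.NewGuid();
        Rows[key] = Tuple.Create(sensitiveValue, DateTime.UtcNow.Add(Lifetime));
        // Only the GUID goes to the client, wrapped in a Forms ticket.
        var ticket = new FormsAuthenticationTicket(1, key.ToString("N"),
            DateTime.Now, DateTime.Now.Add(Lifetime), false, string.Empty);
        ctx.Response.Cookies.Add(new HttpCookie(CookieName, FormsAuthentication.Encrypt(ticket))
            { HttpOnly = true, Secure = ctx.Request.IsSecureConnection, Path = "/" });
    }

    public static string Load(HttpContextBase ctx)
    {
        var cookie = ctx.Request.Cookies[CookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return null;
        FormsAuthenticationTicket ticket;
        // A cookie that fails to decrypt or validate is treated as absent.
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { return null; }
        Guid key;
        Tuple<string, DateTime> row;
        if (ticket == null || ticket.Expired
            || !Guid.TryParseExact(ticket.Name, "N", out key)) return null;
        if (!Rows.TryGetValue(key, out row) || row.Item2 <= DateTime.UtcNow) return null;
        return row.Item1;
    }

    // Cleanup for abandoned rows; meant to be called from a background task.
    public static int PurgeExpired()
    {
        var removed = 0;
        var now = DateTime.UtcNow;
        Tuple<string, DateTime> ignored;
        foreach (var pair in Rows)
            if (pair.Value.Item2 <= now && Rows.TryRemove(pair.Key, out ignored)) removed++;
        return removed;
    }
}
```

In a web farm, every node needs the same `machineKey` configuration, otherwise a ticket issued by one node will not decrypt on another.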

 

Developer
Apr 8, 2012 at 3:43 PM

You could also set up a session-state server and use SessionState mode. The advantage over SQL server mode is performance. Tried that and works with Orchard without problems.

Developer
Apr 9, 2012 at 1:27 PM

Thank you guys! It looks like sessions are just fine. BTW this was needed for FB Suite Connect.