Out Proc Session

  • Question

  • User194385433 posted

    Why do we need to serialize session data when we are storing it in SQL Server (Out Proc)?

    Can anyone please explain?

    Thanks,

    Monday, December 10, 2012 1:39 PM

Answers

  • User-1440976047 posted

    AFAIK, it is standard for storing objects. It stores the state of an object in byte format which can be easily restored back to an object. Some of its applications are:

    1. If an object needs to be stored in a medium and restored later. For example, Workflow Foundation uses this approach internally to save the state of an object in a database, or, as in this case, storing session in out-of-proc/SQL Server, etc.

    2. If a custom object needs to be sent to the client via a web service or page methods, it needs to be serialized to allow AJAX requests to consume the data.

    I think it is just the format and not a security-related thing. As per the MSDN article, serialization shouldn't be applied to sensitive fields.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Monday, December 10, 2012 3:34 PM
  • User-861818263 posted

    For example, you can share an object between different applications by serializing it to the Clipboard. You can serialize an object to a stream, to a disk, to memory, over the network, and so forth. Remoting uses serialization to pass objects "by value" from one computer or application domain to another.

    Here you are serializing the object to store it in a SQL Server database.

    Reference: http://msdn.microsoft.com/en-us/library/7ay27kt9(v=vs.80).aspx

    Please also read this to get more understanding about serialization: http://msdn.microsoft.com/en-us/library/vstudio/ms233843.aspx

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Monday, December 17, 2012 2:21 AM

All replies

  • User-1440976047 posted

    1. By using inproc, if the web server\application is restarted, all existing session data will be lost.

    2. If you are deploying the application in a web garden/web farm scenario, inproc doesn't work. Since we don't know to which server web requests get routed, a common SQL or state server is chosen.

    Please refer to the http://www.codeproject.com/Articles/32545/Exploring-Session-in-ASP-Net article for detailed info.

    Monday, December 10, 2012 2:38 PM
  • User194385433 posted

    Thanks for your reply sundeep.

    I know the difference between In Proc and Out Proc.

    But my question is why we need serialization in Out Proc (SQL Server and State Server).

    Is there any security consideration or any other thing?

    Thanks,

    Monday, December 10, 2012 3:14 PM
  • User1779161005 posted

    Because with out of proc, ASP.NET needs to serialize the state for storage. The serializers they're using require the [Serializable] attribute as "permission" from the class to indicate that it's OK to save the state out. You'd not allow that on a class that contains passwords or credit card numbers, for example.

    Monday, December 10, 2012 3:29 PM
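
The opt-in behaviour described in the reply above, and the advice elsewhere in the thread to keep sensitive fields out of serialization, shown as an added example that is not part of the original thread. It assumes .NET Framework and uses `BinaryFormatter` as a stand-in for the serializer behind an out-of-process session store; `CartState`, `DbHandle` and `SessionRoundTrip` are hypothetical names and all values are constructed.

```csharp
using System;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;

// Hypothetical session object: the class opts in with [Serializable],
// while the sensitive field opts out with [NonSerialized].
[Serializable]
public class CartState
{
    public string UserName;
    public int ItemCount;
    [NonSerialized] public string CardNumber;   // never written to the state store
}

// Hypothetical class without [Serializable]: it gives no "permission",
// so it cannot be placed in an out-of-process store.
public class DbHandle
{
    public string ConnectionString = "constructed-sample";
}

public static class SessionRoundTrip
{
    // Turn the object into bytes (what must cross the process boundary)
    // and rebuild it, as a later request on another worker would.
    public static object RoundTrip(object value)
    {
        var formatter = new BinaryFormatter();
        using (var ms = new MemoryStream())
        {
            formatter.Serialize(ms, value);
            ms.Position = 0;
            return formatter.Deserialize(ms);
        }
    }

    public static void Main()
    {
        var cart = new CartState { UserName = "alice", ItemCount = 3, CardNumber = "4111-constructed" };
        var restored = (CartState)RoundTrip(cart);
        // Ordinary fields survive the round trip; the [NonSerialized] field comes back null.
        Console.WriteLine("{0} {1} card={2}", restored.UserName, restored.ItemCount, restored.CardNumber ?? "(null)");

        // A class that never opted in is refused by the serializer.
        try { RoundTrip(new DbHandle()); }
        catch (SerializationException ex) { Console.WriteLine("Rejected: " + ex.Message); }
    }
}
```

With in-process session state no such round trip happens, so a class like `DbHandle` only fails once the application is switched to State Server or SQL Server mode.
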
  • User194385433 posted

    Thanks for your reply BrockAllen.

    Sorry, I didn't understand what you are saying. Can you briefly explain?

    Thanks,

    Monday, December 10, 2012 3:33 PM