ASP.NET 2.0 Performance Guidelines - State Management
From Guidance Share
- J.D. Meier, Srinath Vasireddy, Ashish Babbar, John Allen, and Alex Mackman
Store Simple State on the Client Where Possible
Use cookies, query strings, and hidden controls for storing lightweight, user-specific state that is not sensitive, such as personalization data. Do not use them to store security-sensitive information: anything stored on the client can be read and modified by the user, so every value that comes back from the client must be treated as untrusted input and validated before it is used.
- Client cookies. Cookies are created on the server and sent to the client browser, which stores them and returns them with every subsequent request to the issuing domain; server code can inspect and modify them on each round trip. They are domain specific but offer no protection against inspection or tampering by the user. The maximum amount of data that you can put in a single cookie is 4 KB.
- Query strings. Query strings are data appended to the URL. The data is clear text, it appears in browser history and server logs, it is trivially modified by the user, and browsers and servers limit the overall URL length. Therefore, do not retrieve and display sensitive data based on query parameters without authenticating the user and validating the parameters. For anonymous Web sites, this is less of an issue.
- Hidden controls. Hidden controls (hidden form fields) store state in the page itself: it is sent to the browser with the response and posted back with the next request. The value is visible in the page source and can be edited before the postback, and unlike view state a plain hidden field carries no message authentication code, so validate it on the server as you would any other input.
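The following code-behind, added here as an example and not taken from the original page or from the Guidance Share authors, shows the three client-side stores above used for a non-sensitive theme and page-size preference in ASP.NET 2.0, with every client-supplied value normalized against an allow-list or clamped to a range before use. The page name, the cookie and query-string names, the PageSizeField control and the "Manager" role are assumptions made for the example.

```csharp
using System;
using System.Text;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

// Code-behind for a hypothetical Preferences.aspx page (names are assumptions).
public partial class Preferences : Page
{
    // Allow-list: any client-supplied theme is mapped onto one of these or the default.
    private static readonly string[] AllowedThemes = { "light", "dark", "contrast" };
    private const string DefaultTheme = "light";
    private const int DefaultPageSize = 25;
    private const int MaxCookieBytes = 4096;   // per-cookie limit that browsers enforce

    // Declared in the .aspx markup as <asp:HiddenField ID="PageSizeField" runat="server" /> (assumed).
    protected HiddenField PageSizeField;

    // Read by the markup to pick a stylesheet and a grid size.
    protected string CurrentTheme;
    protected int CurrentPageSize;
    protected bool CanManage;

    protected void Page_Load(object sender, EventArgs e)
    {
        // Query string: clear text, bookmarkable, trivially edited. Treat it as input, never as fact.
        string requestedTheme = Request.QueryString["theme"];
        if (requestedTheme != null)
        {
            SaveThemeCookie(NormalizeTheme(requestedTheme));
        }

        // Cookie: returned by the browser on every request for this domain and just as editable,
        // so it goes through the same allow-list as the query string.
        HttpCookie prefs = Request.Cookies["prefs"];
        CurrentTheme = prefs != null ? NormalizeTheme(prefs["theme"]) : DefaultTheme;

        // Hidden field: posted back with the form; the user can change it before submitting.
        int pageSize = DefaultPageSize;
        if (IsPostBack)
        {
            int posted;
            if (int.TryParse(PageSizeField.Value, out posted))
                pageSize = Math.Max(10, Math.Min(100, posted));   // clamp to a sane range
        }
        PageSizeField.Value = pageSize.ToString();
        CurrentPageSize = pageSize;

        // What NOT to do: all three stores are under the client's control, so a check such as
        //   if (Request.Cookies["role"] != null && Request.Cookies["role"].Value == "admin")
        // is defeated by editing one cookie. Derive authorization from the authenticated identity.
        CanManage = User.Identity.IsAuthenticated && User.IsInRole("Manager");
    }

    private static string NormalizeTheme(string candidate)
    {
        if (candidate == null) return DefaultTheme;
        string lowered = candidate.ToLowerInvariant();
        // Exact match against the allow-list; anything else falls back to the default.
        return Array.IndexOf(AllowedThemes, lowered) >= 0 ? lowered : DefaultTheme;
    }

    private void SaveThemeCookie(string theme)
    {
        HttpCookie cookie = new HttpCookie("prefs");
        cookie["theme"] = theme;                 // sub-key, so one cookie can hold several preferences
        cookie.HttpOnly = true;                  // hides it from script; not a secrecy control
        cookie.Secure = Request.IsSecureConnection;
        cookie.Expires = DateTime.UtcNow.AddDays(30);

        // Stay under the 4 KB per-cookie limit, or the browser silently drops the cookie.
        int size = Encoding.UTF8.GetByteCount(cookie.Name + "=" + cookie.Value);
        if (size > MaxCookieBytes)
            throw new InvalidOperationException("Preference cookie exceeds " + MaxCookieBytes + " bytes");

        Response.Cookies.Add(cookie);
    }
}
```

The point of the example is that the same normalization runs on whichever store the value arrived from: a value in a cookie is no more trustworthy than one in the query string, and the only thing the server may rely on for authorization is the identity the authentication mechanism established.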
References
- See Improving ASP.NET Performance at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag/html/scalenetchapt06.asp
- For more information about the security implications of using these various state management techniques, see Chapter 10, "Building Secure ASP.NET Pages and Controls" in Improving Web Application Security: Threats and Countermeasures on MSDN at http://msdn.microsoft.com/library/en-us/dnnetsec/html/thcmch10.asp.
Consider Serialization Costs
If you need to serialize state, for example to store it in an out-of-process or remote state store such as the ASP.NET state service or SQL Server session state, account for the serialization cost, which is paid on every read and write. Store only what is absolutely necessary, and prefer simple types such as strings and numbers to complex object graphs, which cost more to serialize, deserialize, and transfer.
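The console program below, added here as an example rather than code from the original page, measures the serialized size of a constructed UserProfile object against the two simple values a page typically needs from it. It uses BinaryFormatter as a stand-in for the cost an out-of-process store pays; ASP.NET's own providers serialize primitives such as int and string through a compact fast path and fall back to BinaryFormatter for other types, so the simple-type figures here are, if anything, pessimistic. The UserProfile class and its contents are assumptions made for the example.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Runtime.Serialization.Formatters.Binary;

// Constructed for this example: the kind of object that tends to end up in Session.
[Serializable]
class UserProfile
{
    public int UserId;
    public string DisplayName;
    public string Theme;
    public List<string> RecentSearches = new List<string>();          // grows without bound
    public Dictionary<string, string> Attributes = new Dictionary<string, string>();
}

class SerializationCost
{
    // Bytes an out-of-process state store would have to write on every request that
    // touches the item and read back on every request that uses it.
    static long SerializedSize(object graph)
    {
        BinaryFormatter formatter = new BinaryFormatter();
        using (MemoryStream ms = new MemoryStream())
        {
            formatter.Serialize(ms, graph);
            return ms.Length;
        }
    }

    static void Main()
    {
        UserProfile profile = new UserProfile();
        profile.UserId = 42;
        profile.DisplayName = "alice";
        profile.Theme = "dark";
        for (int i = 0; i < 200; i++)
        {
            profile.RecentSearches.Add("search term number " + i);
            profile.Attributes["attr" + i] = "value " + i;
        }

        // What most pages actually need per request: an identifier and one preference.
        long fullCost = SerializedSize(profile);
        long idCost = SerializedSize(profile.UserId);
        long themeCost = SerializedSize(profile.Theme);

        Console.WriteLine("Full profile object: {0} bytes", fullCost);
        Console.WriteLine("UserId only:         {0} bytes", idCost);
        Console.WriteLine("Theme only:          {0} bytes", themeCost);
        Console.WriteLine("Ratio:               {0:F0}x", (double)fullCost / (idCost + themeCost));

        // In a page, the cheap option is
        //   Session["UserId"] = profile.UserId;  Session["Theme"] = profile.Theme;
        // rather than Session["Profile"] = profile; the rest is rebuilt from the database on demand.
    }
}
```

Run it once with a small profile and once after the lists have grown, and the ratio makes the guideline concrete: the identifier costs the same on every request, while a cached object graph grows with the session and is re-serialized in full each time it is touched.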
References
- See Improving ASP.NET Performance at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag/html/scalenetchapt06.asp