What data should never be included in a session?

Question

What data should never be stored in a session?

+3

eomeroff Feb 02 '10 at 0:58

9 answers

, . , -. , , . HTTP , - , , .

+4

Jacob 02 . '10 3:00

+2

Rubens Farias 02 . '10 1:03

PHP.

$_SESSION, , cookie.

.

, .

+2

alex 02 . '10 1:03

. , , . , . , , .. ( InProc), . , .

, , , , , , ViewState . - , , , . , ViewState, QueryString .. .

+1

Chris Conway 02 . '10 2:01

session session !

+1

fastcodejava 02 . '10 3:05

- , SessionMode="InProc" web.config. - .

, - , SessionMode. , ( , ), .

0

herzmeister 02 . '10 1:26

See the Tess Ferrandes blog for other examples of things you should never put in a session, as well as the reasons why.

0

Zhaph - Ben Duguid Feb 02 '10 at 1:59

Promotions, pirated CDs, feature films (other than Clerks, this movie was awesome), analogue information, ...

This question seems a little vague - I can come up with countless kinds of information that should not be stored in the session!

0

Ken Feb 02 '10 at 2:55

Bobmcgee · Accepted Answer · 2010-02-02T01:13:15+0000

I am very sorry that it was clear what session you mean. Depending on the answer, I can come up with a couple:

Passwords of any type
Large amounts of data, especially 4 GB + on a 32-bit OS (guaranteed memory if it should be loaded into RAM)
Executable code
Raw SQL
Abusive words
Things that may provoke indignation of government agencies ("Free Tibet" in China, threats to the president in the USA)
PIN of your bank account or credit card number
Mad Badger. Actually, ANY kind of badger.