Reputation: 38437
Given that session state is not recommended in ASP.NET MVC, I'm trying to understand under what circumstances session is used. I know that using TempData creates a session, but what other circumstances are there, and does it matter how I configure the session state timeout for better security?
<sessionState cookieName="s" timeout="20" />
Upvotes: 2
Views: 1358
Reputation: 17
As you mentioned, it is true that session is not recommended in MVC, because in MVC Identity is used, and with Identity there is no need for session; the data is stored in the profile.
Session is used in such a condition when you want to maintain the value for multiple pages or multiple controllers. For example, after login you maintain the username and keep it as long as you remain in the application, while TempData is used to save or maintain a value for the current action, and the value is discarded after the next action.
Session state has no concern with security, so there is no need to change the session timeout value for the sake of security.
Upvotes: -2
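The lifetime difference the answer above describes, as an added example that is not part of the question or either answer. The controller and action names are hypothetical, and the cookie name "s" is taken from the question's sessionState element; credential checking is assumed to happen before the Login action stores anything.

```csharp
using System;
using System.Web;
using System.Web.Mvc;

// Added example: Session versus TempData lifetimes in an ASP.NET MVC 5 controller.
// AccountController / HomeController are hypothetical names.
public class AccountController : Controller
{
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Login(string userName)
    {
        // Credentials are assumed to have been verified above (omitted).

        // Session: survives across requests until the sessionState timeout
        // elapses or Session.Abandon() is called, so it fits data that must
        // outlive a single request, such as the logged-in user name.
        Session["UserName"] = userName;

        // TempData: kept only until the next request that reads it, which
        // suits a one-off message shown after a redirect. Touching TempData
        // is what makes MVC create a session (SessionStateTempDataProvider),
        // even in an application that never uses Session directly.
        TempData["Message"] = "Welcome back";
        return RedirectToAction("Index", "Home");
    }

    public ActionResult Logout()
    {
        // Dropping the server-side state limits how long a leaked session
        // cookie stays useful. Abandon() alone leaves the cookie on the
        // client, so expire it too (name "s" comes from the question's config).
        Session.Abandon();
        Response.Cookies.Add(new HttpCookie("s", string.Empty)
        {
            Expires = DateTime.UtcNow.AddDays(-1),
            HttpOnly = true
        });
        return RedirectToAction("Index", "Home");
    }
}

public class HomeController : Controller
{
    public ActionResult Index()
    {
        // Read here, then gone on the following request.
        ViewBag.Message = TempData["Message"];
        // Still present on later requests until timeout or Abandon().
        ViewBag.UserName = Session["UserName"] as string;
        return View();
    }
}
```

Index reads TempData["Message"] once; a refresh of the page after that shows no message, while Session["UserName"] is still available to every controller until the idle timeout expires.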
Reputation: 150108
The accepted answer you reference states in part
This tended to lead to an overuse of session, populating "current" variables in session intended to indicate what the current object being interacted with was. This overuse in turn made applications very state-dependent and much harder to determine expected behaviour ("Is this variable populated?" "Do I have the current order ID yet?").
MVC is structured around the idea that your website is a view into a logical model of information. It encourages having stateless operations through the use of simple controllers responding to actions with key information passed as part of the HTTP request.
Session is not a bad thing when your website needs to tie certain content to a specific user, whether for security or personalization purposes. It is fine, expected and normal to use a session for that purpose.
What you should avoid doing is stuffing the session with any and all information that you might need anywhere in your web application. Take time to learn and understand the MVC architecture, and favor loading data that you need to render a given page when that page is actually being rendered. Only cache things that are relatively expensive to load, or are needed on many/all pages.
does it matter how I configure the session state timeout for better security?
The primary concern with session timeout periods is a session hijacking attack, which allows a man in the middle to intercept session information and control the session from a different device under control of the hacker. For most applications, I don't see anything wrong with the default session timeout.
Another concern is people that walk away from their device, leaving it unattended. People that do that have much greater security worries than just your website.
Upvotes: 5
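The hijacking concern raised in this answer is mostly about how long a stolen cookie remains valid and whether it can be stolen at all, so the timeout is only one of the settings involved. The following web.config fragment is an added example, not the asker's configuration or either answer's; it keeps the question's cookieName and timeout values and adds the cookie-hardening settings around them (the sameSite attribute on httpCookies needs .NET Framework 4.7.2 or later).

```xml
<!-- Added example: session timeout together with session-cookie hardening.
     cookieName="s" and timeout="20" are the values from the question. -->
<system.web>
  <!-- Sliding idle timeout in minutes. A shorter window shrinks the time a
       leaked cookie stays usable; cookieless="UseCookies" keeps the session
       ID out of URLs, where it could leak via logs or the Referer header. -->
  <sessionState mode="InProc"
                cookieName="s"
                timeout="20"
                cookieless="UseCookies" />

  <!-- Applies to every cookie ASP.NET issues, including the session cookie:
       httpOnlyCookies keeps script from reading it, requireSSL sends it only
       over HTTPS (the site must actually be served over HTTPS), and sameSite
       limits cross-site requests from carrying it (4.7.2+). -->
  <httpCookies httpOnlyCookies="true"
               requireSSL="true"
               sameSite="Lax" />
</system.web>
```

With requireSSL set, a request over plain HTTP never receives the session cookie, so a session cannot be established on an unencrypted connection in the first place; confirm the site redirects HTTP to HTTPS before enabling it, or logins will appear to silently fail.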