I recall reading a couple of places that folks are discouraging the use of HTTPContext.Current.Session state in ASP .Net web applications.

Can someone explain some of the reasoning behind this recent trend? ARe there solid technical reasons for this?

Thanks, JohnB

First, MVC is not webforms, it is meant to be stateless.

http://www.wintellect.com/blogs/jprosise/thoughts-on-asp-net-s-new-mvc-framework

Second, MVC is restful in nature http://dotnetslackers.com/articles/aspnet/AnArchitecturalViewOfTheASPNETMVCFramework.aspx and according to stack overflow (lol) sessions are not restful.

Do sessions really violate RESTfulness?

Third, session is old school. You can upgrade your application with some work on your part, improve data safety and responsiveness as well. "Each HTTP request into the application means that your application must make 2 extra network requests to the out-of-proc store — one to load session before the request is processed and another to store the session back after the request is done processing" http://brockallen.com/2012/04/07/think-twice-about-using-session-state/

The reason is "Session swapping". Basically, it is possible for users to end up with other user's sessions. The result of this can be unnoticed or it can result in users viewing confidential information.

I do not have an exact technical reference for this from MSDN, but have seen it happen "in the wild" before. A quick google search produces a lot of results. Here is one example: http://forums.asp.net/t/1519279.aspx

However, it all depends on how you implement your sessions. In the end, sessions are just a version of caching, so best practice would dictate that this cache does not take place in system memory (the default version of this being "InProc"). In order to follow best practice, it would be advised to setup a server specifically for maintaining sessions which was backed by a database.

In the end, it is not the facility of a session, but it is the "InProc" setting, which is advised against.