Keep sessionId even when not using session to store data?

Hi,

I am building a ASP.NET MVC 2 website and need to bound the current user/session to some data. The following is possible solutions but what is best practice?

1. Create a GUID and set it as hidden field on view, the data will then be saved in a singelton objec开发者_JAVA技巧t (like a cache). the security will however not be the best(the user could change the value of the hidden field).
2. Use Session.SessionId. to maintain the same SessionId between calls I need to store somthing in the session which feels wrong? Im not sure if there is any security problems here?

BestRegards

My Solution : I ended up to create a GUID for the current client and then set this as a hidden field on the form. I did however had some problems to get the hidden field to be rendered correcly, see : ASP.NET MVC 2 HiddenField is empty?

Maintaining state across web requests is always a challenge as the web is inherently stateless.

Whether you use a hidden Guid (or other system-unique identifier) or a session ID in a cookie, both are open to abuse. That said, most systems that implement a 'session state' do so through the use of cookies.

The purpose of the session state 'bag' is to store information between web requests, exactly the objective you mention, so while it may feel 'wrong' it is a very commonly accepted approach. Remember, only the session ID is stored with the client browser, not the actual session data; that's held at the server.