We have discovered that the product pages of our website always have read/write access to session state, which causes problems if a user (or web spider or malicious software) makes multiple simultaneous calls to the web site. If each call takes a few seconds to execute then we will end up having many calls waiting to acquire session state, and eventually it will cause the SQL state server to return timeout errors.
We have decorated our ProductPageController (which inherits from Litium.Studio.Mvc.ProductController) with the attribute [SessionState(System.Web.SessionState.SessionStateBehavior.ReadOnly)], but it doesn’t seem to have any effect. I have also tried with SessionStateBehavior.Disabled, but it doesn’t make any difference.
Any ideas on how to make the session state readonly for Litium MVC product and category pages?
Further investigation shows that the problem may be that Litium.Studio.Mvc.Engine.MvcPageRouteHandler.GetHttpHandler doesn’t set SessionStateBehavior on the HttpContext, but the “standard MVC route handler” System.Web.Mvc.MvcRouteHandler.GetHttpHandler does set SessionStateBehavior.
One possible work-around could be to inherit from System.Web.Routing.UrlRoutingModule and set SessionStateBehavior in the PostResolveRequestCache method. This would of course be a dirty hack, so before doing this I would like some input from Litium.
Am I right in my assumption that some code is actually missing in the GetHttpHandler method?
Is it a bug in the platform?
Is there some other way to accomplish what I want to do?
Will my suggested hack work?