Session vs Input Parameters vs Entity


Hi all, 

I'm looking for some guidance on best practices for storing a customer's search criteria across several pages of an application. The application doesn't require a login, so search data is either saved against a userID (if logged in), a cookie, or an IP address.

So for example, on the first page they fill out a form, on the second page they tick a few boxes and make some selections, on the third page they upload some photos, etc., and all of this is saved as the user makes changes. Similarly, when the user hits the homepage again, the app pre-loads all of these search parameters.

Currently we have designed the application so it uses a combination of input parameters "passed along" into each new page; some items are loaded into session values and some data is fetched from a "Search" Entity. 

It would be great if somebody could articulate the pros / cons from a performance and security point of view of each option, i.e. some things we don't understand are:

Q: Are Input Parameters susceptible to attack? 

Q: Why use an Input Parameter vs a session variable?

Q: Is there more load on the DB to hold an entity record (20 attributes) in session vs fetching/updating an entity. What is best practice?

Q: Maybe it's better to use a combination of all three? Maybe hold a SearchIdentifier in session, and then on the preparation of each page load the relevant Search record?


Apologies for the lengthy Q!!!

Thanks

Tom

Tom Ciullo wrote:

Q1: Are Input Parameters susceptible to attack? 

Q2: Why use an Input Parameter vs a session variable?

Q3: Is there more load on the DB to hold an entity record (20 attributes) in session vs fetching/updating an entity. What is best practice?

Q4: Maybe it's better to use a combination of all three? Maybe hold a SearchIdentifier in session, and then on the preparation of each page load the relevant Search record?


Q1: Of course they are vulnerable, because they are in the URL. So you should always take care of that.

Q2: Really depends on the situation. Sometimes you can opt for session vars, sometimes for input parameters.

Session vars are commonly used for rarely changing variables, like the userid in a session.

Q3: Best practice is using the database and caching the query, imho.

Q4: yup


Check out this for more info: https://success.outsystems.com/Support/Enterprise_Customers/Maintenance_and_Operations/Performance_Best_Practices/Performance_Best_Practices_-_Logic
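As an added example (not code from this thread or from OutSystems), here is the Q4 approach sketched in Python, with the Q1 concern handled: the session holds only a SearchIdentifier, each page loads the Search record by that identifier, and a search id arriving as an input parameter is accepted only when it matches the one the session already owns. The in-memory store and the function names are assumptions made for illustration.

```python
# Added example: session keeps only a search identifier; the Search record
# lives in a store (stands in for the Search entity in the database).
# A search id supplied as an input parameter (URL) is never trusted on its own.
import secrets
import time

SEARCH_STORE = {}  # search_id -> Search record (assumed in-memory stand-in)


def new_search(session):
    """Create a Search record and bind its identifier to the session."""
    # Unguessable id: an attacker cannot enumerate other users' searches.
    search_id = secrets.token_urlsafe(16)
    SEARCH_STORE[search_id] = {"created": time.time(), "criteria": {}}
    session["search_id"] = search_id
    return search_id


def load_search(session, url_search_id=None):
    """Load the Search record for the current page.

    The session-held identifier is authoritative. An id passed along in the
    URL is accepted only if it equals the session's own id; anything else is
    a tampered parameter and is rejected instead of silently honoured.
    """
    owned = session.get("search_id")
    if owned is None:
        return None  # no search started in this session yet
    if url_search_id is not None and not secrets.compare_digest(url_search_id, owned):
        raise PermissionError("search id in URL does not belong to this session")
    return SEARCH_STORE.get(owned)


def update_search(session, page_fields, url_search_id=None):
    """Merge one page's form fields into the session's Search record."""
    record = load_search(session, url_search_id)
    if record is None:
        raise LookupError("no search bound to this session")
    record["criteria"].update(page_fields)
    return record


if __name__ == "__main__":
    # Constructed walk-through: page 1 form, page 2 selections, homepage reload.
    session = {}
    sid = new_search(session)
    update_search(session, {"city": "Lisbon", "beds": 2})
    update_search(session, {"parking": True}, url_search_id=sid)
    print(load_search(session)["criteria"])
```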