ASP.NET Server Side State Management – Session State
In this post I’ll introduce the session state technique.
You can read my previous posts on the state management subject at
the following links:
What is session state?
The session state is a global storage mechanism that is
accessible from all the web pages that were requested by a
single web browser session. The storage is perfect for storing specific
information that is connected to a specific user. That means that every
user of the web application will have a separate session state.
The session has a timeout period and after the timeout the session data
is lost and a new session will be created for the user. The timeout occurs
when the user is no longer active for a period of time. Like the application
state, the session storage is implemented as a key/value dictionary which is
represented by an instance of the HttpSessionState object.
The session is used for the following scenarios:
- Uniquely identify a client's requests, so you can track
  users by their sessions.
- Raise session management events. The Global.asax file has
  session management events like Session_Start that help to do
  useful things regarding the session events (for example, counting how
  many users are currently connected to your site).
- Store session-specific data.
The session is tracked by the ASP.NET_SessionId cookie. That
cookie is created whenever a new session is created for a user.
Needless to say, if cookies are disabled then the session cookie won't
be available.
Using Session State Data
The use of the session dictionary is very simple. For example:

    protected void Page_Load(object sender, EventArgs e)
    {
        if (Session["FirstPageLoadEventTime"] == null)
        {
            // put the date time of the first page load in the
            // session
            Session["FirstPageLoadEventTime"] = DateTime.Now;
        }
        DateTime firstPageLoadEventTime =
            (DateTime)Session["FirstPageLoadEventTime"];
    }

In the example I put the time of the first page load in the session
and then read it into a variable called firstPageLoadEventTime. The
next time the Page_Load event is called, the session will still hold
the time of the first call to the Page_Load method. This is only an
example and I probably won't do such a thing in an application.
Disabling Session State
There are two ways to disable the session state:
Session Management Events
You can use the session management events like you use the
application state management events. In the Global.asax file
there are two events that you can use:
- Session_Start – raised whenever a session is starting.
- Session_End – raised whenever a session is ending.
Cookieless Session State
As written earlier, the session state is managed by a cookie.
What can we do if the user has disabled cookies?
There is a cookieless configuration that puts the session ID in
the page's URL instead of a cookie. To enable this behavior,
use the following configuration in your web.config:

    <configuration>
      <system.web>
        <sessionState cookieless="true" regenerateExpiredSessionId="true">
        </sessionState>
      </system.web>
    </configuration>

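Because a cookieless session ID travels in the URL, it ends up in browser history, server and proxy logs, Referer headers and any link the user shares, so anyone who obtains the URL can reuse the session until it times out. The configuration below is an added example, not part of the original post: it contrasts the cookieless setting above with a cookie-only configuration, and assumes the site is served over HTTPS only (required for requireSSL).

```xml
<configuration>
  <system.web>
    <!-- Setting from the post: the session ID is embedded in every URL.
    <sessionState cookieless="true" regenerateExpiredSessionId="true" />
    -->

    <!-- Cookie-only alternative (added example):
         cookieless="UseCookies" keeps the session ID out of the URL for
           every client, whatever the browser reports about cookie support.
         regenerateExpiredSessionId only takes effect for URL-based IDs; it
           is left at true (the default) so an expired ID from an old link is
           never reused if cookieless mode is switched back on.
         timeout is the idle timeout in minutes; 20 is the default, and a
           shorter value narrows the window in which a stolen ID is usable. -->
    <sessionState mode="InProc"
                  cookieless="UseCookies"
                  regenerateExpiredSessionId="true"
                  timeout="20" />

    <!-- httpOnlyCookies: cookies are not readable from client-side script.
         requireSSL: cookies are sent over HTTPS only (assumption: the
           whole site is HTTPS, otherwise the session cookie is never sent). -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>
</configuration>
```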
Session State Mode
There are several storage options for session data:
- InProc – Session state is saved in memory. The session is discarded
  when the application restarts. The session is available only
  on the current server and is not supported in a web farm.
  This is the default.
- StateServer – Session state is saved in a dedicated
  ASP.NET state server. The session is preserved when the application restarts
  and is also available to multiple web servers in a web farm.
  You pay in performance with this choice.
- SQLServer – Session state is saved in a SQL Server database.
  The session is available to multiple web servers in a web farm.
  The session state is also preserved whenever the application restarts.
  You pay in performance with this choice.
- Custom – A custom session storage provider that you build.
- Off – Disable session state.
The session mode is specified in the web.config file.
The following example specifies the InProc mode in the
web.config:

    <configuration>
      <system.web>
        <sessionState mode="InProc">
        </sessionState>
      </system.web>
    </configuration>

Modes other than Off and InProc need additional parameters in order to
be enabled, for example sqlConnectionString for the SQLServer mode.
Summary
To sum up the post, I introduced the session state technique.
The technique is widely used in ASP.NET and sometimes overused.
Sometimes I find that developers put almost everything in the session,
even things that should be managed by client side techniques.
You need to find the balance between server and client side techniques
in order to build a good web application. The next post in the server side
state management series will be the last one and will introduce the
profile properties technique.