Server side state management in ASP.NET
Often not appropriate to store state client side.
Perhaps state needs to be secured and encrypted and not passed around a network.
May not be client specific, but applicable to all users.
ASP.NET provides two ways to store state at server:
- application state - info global to application and available to all pages regardless of user identity
- session state - user specific data stored by server, only available to pages accessed by user.
Consider it a form of application level caching for data too time consuming to fetch for each request.
Store in instance of HttpApplicationState class accessed via Page.Application property.
HttpApplicationState represents key-value dictionary.
Can access from any page, but remember data stored here available to ALL pages.
Do not store user specific information in application state.
Data will be lost any time application is restarted - which IIS may choose to do at any time.
Use for large amount of, or sensitive user data.
Available to different pages as user visits them.
Data lost if user ends session, or it times out.
By default stored in memory on server. Can configure to use client-side cookies, another state server, or SQL server.
If client allows cookies, ASP.NET writes cookie containing SessionId - random 24byte value.
Values to be stored mus be serializable.
Reading and writing session state data
Stored within the Session object, an instance of HttpSessionState class, as a key-value dictionary.
Disabling session state
If don't use session state can improve performance by disabling for entire application:
<sessionState mode="off" />
Disable for single page of application by setting EnableSessionState page directive to false.
Can make read only for a page by setting EnableSessionState page directive to ReadOnly.
<@ Page Language="C#" EnableSessionState = "False" %>
Cookieless Session State
By default cookies used to track user sessions.
ASP.NE allows for cookieless session state whereby the session is tracked via the query string.
Enable cookieless session tracking via web.config file:
<sessionState cookieless="true" />
Trap session events via Global.asax file.
Two special events:
- Session_Start - raised when user requests page on site and so starts new session. Good place to initialise session variables.
- Session_End - raised when session expires or is abandoned. Note, only raised when state mode set to InProc
Choosing Session State Mode
Memory on server not always best or most scalable place to store session state.
ASP.NET provides several session management modes:
- InProc - session state stored in memory. Default mode for ASP.NET. Not good in load balanced scenarios. Good for simple applications.
- StateServer - session state stored in ASP.NET State Service. Ensures data survives web application restarts and also supports web farms. Service available on any machine capable of running ASP.NET web apps, but is configured to manually start (by default)
- SQLServer - session state stored in SQL Server database. Ensures data survives web application restarts and also supports web farms. Slower than StateServer, but SQL Server offers robust data integrity. Often the hardware running SQL Server will be more powerful than that supporting the StateServer.
- Custom - you need to implement the code providing the custom storage provider.
- Off - disables session state (to improve server performance)
Configuring session state mode
Assign a SessionStateMode enumeration value to the sessionState element in the web.config file for the application. Modes other than InProc and Off require additional parameters, such as connection string values.
Can examine currently set session state via the System.Web.SessionState.HttpSessionState.Mode property.
ASP.NET 4 adds a compressionEnabled attribute that uses GZip to reduce size of session state.