Server side state management in ASP.NET

Often not appropriate to store state client side.

Perhaps state needs to be secured and encrypted and not passed around a network.

May not be client specific, but applicable to all users.

ASP.NET provides two ways to store state at server:

Application state

Consider it a form of application level caching for data too time consuming to fetch for each request.

Store in instance of HttpApplicationState class accessed via Page.Application property.

HttpApplicationState represents key-value dictionary.

Can access from any page, but remember data stored here available to ALL pages.

Do not store user specific information in application state.

Data will be lost any time application is restarted - which IIS may choose to do at any time.

Session state

Use for large amount of, or sensitive user data.

Available to different pages as user visits them.

Data lost if user ends session, or it times out.

By default stored in memory on server. Can configure to use client-side cookies, another state server, or SQL server.

If client allows cookies, ASP.NET writes cookie containing SessionId - random 24byte value.

Values to be stored mus be serializable.

Reading and writing session state data

Stored within the Session object, an instance of HttpSessionState class, as a key-value dictionary.

Disabling session state

If don't use session state can improve performance by disabling for entire application:

<sessionState mode="off" />

Disable for single page of application by setting EnableSessionState page directive to false.

Can make read only for a page by setting EnableSessionState page directive to ReadOnly.

<@ Page Language="C#" EnableSessionState = "False" %>

Cookieless Session State

By default cookies used to track user sessions.

ASP.NE allows for cookieless session state whereby the session is tracked via the query string.

Enable cookieless session tracking via web.config file:

<sessionState cookieless="true" />

Session Events

Trap session events via Global.asax file.

Two special events:

Choosing Session State Mode

Memory on server not always best or most scalable place to store session state.

ASP.NET provides several session management modes:

Configuring session state mode

Assign a SessionStateMode enumeration value to the sessionState element in the web.config file for the application. Modes other than InProc and Off require additional parameters, such as connection string values.

Can examine currently set session state via the System.Web.SessionState.HttpSessionState.Mode property.

ASP.NET 4 adds a compressionEnabled attribute that uses GZip to reduce size of session state.