Session

ASP.NET Session state provides a place to store values that will persist across page requests. Values stored in Session are stored on the server and will remain in memory until they are explicitly removed or until the Session expires.

State management using session is one of the best ASP.NET features, because it is secure, transparent from users, and we can store any kind of object in it. Along with these advantages, sometimes session can cause performance issues in high traffic sites because it is stored in server memory and clients read data from the server.

Storing and retrieving a value in the Session is as simple as:

VB:

VB.NET

'Storing Name in Session
Session("Name") = "John Doe"  'Or Session.Add("Name","John Doe")
'retrieving string
Dim Name As String = Session("Name")

C#:

C#

//Storing Name in Session
Session["Name"] = "John Doe" // Or Session.Add("Name","John Doe");  
//retrieving string
Name = (string)Session["Name"]; 

By default, the Session will be created within the same process that your web site runs in (InProc). This is controlled by a setting in the web.config file:

C#

<sessionState mode="InProc" />

Although running the Session In Process is very convenient, it does mean that all Session values will be lost whenever the application recycles (such as when deploying updates). There are alternate modes you can use that will allow the Session state to survive even when the application recycles. The available options are:

• Off - No session state will be stored
• InProc - (The Default) Session state exists within the process the web is using
• StateServer - Session data is sent to the configured stateserver service
• SQLServer - Session data is store in the configured SQL Server database

Both the StateServer mode and the SQLServer mode allow Session state to survive an application recycle. But, when storing reference type objects (such as class instances), they can only be stored to StateServer or SQLServer if they have been marked with the Serializable attribute.

There are certain events in Global.asax file associated with Session, Session_Start and Session_End.

The Session_End event only fires in InProc, it does not support session management implemented with OutProc.

An important consideration for using Session state is that the Session does expire. By default, if a user does not access their Session data within 20 minutes (by default), the Session will expire and all items that had been stored in the Session will be discarded. Because of this, it is important to check the object that is returned from the Session to see if it exists or if it is null before you try to work with it. For example:

C#

object sessionObject = Session["someObject"];
if (sessionObject != null) {
 myLabel.Text = sessionObject.ToString();
}

The Session Timeout is adjustable through a web.config setting but increasing the timeout value can put memory pressure on your server that may be undesirable.

C#

<sessionState timeout="number of minutes" />

Other commonly used Session methods are:

• Session.Abandon() - removes the Session and all items that it contains
• Session.Clear() - removes all items from the Session
• Session.RemoveAll() - removes all items from the Session
• Session.Remove("itemName") - removes the item that was stored under the name "itemName"

How To

• ASP.NET Session State Overview - Start here with this excellent MSDN Documentation
• Using Session and Application Objects in ASP.NET
• Selecting the Method for Maintaining and Storing ASP.NET Session State
• Taming the Stateless Beast: Managing Session State Across Servers on a Web Farm
• ASP.NET Session State FAQ - From Peter Bromberg: "Below is a quick summary of the different modes of session state, followed by a list of FAQ's, compiled from several sources, including my own "discoveries"
• How to use ASP.NET session state SQL Server Mode in a failover cluster - "This article describes the information that you must have to configure a Web server cluster to use the SQL session state that runs in a failover cluster."

Whitepapers/Blogs

• State Management - Good blogged overview of the decision-making process, advantages and disadvantages of storing state in various places.
• State Management and ASP.NET - A good basic white paper enumerating your various options for state management.
  KB: ASP.NET State Management Overview - A dry but fairly thorough KB article on session state.
• Microsoft ASP.NET 2.0 Providers: Introduction and Session State Providers - "Session state providers provide the interface between Microsoft ASP.NET's session state module and session state data sources." The MSDN documentation is a good place to start if you plan on writing your own, or if you just want to understand one of the existing providers.
• This is a short section in MSDN that offers insight into a couple of obscure details that might be of interest.
• Fast, Scalable, And Secure Session State Management For Your Web Applications - An excellent article from MSDN magazine on the ASP.NET session state architecture.
• Architectural And Performance Considerations - A very thoughtful blog post that can help you decide which session provider to use.
• Exploring Session in ASP.Net - Code Project: This article describes about session in ASP.NET 2.0. Different Types of Session, their configuration. Also describes Session on Web Farm, Load balancer, web garden, etc.

Enjoy!