Overview of State Management

Various State Management technique in ASP.NET

Session State
A cookie is very simple and is not suitable for sophisticated storage requirements.
Session state is a workaround for this problem and it gives a method to keep more complex
objects securely.
ASP.NET allows programmers to keep any type of objects in session.
Data stored in session will be kept in server memory and it is protected as it will never get
transmitted to a client.
Every client that uses the application will have separate sessions. Session state is ideal for storing
user specific information.
The following code shows storing a string value in session.

Session["name"] = "Kirti";

Values stored in sessions can be removed by several methods.

Session.Abandon()

Cancels the session and fires end event. This is used when you are done with the session.

Session.Clear() /Session.RemoveAll()

Clears all contents of the session. This will not end the session
Session.Remove(string)
Removes the session name supplied.

How Session Works?

ASP.NET maintains a unique id which is called as "session id" for each session. This id is
generated using a custom algorithm and it is unique always.
Session id will be sent to the client as a cookie and the browser resends this upon each request.
ASP.NET uses this session id to identify the session object.

string sessionId = Session.SessionID

If you haven't stored anything in the session, ASP.NET will generate a different session id for
each request.
Once a session has contents, the session id will not change. Session id is the only information
which is sent to the client about sessions.
As said before, ASP.NET sends session id in a cookie named ASP.NET_SessionId.
But this will not work if cookies are disabled by the visitor.
In such cases, ASP.NET passes session id through the URL.
This behavior can be controlled by adding the following section to web.config file under the
system.web section.

<sessionState
cookieless="UseUri" />

Session Timeout
Each session will have a timeout value (default 20Mins).
If the page is not getting any requests within the timeout limit specified, ASP.NET will assume
that the user has left the application and it immediately terminates the session and fires the End
event.
This helps the server to cleanup unused sessions and gives room for new requests.
Timeout value can be changed from web.config file or through code.
Timeout value is specified in minutes.

<sessionState
timeout="60" />
or
Session.Timeout = 60;

Session Timing out Frequently

Many questions from developers like, "My session timeout is 60 minutes and it
is timing out before that." Why ??
Well, ASP.NET will clear session when any of the following happens
ASP.NET worker process recycles frequently. When this happens, it will
clear all active sessions.
When files like web.config or application assemblies are modified,
ASP.NET will recyle the worker process.

Mode
Configuration
Storage
location
Description

InProc

<sessionState mode="InProc" />

ASP.NET processes memory area
This is the default session storage. Session
data will be kept in the server memory.

InProc mode is a high performant as it reads

from the same processes memory and it allows
you to keep all .NET types.
If session mode is not specified, ASP.NET will
use InProc as the default mode.
As the InProc mode keeps data in same
Processes memory area, any impacts
happened for the ASP.NET worker process
will affect the session data.

Description Pros/Cons

Mode
Configuration

StateServer

Storage
location
Description

Server memory as a seprate process

<sessionState>mode="StateServer">
stateConnectionString="tcpip=Yourservername:42424"
/>

StateServer mode provides a basic level of isolation for the

data storage.
It runs as a separate windows service and keeps the session data
out of ASP.NET process memory area.
To access session, ASP.NET process has to communicate with this
external process.

Description Pros/Cons

It is less performant compared to InProc mode.

But this helps you to avoid losing session data when ASP.NET
worker process restarts

Mode
Configuration

SQL Server

Storage
location
Description

In SQL server database

<sessionState mode="SQLServer"
sqlConnectionString="..."
/>

If you still need more resillient storage,

SQLServer mode is the choice.
It allows to keep session data in SQLServer.

Description Pros/Cons

This is helpful when your web application

is hosted in a webfarm.
Slow data access
Allows to store only serializable types

If any of the above discussed methods are not satisfying your storage requirements, ASP.NET
allows to specify a custom storage provider.

Application State
ASP.NET implements application state using the System.Web.HttpApplicationState
class.
It provides methods for storing information which can be accessed globally.
Information stored on application state will be available for all the users using the website.
Usage of application state is the same as sessions.
The following code shows storing a value in an application variable and reading from it.

Application["pageTitle"] = "Welcome to my website - ";

// Reading the value from application variable
string pageTitle;
if (Application["pageTitle"] != null)
pageTitle = Application["pageTitle"].ToString();

Understanding Session and Application Events

you should get a basic knowledge about the events associated with application and session.
These events can be seen in the global.asax file.

Application_Start This event executes when application initializes. This will execute
when ASP.NET worker process recycles and starts again.
Application_End Executes when the application ends.
Session_Start Executes when a new session starts.
Session_End Executes when session ends. Note : this event will be fired only if you are
using InProc as session mod.

A Practical Example
The most common usage of application variables is to count the active number of visitors that
are browsing currently.
We can utilize session_start and session_end events to do this.
The following code shows how this is done.

void Application_Start(object sender, EventArgs e)

{
// Application started - Initializing to 0
Application["activeVisitors"] = 0;
}
void Session_Start(object sender, EventArgs e)
{
if (Application["activeVisitors"] != null)
{
Application.Lock();
int visitorCount = (int)Application["activeVisitors"];
Application["activeVisitors"] = visitorCount++;
Application.UnLock();
}
}
You might have noticed Application.Lock() and Application.UnLock() calls.
ASP.NET is multithreaded and this is required to synchronize data when multiple visitors access
the site at the same time

Application state is not providing any timeout method like session.

Application state will be available until the application ends.
So one should be very careful when using application state. You should explicitly cleanup the
values stored when you are finished using it.

QueryString
This is the most simple and efficient way of maintaining information across requests.
The information you want to maintain will be sent along with the URL. A typical URL with a
query string looks like

www.somewebsite.com/search.aspx?query=foo
The URL part which comes after the ? symbol is called a QueryString.
QueryString has two parts, a key and a value. In the above example, query is the key and foo
is its value.
You can send multiple values through querystring, separated by the & symbol. The following
code shows sending multiple values to the foo.aspx page.

Response.Redirect("foo.aspx?id=1&name=foo");
The foo.aspx page will get the values like in the following table.
Key

Value

id
name

1
foo

The following code shows reading the QueryString values in foo.aspx

string id = Request.QueryString["id"];
string name = Request.QueryString["name"];
If you try to get a value which is not in the QueryString collection, you will get a NULL reference

Pros and Cons

Query string is lightweight and will not consume any server resources.
It is very easy to use and it is the most efficient state management technique. However, it has
many disadvantages.
You can pass information only as a string.

URL length has limitations. So you can't send much information through URL.
Information passed is clearly visible to everyone and can be easily altered.

If your website has large number of visitors and session timeout can cause
problem, It is better to change Session Mode Session="InProc" to
Session="StateServer".
Main Advantage of Session StateServer (Best to choose while hosting on third
party server)
1. Session is persistent and reliable.
2. Avoid Session Timeout due to Memory shortage on server (IIS Setting).
Main Disadvantage
1. Poor Performance compare to Session="InProc"
2. Session_End Event would not fire.
Now lets understand
Steps for changing Session InProc Mode to Session StateServer Mode.
Step 1: Start Asp.net State Servcie
1. Go to Control Panel > Administrative Tools > Services
2. Select Asp.Net State Service.
3. Right Click on Asp.net State Service and choose start from popup menu.

If you forget to Start Service you will receive following error.

Server Error in '/' Application.

Unable to make the session state request to the session state server. Please
ensure that the ASP.NET State service is started and that the client and
server ports are the same. If the server is on a remote machine, please
ensure that it accepts remote requests by checking the value of
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspnet_state\Parameters\
AllowRemoteConnection. If the server is on the local machine, and if the
before mentioned registry value does not exist or is set to 0, then the state
server connection string must use either 'localhost' or '127.0.0.1' as the
server name.
Description: An unhandled exception occurred during the execution of the
current web request. Please review the stack trace for more information about
the error and where it originated in the code.
Exception Details: System.Web.HttpException: Unable to make
the session state request to the session state server. Please ensure that the
ASP.NET State service is started and that the client and server ports are the
same. If the server is on a remote machine, please ensure that it accepts
remote requests by checking the value of
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspnet_state\Parameters\
AllowRemoteConnection. If the server is on the local machine, and if the
before mentioned registry value does not exist or is set to 0, then the state
server connection string must use either 'localhost' or '127.0.0.1' as the
server name.

Step 2: Change Session Mode in Web.Config File

<sessionState mode="StateServer"
stateConnectionString="tcpip=127.0.0.1:42424"
cookieless="false"
timeout="120"/>
Note: You can adjust timeout minutes based on your requirement. Let the
tcpip server to be localhost i.e. 127.0.0.1. Most webhosting company uses
these settings unless you have different IP for StateServer and You are not
required to change Port Number.

Step 3: Make All Object Serializable

You should make all object in your website to serializable.
Note: To take advantage of Session StateServer or SQLServer or Custom Mode,
object needs to be serialized.
Example: If your project contains class files for creating DAL (Data Access
Layer), you should append Serializable to every class definition in order to
make class Serializable.

Understanding Serialization in C#
[Serializable]
Class Department
{
long
_deptId;
string _deptName;
public long DeptId
{
get {
return _deptId; }
set { _deptId = value; }
}
public string DeptName
{
get {
return _deptName; }
set { _deptName = value; }
}
}
IMPORTANT While doing Serialization
Remember SQLConnection cannot be serialized.
You might receive following error if you don't handle this situation.
Unable to serialize the session state. In 'StateServer' and 'SQLServer' mode,
ASP.NET will serialize the session state objects, and as a result nonserializable objects or MarshalByRef objects are not permitted. The same
restriction applies if similar serialization is done by the custom session
state store in 'Custom' mode.
Description: An unhandled exception occurred during the execution of the
current web request. Please review the stack trace for more information about
the error and where it originated in the code.
Exception Details: System.Web.HttpException: Unable to serialize the session
state. In 'StateServer' and 'SQLServer' mode, ASP.NET will serialize the
session state objects, and as a result non-serializable objects or
MarshalByRef objects are not permitted. The same restriction applies if
similar serialization is done by the custom session state store in 'Custom'
mode.

So to handle this situation you need to do following thing.

1. Mark SQLConnection Object as NonSerialized
[NonSerialized] protected SqlConnection _mainConnection;
2. Mark your Class as Serializable and derive from IDeserializationCallback

Example:
[Serializable]
Class Department: IDeserializationCallback
{
long
_deptId;
string _deptName;
public long DeptId
{
get {
return _deptId; }
set { _deptId = value; }
}
public string DeptName
{
get {
return _deptName; }
set { _deptName = value; }
}
//Create this Method Inside your Class
void IDeserializationCallback.OnDeserialization(object sender)
{
//Recreate your connection here
_mainConnection = new SqlConnection();
_mainConnection.ConnectionString =
ConfigurationSettings.AppSettings["connStr"].ToString();
}
}

SQL Server Mode

The SQL Server mode option is similar to that of the Windows NT Service, except that the
information persists to SQL Server rather than being stored in memory.
To use SQL Server as our session state store, we first must create the necessary tables and
stored procedures that ASP.NET will look for on the identified SQL Server. The .NET SDK
provides us with a SQL script file that we will execute on SQL Server to setup the database
tables and stored procedures and then will use the database credentials in ASP.NET
Applications to start using SQL Server to manage the session states.
Why SQL Server Mode?
Once you start running multiple web servers for the same web site, the default asp.net
session state that is InProc will no longer be useful because you cannot guarantee that
each page request goes to the same server. It becomes necessary to have a central state
store that every web server accesses. SQL Server has a feature that offers you centralized
storage of a session state in a Web farm. You can use SQL Server to save a session.
SQL Server Mode Advantages
Storing session variables in the SQL server has the following advantages:

Scalability: If you are looking for a highly scalable option to store your session
variables, the SQL Server option is for you. It is a much more scalable option than the
others. Web farm architecture can very easily access the session variables because they are
stores in an independent database.

Reliability: Because the data is physically persisted in a database, it is is more

reliable than the other options. It has the ability to survive server restarts.

Security: SQL Server is more secure than the in-memory or state server option. You
can protect your data more easily by configuring SQL Server security.
The session state mode can be configured via a <sessionState> tag of the web.config file.
Now, this step-by-step article demonstrates how to configure Microsoft SQL Server for
ASP.NET SQL Server mode session state management.
Job 1: Configuring SQL Server to use ASP.NETs SQL Server Session State
Step 1: Find the sql script file installed by .NET SDK and execute it on SQL Server to setup
database.

Step 2: Double click above file to install it on SQL Server, after installation you will get
following database tables and stored procedures.

Now, we done with database setup, lets create a demo web application and will create
shopping cart like application and will let the user to add the products to cart and at the end
will show the product list to user. Think, if are developing e-commerce website that is using
multiple servers, then how will you manage the sessions, because session directly depends
on server and your website using multiple servers, in this case you will lose all the
sessions/products that user selected when jump to another server. No worries we are using

centralized server that is SQL Server to manage our sessions. Go ahead and setup a
website.
Job 2: Setup Web Application
At very first, lets modify our existing web.config file to use SQL Server Mode Sessions. To
do this add a connectionstring that will point tempdb database.
<connectionStrings>
<add name="tempdbConnectionString1" connectionString="Data Source=ITORIAN-PC1;Initial
Catalog=tempdb;Integrated Security=True"
providerName="System.Data.SqlClient" />
</connectionStrings>

And then, modify the <sessionState> section so that it looks like

<sessionState mode="SQLServer" customProvider="DefaultSessionProvider">
<providers>
<add name="DefaultSessionProvider" type="System.Web.Providers.DefaultSessionState
Provider, System.Web.Providers, Version=1.0.0.0, Culture=neutral,
PublicKeyToken=31bf3856ad364e35"connectionStringName="tempdbConnectionString1" />
</providers>
</sessionState>

You can notice the mode attribute in above code that is using SQLServer. Once you done,
lets setup website pages.
Case Study: We will create two pages in our website, one will show the product list and
another will show the selected products, will call those pages by name Products.aspx and
Cart.aspx. Ill be using Northwind database in this project.
Products.aspx Code
<div>
<asp:GridView ID="GridView1" runat="server"
AllowPaging="True" AutoGenerateColumns="False" DataSourceID="SqlDataSource1"
Width="48%" OnSelectedIndexChanged="GridView1_SelectedIndexChanged"
PageSize="5">
<Columns>
<asp:BoundField DataField="ProductName"
HeaderText="ProductName"
SortExpression="ProductName" />
<asp:BoundField DataField="UnitPrice"
HeaderText="UnitPrice"
SortExpression="UnitPrice" />
<asp:CommandField SelectText="Add to cart"
ShowSelectButton="True" />
</Columns>
</asp:GridView>
<asp:HyperLink ID="HyperLink1" runat="server"
NavigateUrl="~/Cart.aspx" Font-Bold="True"
Font-Size="Large">I'm Done, show products</asp:HyperLink>
<asp:SqlDataSource ID="SqlDataSource1" runat="server"
ConnectionString="<%$ ConnectionStrings:NorthwindConnectionString1 %>"
SelectCommand="SELECT [ProductName],

[UnitPrice] FROM [Products]

ORDER BY [ProductName]"></asp:SqlDataSource>
</div>
Products.aspx.cs
protected void GridView1_SelectedIndexChanged(object sender, EventArgs e)
{
DataSet ds = null;
if (Session["sCart"] == null)
{
ds = new DataSet();
DataTable dt = new DataTable();
dt.Columns.Add(new DataColumn("ProductName"));
dt.Columns.Add(new DataColumn("Qty", typeof(System.Int32)));
ds.Tables.Add(dt);
Session["sCart"] = ds;
}
else
{
ds = (DataSet)Session["sCart"];
}
DataRow row = ds.Tables[0].NewRow();
row["productname"] = GridView1.Rows[GridView1.SelectedIndex].
Cells[0].Text;
row["Qty"] = 1;
ds.Tables[0].Rows.Add(row);
}

Cart.aspx Code
<div>
<asp:GridView ID="GridView1" runat="server"
AutoGenerateColumns="False" Width="48%">
<Columns>

<asp:BoundField DataField="productname"
HeaderText="Product Name" />
<asp:BoundField DataField="qty"
HeaderText="Quantity" />
</Columns>
</asp:GridView>
</div>
Cart.aspx.cs Code
protected void Page_Load(object sender, EventArgs e)
{
GridView1.DataSource = (DataSet)Session["sCart"];
GridView1.DataBind();
}

Now, you looked at some practical uses of the title.

Disadvantages of Storing the Session State in SQL Server
Though storing the session state in SQL server makes your Web site more scalable and
reliable, it has some disadvantages of its own:

Performance: In terms of performance, a SQL Server-based session store is possibly

the slowest option. Because your session variables are stored in a physical database, it
takes more time to get them in and out of the database. This affects the performance of
your Web site.

Cost: Because you are storing your data in a SQL Server database, you need to have
a SQL Server license. This can add to overall cost of your Web site.

Serializable data: This method requires that all the data stored in session variables
must be serializable. This may force you to mark your own classes as [Serializable] if you
want to store them in a session.