A Session is defined as the duration of
connectivity between a client and a server application. A Session object is
created and maintained on the web server and is unique to a user’s session of
communication with the web server. Note that an object must be serializable in
order to be persisted in the Session object.
When a Session starts, the browser sends a cookie with a
session identifier along with every request. The IIS web server uses this Session
ID to determine whether it belongs to an existing session. If none is found, a
Session ID (a 120-bit string) is generated along with the request. The Session
ID persists as long as the browser session is alive even though the session
state expires after the specified timeout. Hence, the same session ID can
represent multiple sessions over time where the browser instance is the same.
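
The ID reuse described above can be observed, and the carried-over ID replaced at login, with a Global.asax code-behind such as the following. This is an added example, not code from the original page; it assumes cookie-based sessions with the default cookie name ASP.NET_SessionId, and RotateSessionId is a hypothetical helper name.

```csharp
using System;
using System.Web;

// Added example: Global.asax code-behind for a classic ASP.NET application.
public class Global : HttpApplication
{
    // Assumption: the default session cookie name has not been changed in web.config.
    private const string SessionCookieName = "ASP.NET_SessionId";

    // Raised each time new session state is created for a request.
    protected void Session_Start(object sender, EventArgs e)
    {
        // Read the raw request header rather than Request.Cookies, because
        // cookies added to the response also show up in Request.Cookies.
        string cookieHeader = Request.Headers["Cookie"];

        // New state plus an ID already presented by the browser means the
        // earlier state for that ID expired and the same ID is being reused.
        bool idReused = cookieHeader != null &&
            cookieHeader.IndexOf(SessionCookieName, StringComparison.Ordinal) >= 0;

        // Only serializable values are stored, as the text above requires.
        Session["StartedUtc"] = DateTime.UtcNow;
        Session["IdReused"] = idReused;
    }

    // Hypothetical helper: call right after credentials are verified so the
    // authenticated session does not keep the ID issued before login.
    public static void RotateSessionId(HttpContext context)
    {
        // Discards the server-side state when the current request ends.
        context.Session.Abandon();

        // Blank the cookie so the next request is issued a fresh session ID.
        // Store post-login data on that next request, not on this one.
        HttpCookie blank = new HttpCookie(SessionCookieName, string.Empty);
        blank.HttpOnly = true;
        blank.Secure = context.Request.IsSecureConnection;
        context.Response.Cookies.Add(blank);
    }
}
```
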
Session State is a collection of objects that are stored in
the memory of the web server. But where is the Session State stored? In IIS5,
Session State is stored in the memory of the process aspnet_wp.exe. In IIS6, by default
all applications share the same application pool, i.e. the session state is
stored in the memory of the process w3wp.exe. Session state is therefore not
isolated per application, but per application pool (w3wp.exe).