Session state in ASP.NET can be stored in one of the
following three ways.
Session state can be configured using the
<sessionState> section in the application's web.config file. Hence, we
can increase the default Session timeout value to our desired value using the
following statement in the web.config file.
The above statement doubles the Session Timeout value from
20 minutes to 40 minutes. Note that the Session Timeout value is a Sliding
The following is the complete syntax for specifying Session State in the web.config file using the mode attribute.
<sessionState mode = <"inproc" | "sqlserver" | "stateserver">
cookieless = <"true" | "false">
timeout = <positive integer indicating the session timeout in minutes>
sqlconnectionstring = <SQL connection string that is only used in the SQLServer mode>
server = <The server name that is only required when the mode is State Server>
port = <The port number that is only required when the mode is State Server>
The following section discusses each of the settings shown
in Listing 1 earlier, in detail.
Mode: This setting supports three
options. They are inproc, sqlserver, and stateserver. As stated earlier,
ASP.NET supports two modes: in process and out of process. There are also two
options for out-of-process state management: memory based (stateserver) and SQL
Server based (sqlserver).
Cookieless: This setting takes a
boolean value of either true or false to indicate whether the Session is a
Timeout: This indicates the Session
timeout vale in minutes. This is the duration for which a user's session is
active. Note that the session timeout is a sliding value; on each request the
timeout period is set to the current time plus the timeout value.
SqlConnectionString: This identifies
the database connection string that names the database used for mode sqlserver.
Server: In the out-of-process mode
stateserver, it names the server that is running the required Windows NT
Port: This identifies the port
number that corresponds to the server setting for mode State Server. Note that
a port is an unsigned integer that uniquely identifies a process running over a
Storing Session State in the InProc Mode
The InProc mode of Session State storage is the fastest
among all of the storage modes available and stores the Session data in the
ASP.NET worker process. In this case, if the amount of data that is stored in
the Session is large, performance would be drastically affected. In the InProc
mode of Session state storage, the session state is stored in the memory space
of an application domain and is volatile. In this case, the session state will
be lost if the ASP.NET worker process named aspnet_wp.exe recycles or if the
application domain restarts. The Session State here entirely depends on the
lifetime of the application domain that it runs on. Note that the Session_End
event which is fired internally by the web server is supported only in InProc
mode. Note that even if the Session State is set to read only using the EnableSessionState
attribute, in the InProc mode one can still modify the session. The Session_OnEnd
event is invoked by the runtime environment when we make a call to the
Session.Abandon() method or when the user's session times out. Further, any
change made in the settings in the web.config file unloads the application
domain and the Session State too.
Storing Session State in a State Server
The StateServer mode uses a stand-alone Microsoft Windows
service that is independent of IIS and can run on a separate server. In the
State Server mode of Session State storage, the session state is serialized and
stored in memory in a separate process that is managed by the aspnet_state.exe
file. Note that State Server can be on a different system. This storage mode has
some performance drawbacks due to the overhead involved in serialization and
de-serialization of objects. Note that the ASP.NET State Service is like any
other NT/2000 service and runs as its own process and has its own memory space.
The following is the required setting in the web.config file
to store the Session State in the State Server mode.
sqlConnectionString="data source=127.0.0.1;user id=joydip;password=joydip"
The primary advantage of storing the Session State in a State Server is that it is not in the same process as the ASP.NET and a crash of
ASP.NET would in no way destroy the session data. Secondly, this mode of Session State storage enables to share the information across a web garden or a web farm.
The main disadvantage, however, is that this mode is slow
compared to the InProc mode as it is stored in an external process.
Storing Session State using SQL Server
The SQL Server mode of Session State storage offers a
reliable, secure and centralized storage of a session state with transactional
facilities. In this storage mode, the Session data is serialized and stored in
a database table in the SQL Server database. It can typically be used in the
web farms. In the SQL Server mode of Session State storage, the session state
is serialized and stored in the SQL Server. It has performance bottlenecks as
in the State Server mode of Session State storage due to the overhead involved
in serialization and de-serialization of the objects that are stored and retrieved
to and from the Session. SQL Server is more secure than the InProc or the State
server modes of Session State storages as the data can be secured easily by
configuring the SQL Server security.
The InstallSqlState.sql file has to be located in the system
and executed. This would create the necessary database and tables in the
tempdb database to store the Session data. To remove all the databases and the
tables created earlier using the InstallSqlState.sql file, the
UninstallSQLState.sql file can be used. The web.config file has to be modified
accordingly. The following is the required setting in the web.config file to
store the Session State in the SQL Server mode.
sqlConnectionString="data source=server;user id=joydip;password=joydip"
cookieless="false" timeout="20" />
Okay, but which one should I choose?
So, which one to choose? Which Session state storage mode
is the best? We have to choose between speed, reliability, security and
For sites that run in a single server, the InProc storage
mode in the best. It is the fastest of all the three modes, but it has its own
limitations. The major problem is that it is volatile. In the InProc mode of
storage, the durability of the data that is stored in the Session State is dependent on the life time Application Domain that the application runs in. Once the
Application Domain restarts or shuts down, the Session is lost. In a
production environment, the InProc mode of Session State storage is not
feasible. When we have to go for WebFarms, the OutProc mode is the best;
especially when the traffic is heavy on the site. The SQLServer mode of
storage is suited when we need to secure the Session data or when we require
scalability and reliability, but it takes more time to store and retrieve data
to and from the database table. We have to decide the right type of Session
state storage mode based on the context by choosing between speed, scalability,
Sharing Session State between Classic ASP and ASP.NET
ASP and ASP.NET sessions are not easily shareable. Sharing
session state between Classic ASP and ASP.NET can be possible through one of
the following ways:
Storing the data in a common database or in the cookies
Passing the data from one page to another page using query
Using a 3rd party component for sharing session data