ASP.NET Session

An ASP.NET Session is the lifetime of visiting user agent when the visiting user agent initiate the first request on a page from an ASP.NET of  web server. In general, a Session object is maintained for this specific user agent until there is no further request from this specific user agent during session timeout period.

Session State

HTTP is a stateless protocol, therefore a web server always consider each HTTP request for a page as an independent request. In other words, the web server does not retains the information related to the session of a specific user agent.

The ASP.NET platform uses an instance of the HttpSessionState class to save values by using session state. Session state is structured as a key/value dictionary for storing session-specific information that needs to be maintained during the session of a specific user agent. In an ASP.NET page, the current session variables are exposed through the Session property of the Page object. The collection of session variables is indexed by the name of the variable or by an integer index.

Session Identifiers

Sessions are identified by a unique identifier which can be get from the SessionID property of HttpSessionState Class.

When session state is enabled for an ASP.NET application, each request for a page in the application is examined for a SessionID value sent from a user agent. If no SessionID value is supplied, ASP.NET starts a new session and the SessionID value for that session is sent to the user agent with the response. By default, SessionID values are stored in a cookie. However, the application is configured to store SessionID values in the URL for a "cookieless" session. A session is considered active as long as requests continue to be made with the same SessionID value. If the time between requests for a particular session exceeds the specified time-out value in minutes, the session is considered expired. Requests made with an expired SessionID value result in a new session.

Cookie

By default, the SessionID value is stored in a non-expiring session cookie in the user agent. However, the session identifiers can also not be stored in a cookie by setting the cookieless attribute to true in the sessionState section of the Web.config file. ASP.NET maintains cookieless session state by automatically inserting a unique session ID into the page's URL.

When ASP.NET sends a page to the browser, it modifies any links in the page that use an application-relative path by embedding a session ID value in the links. (Links with absolute paths are not modified.) Session state is maintained as long as the user clicks links that have been modified in this manner. However, if the client rewrites a URL that is supplied by the application, ASP.NET may not be able to resolve the session ID and associate the request with an existing session. In that case, a new session is started for the request. The session ID is embedded in the URL after the slash that follows the application name and before any remaining file or virtual directory identifier. This enables ASP.NET to resolve the application name before involving the SessionStateModule in the request.

By default, the session ID values that are used in cookieless sessions are recycled. That is, if a request is made with a session ID that has expired, a new session is started by using the SessionID value that is supplied with the request. This can result in a session unintentionally being shared when a link that contains a cookieless SessionID value is used by multiple browsers. (This can occur if the link is passed through a search engine, through an e-mail message, or through another program.) You can reduce the chance of session data being shared by configuring the application not to recycle session identifiers. To do this, set the regenerateExpiredSessionId attribute of the sessionState configuration element to true. This generates a new session ID when a cookieless session request is made with an expired session ID.

Besides, a custom class can also be implemented to supply and validate SessionID values.

Session Modes

ASP.NET session state supports several storage options for session variables. Each option is identified as a session-state Mode type. The types of session modes are

• InProc mode, which stores session state in memory on the Web server. This is the default.
• StateServer mode, which stores session state in a separate process called the ASP.NET state service. This ensures that session state is preserved if the Web application is restarted and also makes session state available to multiple Web servers in a Web farm.
• SQLServer mode stores session state in a SQL Server database. This ensures that session state is preserved if the Web application is restarted and also makes session state available to multiple Web servers in a Web farm.
• Custom mode, which enables you to specify a custom storage provider.
• Off mode, which disables session state.

Session Events

ASP.NET provides two events that help you manage user sessions. The Session_OnStart event is raised when a new session starts, and the Session_OnEnd event is raised when a session is abandoned or expires. Session events are specified in the Global.asax file for an ASP.NET application. The Session_OnEnd event is not supported if the session Mode property is set to a value other than InProc, which is the default mode.

Concurrent Requests and Session State

Access to ASP.NET session state is exclusive per session, which means that if two different users make concurrent requests, access to each separate session is granted concurrently. However, if two concurrent requests are made for the same session (by using the same SessionID value), the first request gets exclusive access to the session information. The second request executes only after the first request is finished. (The second session can also get access if the exclusive lock on the information is freed because the first request exceeds the lock time-out.) If the EnableSessionState value in the @ Page directive is set to ReadOnly, a request for the read-only session information does not result in an exclusive lock on the session data. However, read-only requests for session data might still have to wait for a lock set by a read-write request for session data to clear.

References

• https://docs.microsoft.com/en-us/previous-versions/75x4ha6s%28v%3dvs.140%29
• https://docs.microsoft.com/en-us/previous-versions/ms178581(v=vs.140)
• https://docs.microsoft.com/en-us/previous-versions/ms178586%28v%3dvs.140%29
• https://docs.microsoft.com/en-us/dotnet/api/system.web.ui.page.session?view=netframework-4.8
• https://docs.microsoft.com/en-us/dotnet/api/system.web.httpresponse.cookies?view=netframework-4.8
• https://docs.microsoft.com/en-us/dotnet/api/system.web.httpcontext.session?view=netframework-4.8