Learn from this: how to correctly use session in ASP. NET

ASP. the session in net is much more flexible and powerful than the session in ASP. It is also much more complicated. See some asp. NET developers complain that the session is unstable and is lost inexplicably. In fact, this is ASP.. net.

 

We know that the biggest difference between a session and a cookie is that all cookie information is stored on the client, and the session only stores an ID on the client as a token for verification with the server, the real data is stored in the server memory.

 

In traditional WebProgramming LanguageIn (for example, Asp), session expiration is completely handled by timeout. The default timeout value is 20 minutes, but the problem is that many users only take a look at the webpage, then close the browser and leave. In this case, session data is stored in the server memory for a long time. If there are many users, server resources are undoubtedly a waste.

 

In ASP. NET, there are several session storage policies:

By default, the system uses the inproc mode, that is, the inprocess mode.

In this case, the session is stored in the memory mapped by the ASP. NET worker process. The problem is that the ASP. net worker process is often recycled by the system to maintain a good average performance. We can configure automatic recycle in IIS (for example, recycle by time, or recycle when the memory usage reaches the value), for example, configure the application in iis7ProgramInterface for Parameters of pool reclaim

 

When ASP. when the net workflow is recycled, all the mapped memory is cleared and initialized so that other programs can use it. Therefore, the session disappears, that's why sesssion disappears for no reason.

 

Of course, the default inproc mode is also the most performance mode. If you cannot tolerate this "unstable" mode, you can set the modeStateServerMode

 
<Sessionstate mode = "StateServer" stateconnectionstring = "TCPIP = 127.0.0.1: 42424"> </sessionstate>
 

In this case, the session will be stored outside the ASP. NET process.Aspnet_state.exeIn the process, this process is not affected by Asp.net process recycling.

However, you must note that the aspnet_state is run in the form of a Windows service. Therefore, make sure that the service has been started on the machine corresponding to 127.0.0.1.

In addition, we must also be aware that, although the session in StateServer mode will be much more stable, the performance is inferior to that in inproc (about 15% ~ About 25%), because the system needs to serialize the session value and save it to the memory mapped by the aspnet_state process. deserialization is required during read.

This mode has another advantage: If the IP address in TCPIP = 127.0.0.1: 42424 is specified as another server, the session can be saved on a machine other than the web server.

 

Session information can even be stored in the sqlserver database:

Enter the vs command line mode and enter the following command:

That isAspnet_regsql-s database instance name-ssadd-u connection username

Note: The database server must first start the SQL Server proxy service

After the command is run, an aspstate database is automatically created, and two tables aspstatetempapplications and aspstatetempsessions are created under the tempdb database.

The corresponding web. config configuration is:

 
<Sessionstate mode = "sqlserver" sqlconnectionstring = "Data Source = jimmyt61p; uid = sa; Pwd = ***"> </sessionstate>
 

Note: If you want to directly create a table in the database aspstate, add the parameter-sstype P in the command line, that is:

Aspnet_regsql-s database instance name-ssadd-Sstype P-U connection username

Similarly, when saving and reading session data in SQL Server mode, performance loss (about 25%) may occur in the inproc mode, but SQL Server can be used to persistently store session data.

 

Finally, let's take a look at the other two values in mode: off and custom.

Off is equivalent to disabling session.

Custom allows developers to define how to store sessions by themselves, which is equivalent to providing a programming development interface (I have never used it before, so I can't talk much about it, huh, huh)

 

Overall:

Inproc has the highest performance, but may cause the session to be lost for no reason. This mode cannot be applied to Web Server clusters or Server Load balancer scenarios (because session synchronization cannot be implemented between multiple servers ), stateServer and sqlserver can be used in Web server cluster scenarios, but their performance is degraded. If you want session persistence, sqlserver is the only built-in solution.

 

My personal experience:

In general, I tend to use cookies to reduce the consumption of server resources, but this also requires a balance, because the serverCodeTo obtain the client cookie, it means that the cookie file must be transmitted to the server through a browser, which also consumes network bandwidth.

In addition, in some blog systems, suchArticleIf you leave, and then continue writing, you will find that the session has expired when you save it. The page jumps to the logon page, but it has not been written for more than N words! At this time, you can use the code to maintain the session, that is, the heartbeat thought of the Qilin brother: let your website "Heartbeat" up, or use ajax to automatically save it every few minutes.

Furthermore, in terms of security, session forgery is much more difficult than Cookie forgery, which is safer.