Web Form Web pages are HTTP-based, they have no state, which means they don't know whether all requests come from
On the same client computer, the Web page is compromised, and if it is refreshed, it can cause information
Lost. As a result, state management becomes a real problem in developing Web applications.
These problems can be easily solved by using cookies, query strings, applications, sessions, etc. in ASP.
Now in the ASP. NET environment, we can still use these features, and the functionality is more powerful.
State management is divided into two cases: server and client, and this is just about server state management.
Unlike the Application object, an ASP. NET Session object can be used when the IIS server or worker process restarts
Restores the pre-boot state without losing the data. This is because the information stored in the session is stored by default in the
A state server process that is running as a Windows service. The state can be serialized and stored in memory in binary form.
Programmers can suspend the use of Microsoft SQL Server databases to store data.
The state Server service and state information can exist on the same server as the Web application, or it can be saved to an external
On the state server. To specify how information is stored, programmers can write the appropriate configuration in the Web. config file.
Asp. NET session state module in the Web. config file <System.web> tag under the <Sessionstate> tag's mode property to determine
The four possible values for this property are: Off, Inproc stateserver, and SQL Server.
1 InProc is the default setting
InProc (default, in-process session state): Session is stored in the IIS process (Web server memory). If you are using Windows Server or Windows Xp,iis using the Aspnet_wp.exe process, use w3wp.exe if you are using Windows 2003 Server,iis.
InProc has the best performance. However, it is easy to lose session information during the session. If you restart the application, all session information will be lost. There are many reasons for a restart of the ASP.
The Web. config or Global.asax file was modified, or the file modification date was changed.
Modified the files in the/bin or/app_code directory.
Anti-virus software modified the above files and so on
It allows "cookie-free" sessions, as well as storage outside the server
Session data. Asp. NET session state module is configured in the Web. config file as follows:
<sessionstate mode= "InProc" cookieless= "false" timeout= "/>"
In this example, the Mode property is set to InProc (the default), which indicates that the session state is to be stored in memory by ASP.
No cookie is used to pass the session ID. Instead, the session ID is inserted directly into the query string of a Web page URL. For example, using
After inproc the mode and establishing a session, invoking an imaginary ASP. NET page requires the following URL:
http://my.website.com/(12MFJU55VGBLUBJLWSI4DGJQ)/education.aspx
Long letters and numeric strings in parentheses are the session IDs. Asp. NET engine extracts the session ID from the query character and adds the user
Requests are linked to a specific session. In this way, no cookie or hidden form fields are unnecessary.
So, even if you don't use a form in your Web page, you can join a conversation.
But this way, the state of the application will depend on the ASP. NET process, when the IIS process crashes or restarts normally, save the
The status in the process is lost.
2 Mode property is set to Off
Like the previous ASP, ASP. NET session state management is to incur overhead. So, if a webpage doesn't need access
Session object, the developer should set the page precompiled Directive's EnableSessionState property to False.
To disable session state for the entire Web site, you can set the Mode property of the sessionstate element to off in the Web. config file.
To overcome the drawbacks of the InProc model, ASP. NET provides two ways to save session state outside of the process.
3 StateServer Session Management
Set the Mode property to StateServer, which is to store session data in a separate memory buffer and run on a separate machine
Windows services to control this buffer. The full name of the status service is "ASP." (Aspnet_state.exe),
It is configured by the stateConnectionString property in the Web. config file. This property specifies the server on which the service resides, and the
Port of view:
<sessionstate mode= "StateServer"
Stateconnectionstring= "tcpip=myserver:42424"
Cookieless= "false" timeout= "/>"
In this example, the State service runs on port 42424 (the default port) of a machine named MyServer. To change on the server
Port, you can edit the port value in the Hklm/system/currentcontrolset/services/aspnet_state registry key.
Obviously, the advantage of using a state service is process isolation and can be shared in a Web farm. With this mode, session state storage will not
Depending on the failure or restart of the IIS process, all session data will be lost once the state service is aborted. In other words, the state service does not
The data is persisted as SQL Server does, and it simply stores the data in memory.
4 Session Management with SQL Server
Asp. NET also allows session data to be stored in a database server by turning the Mode property into SQL.
In this case, ASP. NET attempts to store session data in the sqlConnectionString attribute (which contains the data source and the logon service
Security credentials required by the server.
In order to configure SQL erver with the appropriate database objects, the administrator also needs to create the ASPState database.
Method is to run the Installstate.sql script in the Windir/microsoft.net/framework/version folder (windir is the service
Windows folder, and version is the installation folder for the. NET Framework version you are using.
To configure a SQL Server, you can run SQL Server-provided command-line tools on the command line Osql.exe
osql-s [Server name]-u [user]-p [Password] <installsqlstate.sql
For example
Osql-s (local)/netsdk-u sa-p ""-I InstallSqlState.sql
Here the user name must be the SA account on the SQL Server, or another account with equivalent permissions. Interested readers can open the
This script file to understand how ASP. NET implements state management with SQL Server.
To unload these tables and stored procedures, you can use the UninstallSqlState.sql script, similar to the previous method.
After you have done the necessary database preparation, change the mode of the sessionstate element in the Web. config file to "SQL Server"
, and specify the SQL connection string. Specific as follows:
mode= "SQL Server"
sqlconnectionstring= "Data source=127.0.0.1; Userid=sa; Password= "
When SQL Server is configured, the application code runs with no difference from InProc mode. However, it is important to note that since the data does not exist
stored in local memory, so objects that store session state need to be serialized and deserialized to pass the network to the database server.
and returned from the database server. This will of course affect performance. By storing session state in the database, you can individually target scalability and reliability
To effectively balance performance. In addition, you can leverage the SQL Server cluster so that the state store does not depend on a single SQL Server,
This provides maximum reliability for the application.
1. Understanding Session state Mode
Storage location
Inproc:session stored in the server as an active object (aspnet_wp.exe)
The stateserver:session is serialized and stored in a separate aspnet_state.exe memory. StateServer can run on a different server
Sqlserver:session is serialized and saved in SQL Server
Performance:
InProc: The fastest, but the more session data, the more memory is consumed on the Web server, and it can affect performance.
StateServer: When storing data for a base type, such as String,integer, it is 15% slower than InProc in the same test environment. If you store a large number of objects, serialization and deserialization can affect performance
SQL Server: When storing data for a base type, such as String,integer, it is 25% slower than InProc in the same test environment. It also has the same serialization performance issues as StateServer.
Performance tips for Out-of-proc (OOP, non-inproc) mode
If you use OOP mode (that is, StateServer or SQL Server), serializing and deserializing objects in the session state will be one of your primary performance costs. For basic types, ASP. NET completes serialization and deserialization through an internal optimization method. (Basic types include all numeric types (such as int, Byte, decimal,string, DateTime, TimeSpan, Guid, IntPtr, UIntPtr, etc.))
If you have a session variable (such as a ArrayList object), and it is not a basic type, ASP. NET will use BinaryFormatter for serialization and deserialization, which can be relatively slow.
Therefore, for performance reasons, it is best to use the basic types listed above to store all session state data. For example, if you need to store two things, names and addresses, in the session state you can either use two string session variables to store them, or (method B) Create a class containing two strings to hold them. This class object is then saved in a session variable. For performance reasons, you should choose method A.
To further understand this topic, see a question in the FAQ: "How serialization and deserialization works in SQL Server and StateServer mode"
Robustness
InProc: Session state is lost if the worker process (aspnet_wp.exe) is being recycled or the application domain (appdomain) restarts. This is because the session state is stored in the memory space of an application domain. Modifications to configuration files (such as Web. config and machine.config) or any changes to the/bin directory (such as a new DLL created after you use VS to compile the application) can cause a restart, see KB324772 for details. In 1.0, there is also a bug that could cause the worker process to restart, but this bug has been fixed in 1.1, see KB321792.
If you are using IIS6.0, you can find the application Pools/defaultapppool in IIS Manager, where you can see the Recycle (Recycling) tab and Performance (Performace) Whether there are parameters in the tab that cause the IIS worker process (W3svc.exe) to stop working.
For more information about application resource recycling, you can read my other FAQ:
http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=232621
StateServer: resolves the session state loss problem in InProc mode. Allows a webfarm to store the session in a central server. The failure can only occur on the state server.
SQL Server: similar to StateServer. The session state data is still retained after SQL Server restarts, and you can follow KB311209 steps to use SQL Server failover cluster
Warning
InProc: It cannot work in Web garden mode because there will be multiple aspnet_wp.exe running on the same machine in this mode. It is recommended that you use the Web garden to switch to state Server or SQL Server. The Session_End event is supported only in InProc mode.
StateServer
-In a Web farm, make sure that you have the same <machineKey> on all Web servers. KB313091 describes how to set it up.
-Make sure that your object is serializable. See KB312112
-In order to maintain a Web site application path (such as/LM/W3SVC/2) in the session State,iis metabase on different Web servers in the Web farm, it should be consistent (case sensitive) on all servers. See KB325056
Sql server
-There is a bug in 1.0, if you specify integrity security (such as "trusted_connection=true" or "Integrated Security=sspi") in the connection string, And you open the identity emulation of ASP, it will not work. This problem is described in KB324479, and unfortunately the description and reason in this document is partly wrong. However, there is already a QFE fix for it, and this fix will be included in 1.0 SP3. This problem has been fixed in 1.1.
-Please make sure your object is serializable, otherwise your request may be suspended, see KB312112. The hang problem with SQL Server mode has been fixed in 1.1, and the KB324479 QFE fix also fixes the problem. 1.0 SP3 also fixed the problem.
-In order to maintain a Web site application path (such as/LM/W3SVC/2) in the session State,iis metabase on different Web servers in the Web farm, it should be consistent (case sensitive) on all servers. See KB325056
Other resources
Http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnaspp/html/aspnetsessionstate.asp
Http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnbda/html/CachingArchch2.asp
Http://www.411asp.net/home/tutorial/specific/web/sessions
2. FAQ questions List
Q:session State works on some browsers, while others do not. Why is it?
Q: In InProc mode, why do I sometimes lose all the sessions?
Q:session State works on some Web servers, but does not work on other servers.
Q: Why is session state unavailable?
Q: Why is session_end not triggered?
Q: Why are my session variables frequently lost when using InProc mode?
Q: Why does the SessionID remain unchanged after the session has been timed out or deleted?
Q: Why SessionID every request will change
What's the difference between Q:session.abandon () and Session.clear ()
is the timeout property of q:session a sliding timeout value?
Q: Can I share a session between ASP.
Q: Can I share session state between a Web application (such as a virtual directory or an IIS application)?
Q: What types of objects can be stored in the session state?
Q: Why did my request hang after switching to SQL Server mode?
Q: Why do Response.Redirect and Server.Transfer not work in Session_End?
Q: In Session_End, can I get a valid HttpSessionState object and HttpContext object?
Q: How do I use the session in a Web service?
Q: I am writing a httphandler, why does the session Stae not work?
Q: I am using the Web farm, and whenever I redirect to another server, the session state is lost?
Q: How do I redirect from an HTTP page to an HTTPS page if I use cookieless?
Does the q:session state have a lock mechanism to arrange the order of access to the session?
Q: How do I detect that a session expires and then redirect to another page
Q: In Session_End, I tried to use SQL to do some cleanup work, but failed, ask why?
Q: I am using SQL Server mode, why my session will not expire
Q: I have a frameset page with an HTM extension, and I find that each frame contained in it has a different sessionid on the first request, which is why?
Q: I set the EnableSessionState to ReadOnly, but in InProc mode, I can still modify the session, why?
Q: I set cookieless to True, the session variable is lost after redirect, why?
Q: What are the drawbacks of setting cookieless to True
Q: In InProc mode, I programmatically changed the session timeout time, it triggered the session_end, why?
Q: In SQL Server mode, can I save the session state in a database other than tempdb?
Q: How do I prevent the unencrypted string from being put in my connection string summary?
Q: What SQL permissions do I need when I use SQL Server mode?
Q: Can I write my own custom session state mode?
Q: How does serialization and deserialization work in SQL Server or StateServer mode?
Q: How can I make my state server more secure?
Q: Can I subscribe to the Sessionstatemodule.end event using a handler in a non-global.asax?
Q: Can different applications save their session state in a different database on the same SQL Server?
Q:session State works on some browsers, while others do not. Why is it?
A: It is estimated that you are not using cookieless and you must ensure that your browser supports cookies. Please refer to this copy of the kb:http://support.microsoft.com/default.aspx?scid=kb; en-us;q316112
Q: In InProc mode, why do I sometimes lose all the sessions?
A: See Understanding the Robustness section of the session state mode
Q:session State works on some Web servers, but does not work on other servers.
A: May be the problem of machine name, see http://support.microsoft.com/default.aspx?scid=KB; en-us;q316112
Q: Why is session state unavailable?
A:
-First, check the Web. config, machine.config, and Page tabs to confirm that you have session state enabled
Resources:
Http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/html/cpconsessionstate.asp
Http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpgenref/html/cpconpage.asp
-Please note that the session state is not available anywhere, at any time, and it will only work after the Httpapplication.acquirerequeststate event. For example, the session state is not available in the Application_onauthenticaterequest handler in Global.asax
-Make sure that System.Web.SessionState.SessionStateModule is included in the < httpmodules> section of the configuration file. A common example is that, for performance reasons, the SharePoint application removes the module from the Web. config file, resulting in the session not being available
Q: Why is session_end not triggered?
A: This is one of the most common problems
1. Keep in mind that Session_End is only available in InProc mode
2. Close the browser, Session_End will not be triggered. HTTP is a stateless protocol, and the server has no way of knowing if your browser is closed.
3. Session_End triggers when there is no action or call Session.Abandon for n minutes (n=timeout value)
4. For scenario 1, Session_End will be triggered by a background thread, which means:
A. The code in Session_End runs with the worker process account, and if you access resources such as a database, you may have permissions issues.
B. If an error occurs in Session_End, the program will not notify you of what happened
5. For Case 2, the session state must exist first in order for the session_end to trigger. This means that you have to store some data in the session state and have completed at least one request
6. For Case 2, the session_end is only triggered when the discarded Session is found. In this case, if you create and discard a session in the same request, it will not be found because the session is not saved, and Session_End won't be called. This is a bug in v1.0 and v1.1.
Q: Why are my session variables frequently lost when using InProc mode?
A: May be caused by application resource recovery, see Http://support.microsoft.com/default.aspx?scid=kb;en-us; Q316148
There is a bug in v1.0 that could cause worker processes to restart. Fixed in v1.1 and V 1.0sp2. See http://support.microsoft.com/default.aspx?scid=KB; en-us;321792
For more information about application resource recycling, see my other article: faqhttp://www.asp.net/forums/showpost.aspx?tabindex=1&postid=232621
Q: Why does the SessionID remain unchanged after the session has been timed out or deleted?
A: Although the session state expires after the timeout period, SessionID will remain until the browser session expires, that is, an identical SessionID can have multiple session timeouts, but always corresponds to an identical browser instance.
Q: Why SessionID every request will change
A: If your application has never stored data in the session state. In this case, each request will create a new session state (the ID is also new), but it will not be stored because there is no data in it.
However, there are two exceptions that may produce the same session ID
-If the user uses the same browser instance to request another page using session state, then each session ID you get is the same. See "Why does the SessionID stay the same after the session is timed out or deleted?" ”
-If the Session_OnStart event is used, ASP. NET will save the session state even if the session is empty.
What's the difference between Q:session.abandon () and Session.clear ()
A: The main difference is that if you call Session.Abandon (), Session_End will be triggered (applicable only under Inprocxi), and Session_Start triggered in the next request. The Session.clear () only clears the data, but does not delete the session.
is the timeout property of q:session a sliding timeout value?
A:session timeout is a sliding expiration time, meaning that once your page accesses the session state, the expiration time is shifted. Note that as long as the page is not disabled, the page automatically accesses the session when requested
Q: Can I share a session between ASP.
A: No, you can't. But there is an article about how to get around the problem: http://www.msdn.microsoft.com/library/default.asp?url=/library/en-us/dnaspp/html/ConvertToASPNET.asp
There are, of course, some third-party solutions.
Q: Can I share session state between a Web application (such as a virtual directory or an IIS application)?
A: No.
Q: What types of objects can be stored in the session state?
A: This is determined by the mode you use.
-If you are using InProc mode, the object stored in the session state is a live object, then you can store any objects you create
-If you are using SQL Server or state server mode, object objects in session state will be serialized and deserialized when processing a request, so make sure that your objects are serializable, and that their classes are serializable. If not, the session state will not be stored successfully. In v1.0, there is a bug that when this problem occurs, if you use SQL Server mode, the request may be suspended without your knowledge. The pending issues have been fixed in v1.1 and v1.0 SP3. KB324479 's QFE fix also contains fixes for this issue.
For more information, see: Http://support.microsoft.com/directory/article.asp?ID=KB; en-us;q312112
Q: Why did my request hang after switching to SQL Server mode?
A: See the question "What types of objects can I store in session state?" The answer
Q: Why do Response.Redirect and Server.Transfer not work in Session_End?
The a:session_end is triggered inside the server and is based on an internal timer. Therefore, when an event is triggered, it is not related to any HttpRequest object. That's why Response.Redirect and Server.Transfer don't work.
Q: In Session_End, can I get a valid HttpSessionState object and HttpContext object?
A: You can get HttpSessionState object, you can use ' Session ' to access the object. But you can't access HttpContext because this event has nothing to do with the request.
Q: How do I use the session in a Web service?
A: In order to use some tricks on the caller, you must save the cookie used by the Web service. See the MSDN documentation on Httpwebclientprotocol.cookiecontainer.
Nonetheless, if you are invoking a Web service from your page through a proxy object, the Web service and your page cannot share the session state due to schema limitations.
If you call the Web service through redirect, this can be done
Q: I am writing a httphandler, why does the session Stae not work?
A: Your HttpHandler interface must implement the tag interface irequiressessionstate or ireadonlysessionstate to use session state.
Q: I am using the Web farm, and whenever I redirect to another server, the session state is lost?
A: In order to maintain the site application path (such as/LM/W3SVC/2) in the session State,iis metabase between different servers in the Web farm, it should be consistent (case sensitive) on all Web servers. See KB325056
Q: How do I redirect from an HTTP page to an HTTPS page if I use cookieless?
A: Try using the following code:
String Originalurl = "/fxtest3/sub/foo2.aspx";
String Modifiedurl = "Https://localhost" + response.applyapppathmodifier (Originalurl);
Response.Redirect (Modifiedurl);
Does the q:session state have a lock mechanism to arrange the order of access to the session?
The A:session state implements a read-write locking mechanism:
-a page or frame that has write permission to the session state (such as <%@ page enablesessionstate= "True"%>) will get a write lock for the session until the request is finished.
-a page or frame that has read access to the session state (such as <%@ page enablesessionstate= "ReadOnly"%>) will receive the session's read lock until the request is finished.
-Read locks block write locks, read locks do not block read locks, and write locks block all read and write locks
-This is why when two frames have access to the session at the same time, one frame must wait for the other frame to complete first
Q: How do I detect that a session expires and then redirect to another page
A: This is a common problem, but unfortunately there is no easy way to do it. We will expect to implement it in a major release. Also, if you use cookies, you can store a flag in a cookie so that you can distinguish between new browser + new session and old browser + expired session, and the following code will redirect to an expired page when the session expires.
void Session_OnStart (Object sender, EventArgs e) {
HttpContext context = HttpContext.Current;
HttpCookieCollection cookies = context. Request.Cookies;
if (cookies["starttime"] = = null) {
HttpCookie cookie = new HttpCookie ("StartTime", DateTime.Now.ToString ());
Cookies. Path = "/";
Context. RESPONSE.COOKIES.ADD (cookie);
}
else {
Context. Response.Redirect ("expired.aspx");
}
}
Q: In Session_End, I tried to use SQL to do some cleanup work, but failed, ask why?
A: First, Session_End is supported only in InProc mode.
Second, Session_End is run with an account running the worker process (aspnet_wp.exe), which can be specified in Machine.config. Therefore, in your session_end, if you use integrity security to connect to SQL, it will use the worker process account identity connection, which may cause login failures, which depends on your SQL security settings.
Q: I am using SQL Server mode, why my session will not expire
A: In SQL Server mode, the session expiration is done by using a registration task by the SQL Agent, please verify that your SQL Agent is running.
Q: I have a frameset page with an HTM extension, and I find that each frame contained in it has a different sessionid on the first request, which is why?
A: The reason is that your frameset page is an HTM file instead of an ASPX page
Under normal circumstances, if a frameset page is an ASPX file, when you request the page, you will first send a request to the Web server, and you will receive an ASP. NET session cookie (which holds the session ID). The browser then sends a separate request for the frame, and each request will have the same session ID.
However, because your page is an HTM file, the first request will not get any session cookies because the page is processed by ASP instead of ASP. Then the browser sends a separate request for each frame. However, this time each individual request will not hold any session ID, so that each frame will create its own session. That's why the session ID you see in each frame is different. The last request will win because it will overwrite the cookie written by the first two requests. If you refresh once, you will see that they have the same session ID.
This behavior is determined by the design, and the simple solution is to rename the frameset page to ASPX
Q: I set the EnableSessionState to ReadOnly, but in InProc mode, I can still modify the session, why?
A: Although those enablesessionstate are set to ReadOnly, in InProc mode, the user can still modify the session. The only difference is that the session is not locked in the request, which is the design decision. I apologize for not mentioning this in MSDN.
Q: I set cookieless to True, the session variable is lost after redirect, why?
A: If you are using cookieless, you must use a relative path (such as. /hello.aspx), rather than an absolute path (such as/foo/bar/hello.aspx). If you are using an absolute path, ASP. NET does not save the session ID in the URL.
Q: What are the drawbacks of setting cookieless to True
A: Setting cookieless=true represents some of the underlying rules, mainly:
1. You cannot use the absolute path in your page
2. Switch between HTTP and HTTPS, you must do some extra action
3. If your customer sends a link to a friend, the URL will contain the session ID, and two users can use the same session ID at the same time
Q: In InProc mode, I programmatically changed the session timeout time, it triggered the session_end, why?
A: This is a bug in InProc. If you change the timeout value of the Session to another value, Session_End will be called (but not called session_start). We expect to be able to fix this error in v2.0.
Q: In SQL Server mode, can I save the session state in a database other than tempdb?
A: Yes. See KB311209.
Q: How do I prevent the unencrypted string from being put in my connection string summary?
A: See SQL Trusted Connection or save the connection string as encrypted data in the registry. For details, see KB329250 and KB329290.
Q: What SQL permissions do I need when I use SQL Server mode?
A: The caller needs to have EXEC permissions on the following stored procedure.
Dbo. Tempgetappid
Dbo. Tempgetstateitem
Dbo. Tempgetstateitemexclusive
Dbo. Tempreleasestateitemexclusive
Dbo. Tempinsertstateitemlong
Dbo. Tempinsertstateitemshort
Dbo. Tempupdatestateitemlong
Dbo. Tempupdatestateitemshort
Dbo. Tempupdatestateitemshortnulllong
Dbo. Tempupdatestateitemlongnullshort
Dbo. Tempremovestateitem
Dbo. Tempresettimeout
In v1.1, you also need to have EXEC permissions on the following stored procedures
Dbo. TempGetStateItem2
Dbo. TempGetStateItemExclusive2
Note that the owner of the stored procedure must be on the Session state table (dbo. ASPStateTempSessions and dbo. aspstatetempapplications) has Select/insert/update/delete permissions. Typically, the owner is the account that executes installsqlstate.sql (or the persistent version, see KB311209) to install the tables, stored procedures, and databases required by the SQL session state
Also note that if your Session state table is in tempdb (by default), all permission settings on this table will be lost if you recycle SQL Server.
Q: Can I write my own custom session state mode?
A: (pending translation)
Q: How does serialization and deserialization work in SQL Server or StateServer mode?
A: (pending translation)
Q: How can I make my state server more secure?
A: If state server and Web server are running on a single machine, set the Hkey_local_machine/system/currentcontrolset/services/aspnet_state/param The DWORD entry for Ters/allowremoteconnection is 0, which allows the state server to run only locally. This prevents the remote client from connecting to the state server. This feature is available in v1.1, and also in v1.0 SP3.
The state server must be protected by a firewall to prevent external connections to ensure true security. The default port is TCP 42424, and you can set Hkey_local_machine/system/currentcontrolset/services/aspnet_state/param ters/port to change it. If it is local mode, all external connections are blocked except 127.0.0.1, and if it is remote mode, all addresses are explicitly disabled in addition to the connection to the WEV server.
Using IPSec is another way to protect the state server.
Q: Can I subscribe to the Sessionstatemodule.end event using a handler in a non-global.asax?
A: The answer is no. When SessionStateModule triggers an end event, only methods defined in Global.asax are triggered
This is limited by considerations for security reasons. Assume that ASP. NET allows the user to use other handlers to handle the end event. In this case, the user typically uses a page method as the handler, and when you pass the handler on the event subscription, the handler associates with the HttpApplication instance that your program is running on. Note that the HttpApplication instance is recycled to handle other requests. In this case, when the end event fires, ASP. NET invokes the handler, and the HttpApplication instance associated with it is already in use by another request, which raises a variety of issues. To avoid this danger, the method defined in call Global.asax is determined in v1.0. I hope you can all endure this limitation.
Q: Can different applications save their session state in a different database on the same SQL Server?
A: The answer is yes. For details, see: http://support.microsoft.com/default.aspx?scid=kb; en-us;836680
Deep understanding of ASP. NET sessionstate