MSDN: asp.net status management suggestions

Status management is the process of maintaining the status and page information for multiple requests on the same page or different pages. Like all HTTP-based technologies, Web form pages are stateless, which means they do not automatically indicate whether all requests in the sequence come from the same client, or whether a single browser instance is always viewing pages or sites. In addition, every round-trip to the server will damage and re-create the page; therefore, if the lifecycle of a single page is exceeded, the page information will not exist. For more information about server round-trip and Web forms page lifecycle, see Web forms page processing.

ASP. NET provides multiple ways to maintain the status between server round-trip processes. The selection of status management options in ASP. NET depends primarily on your application and should be based on the following conditions:

• What is the amount of information that needs to be stored?
• Does the client accept persistent or in-memory cookies?
• Do you want to store information on the client or server?
• Is the information sensitive?
• What performance conditions have you set for your application?

ASP. NET supports various client and server options for status management.

Client options:

• ViewStateAttribute
• Hide domain
• Cookie
• Query string

Server options include:

• Application Status
• Session Status
• Database

Client status management options

Use the Client Option to store page information without using server resources. These options often have the lowest security but the fastest server performance, because the requirements for server resources are moderate. However, because the information must be sent to the client for storage, there are certain objective restrictions on how much information can be stored in this way.

View status

Web forms page providesViewStateProperty is used as a built-in structure, and the value is automatically retained between multiple requests on the same page. View status is maintained as hidden fields on the page. For more information, see Web forms status management.

You can use the view status to store your own page-specific values during the round-trip process when the page is sent back to itself. For example, if your application is maintaining user-specific information (that is, this information is used on the page but is not necessary for any control ), you can use the view status to store the information.

Advantages of view status:

• No server resources are required. View status is included in the structure of the page code.
• Simple implementation.
• Page and control status are automatically maintained.
• Enhanced security features. Values in the view State are hashed, compressed, and encoded for Unicode implementation, which means higher security than hidden fields.

The disadvantage of using view status is:

• Performance. Because the view status is stored on the page itself, if a large value is stored, the page speed may slow down when the user displays the page and sends the page.
• Security. View status is stored in the hidden domain on the page. Although the view State stores data in a hash format, it can be tampered. If you directly view the page output source, you can see information in the hidden domain, which leads to potential security issues. For more information, see Introduction to Web Application Security.

For more information about using view status, see using view status to save Web forms page values.

Hide domain

You can store page-specific information in the hidden domain on the page as a way to maintain the page status. For more information about hidden fields, see Web forms status management.

If you use a hidden domain, it is best to store only a small amount of frequently changed data on the client. ASP. NET providesHtmlInputHiddenControl, which provides the function of hiding fields. RelatedHtmlInputHiddenFor more information, see ASP. NET Server controls by function.

Note:If you want to use a hidden domain, you must use the http post method to submit a page to the server, instead of the http get method to request the page through the page URL.

Advantages of using hidden domains:

• No server resources are required. The hidden domain is stored and read on the page.
• Extensive support. Almost all browsers and client devices support forms with hidden fields.
• Simple implementation.

The disadvantage of using hidden domains is:

• Security. The hidden domain can be tampered. If you directly view the page output source, you can see information in the hidden domain, which leads to potential security issues. For more information, see Introduction to Web Application Security.
• A limited storage structure. Hidden fields do not support rich structures. The hidden domain provides the single-value domain in which information is stored. To store multiple values, you must separate the strings and analyze the code of those strings.
• Performance. Because the hidden domain is stored on the page itself, if a large value is stored, the page speed may slow down when the user displays the page and sends the page.

Cookie

Cookies are used to store a small amount of frequently changed information on the client. The information is sent to the server together with the request.

The advantage of using cookies is:

• No server resources are required. Cookies are stored on the client and are read by the server after being sent.
• Simple. Cookie is a lightweight, text-based structure with simple key-value pairs.
• You can configure the expiration time. The Cookie may expire at the end of the browser session, or may exist on the client computer indefinitely, depending on the client's expiration rules.

The disadvantage of using cookies is:

• The size is limited. Most browsers have a Cookie size limit of 4096 bytes, although the 8192-byte Cookie size is increasingly common in today's new browsers and client device versions.
• The user configuration is rejected. Some users disable the ability of browsers or client devices to receive cookies, thus limiting this function.
• Security. Cookies may be tampered. Users may manipulate cookies on their computers, which may affect security or cause failure of applications dependent on cookies. For more information, see Introduction to Web Application Security.
• Durability. The persistence of cookies on client computers is restricted by the client Cookie expiration process and user intervention.
  

  Note:Cookies are usually used to personalize custom content of known users. In most cases, cookies are used as "identifiers" rather than "authentication". Therefore, only the user name, account name, or unique user ID (such as GUID) is stored in cookies) it is sufficient to use it to access the user's personalized structure of the site.

For more information about how to create and read cookies, see And .

Query string

The query string is the information appended to the end of the URL of the page. For more information, see Web forms status management.

You can use a query string to submit data back to your page or another page through a URL. Querying strings provides a simple but limited way to maintain certain State information. For example, they are a simple way to transfer information from one page to another (for example, to another page that will process the product number ).

Note:You can only query strings on the URL request page. The query string cannot be read from the page that has been submitted to the server.

The advantage of using a query string is:

• No server resources are required. The query string is contained in an HTTP request to a specific URL.
• Extensive support. Almost all browsers and client devices support passing query string values.
• Simple implementation. ASP. NET fully supports the string query method, including the use The method used to read the query string.

The disadvantage of using a query string is:

• Security. You can directly view the information in the query string on the browser user interface. The query value is published to the Internet through a URL. Therefore, security may be compromised in some cases. For more information, see Introduction to Web Application Security.
• Limited capacity. Most browsers and client devices have a URL length limit of 255 characters.

Summary of client method Status Management

The following table summarizes the client status management options and scenarios where these options are used.

Method	Usage
View status	You need to store a small amount of information for the pages that will be sent back to you.ViewStateAttribute usage provides basic security features.
Hide domain	You need to store a small amount of information for pages that are sent back to you or another page without high security. Note:You can only use hidden domains on pages submitted to the server.
Cookie	A small amount of information needs to be stored on the client without high security.
Query string	A small amount of information can be transmitted from one page to another without high security. Note:The query string can be used only when one page is requested or another page is requested through a link.

Server Status Management Options

Server-side options that store page information are often more secure than client options, but they may use more Web server resources, which may cause scalability when the information storage volume is large. ASP. NET provides several options for server-side status management. For more information, see Web forms status management.

Application Status

ASP. NET Class provides the application status as a method to store the specific information of the global application (visible to the entire application. The application state variable is actually a global variable for ASP. NET applications. For more information, see .

You can store application-specific values in the application status, and the application status will be managed by the server. For more information, see Web forms status management.

Ideal data inserted into application state variables is data that is shared by multiple sessions and is not frequently changed.

Note:If you store a dataset as an application, you mustObjectForced conversion back to dataset. For more information, see Web data access policy recommendations.

The advantages of using the application status are:

• Easy to implement. The application status is easy to use, familiar to ASP developers, and consistent with other. NET Framework classes.
• Global range. Because the application status can be accessed by all pages in the application, storing information in the application status may mean that only one copy of the information is retained (for example, compared to multiple copies that save information in the session status or on a separate page ).

The disadvantage of using the application status is:

• Global range. Global application status may also be a disadvantage. Variables stored in the application state are global only for specific processes in which the application is running, and each application process may have different values. Therefore, you cannot rely on the application status to store unique values or update global counters in the network farm and network farm configurations.
• Durability. Because the global data stored in the application state is easy to lose, therefore, if the Web server process that contains the data is damaged (most likely due to server crash, upgrade, or shutdown), the data will be lost.
• Resource requirements. The application status requires the server memory, which may affect the server performance and scalability of the application.

The well-designed and implemented application status can improve the Web application performance. For example, if you place common and related static datasets in the application state, you can improve the site performance by reducing the total number of data requests to the database. However, there is a performance balance here. When the server load increases, application state variables containing large pieces of information will reduce the performance of the Web server. Before removing or replacing a value, the memory occupied by the variables stored in the application state will not be released. Therefore, it is best to use only application state variables for small datasets that are not frequently changed. For more information about optimizing ASP. NET Web applications, see .

Session Status

ASP. NET provides a session status that can be used Class or a method that stores session-specific information (only visible in this session. For more information, see Web forms status management introduction and .

You can store session-specific values and objects in the session state. The session State objects are managed by the server and can be used by browsers or client devices. Ideal data stored in session state variables is short-term and sensitive data specific to individual sessions.

Note:If you store a dataset as an application, you mustObjectForced conversion back to dataset. See Web data access policy recommendations.

The advantages of session status are:

• Easy to implement. The session Status function is easy to use and is familiar to ASP developers and consistent with other. NET Framework classes.
• Session-specific events. Session management events can be triggered and used by applications.
• Durability. Data stored in session state variables can withstand Internet Information Service (IIS) restart and auxiliary process restart without losing session data, this is because the data is stored in another process space.
• Scalability of the platform. The session state object can be used in multi-computer and multi-process configurations, thus optimizing the scalability scheme.
• Although the most common purpose of session status is to provide the user identification function to Web applications together with cookies, session status can be used in browsers that do not support HTTP cookies. For more information, see .

For more information, see .

The disadvantage of using session status is:

• Performance. Session status variables are stored in memory before they are removed or replaced, which may reduce server performance. If the session status variable contains information blocks similar to a large dataset, the performance of the Web server may be affected due to the increase in server load.

Database Support

In some cases, you may want to use database support to maintain the status on the Web site. Generally, databases can be used together with cookies or session statuses. For example, for e-commerce Web sites, the use of relational database maintenance status information is very common for the following reasons:

• Security
• Personalization
• Consistency
• Data Mining

The following are common functions of Cookie-supported database Web sites:

• Security. The visitor enters the account name and password into the site logon page. The site structure queries the database by logon value to determine whether the user has the right to use your site. If the Database confirms that the user information is valid, the Web site will distribute valid cookies containing the unique ID of the user to the client computer. The site grants the user access permission.
• Personalization. By storing security information in the appropriate location, your site can identify each user on the site by reading cookies on the client computer. Generally, a site has information in the database to describe users' preferences (identified by a unique ID ). This relationship is called personalization. Websites can use the unique ID contained in cookies to investigate users' preferences, and then provide users with content and information related to users' specific wishes and to respond to user preferences over a period of time.
• Consistency. If you have created a commercial Web site, you may want to keep the purchase transaction records for the goods and services on the site. This information can be reliably stored in your database and referenced by your unique ID. It can be used to determine whether the purchase transaction is complete, or to determine the process of operations that should be taken if the purchase transaction fails. This information can also be used to notify users of the status of the order placed on your site.
• Data Mining. Information about site usage, visitors, or product transactions can be reliably stored in the database. For example, the Business Development Department may want to use the data collected from the site to determine the product line or distribution strategy for the next year. The marketing department may want to view demographic information about users on your site. The design and support department may want to view the transaction and write down the areas where the purchase process can be improved. Most enterprise-level relational databases, such as Microsoft SQL Server, include extensible tool sets for most data mining projects.

In the above scheme, a Web site is designed to repeatedly query the database with a unique ID in each general stage, and the site maintains the status. In this method, the user feels that the site is remembering and responding to himself.

Database Maintenance has the following advantages:

• Security. Strict authentication and authorization are required for database access, which is usually very secure.
• Capacity. You can store as much information as possible in the database as needed.
• Durability. Database information can be stored as long as possible as needed, which is not affected by the availability of Web servers.
• Reliability and data integrity. The database includes a variety of functions used to maintain effectiveness, including the trigger and reference integrity, transactions, and so on. You can easily recover from errors by saving transaction information in the database (rather than in objects such as session state.
• Accessibility. The data stored in the database can be accessed by multiple information processing tools.
• Widely supported. A large number of database tools are available, and many custom configurations are available.

The disadvantage of using a database to maintain the status is:

• Complexity. Using the database to support status management means more complex hardware and software configurations.
• Performance. Poor relational data model structure may cause expansion problems. In addition, too many queries to the database may affect the server performance.

Summary of server method Status Management

The following table summarizes the server status management options and scenarios where these options are used.

Method	Usage
Application Status	You are storing global information that is not frequently changed. This information is used by multiple users, so security is not a problem. Do not store a large amount of information in the application state.
Session Status	It stores short-term information specific to individual sessions and requires high security. Do not store a large amount of information in the session state. Knowing that session State objects will be created and maintained for the lifetime of each session in the application. In applications that support many users, this may occupy a large amount of server resources and affect scalability.
Database Support	Stores a large amount of information, manages transactions, or information must be able to withstand application and session restart. Data Mining is very important and requires high security.

See

Web form status management | Web form status management overview | Web form programming | state management recommendations | use view status to save Web form page values |