I. Session State
HTTP is a stateless protocol, so it does not indicate whether a sequence of requests comes from the same client, or even whether a single browser instance is still actively viewing a page or site. With the built-in session state feature of ASP.NET, you can:
1. Automatically identify and classify requests coming from a single browser client into a logical application session on the server.
2. Store session-scoped data on the server for use across multiple browser requests.
3. Raise the appropriate session lifetime management events (Session_OnStart, Session_OnEnd, and so on) that can be handled in application code.
II. Session State Identification
When a session is created, the server generates a separate identifier for it. The identifier is a 120-bit SessionID string that contains only the ASCII characters allowed in URLs. The SessionID is generated by an algorithm that guarantees uniqueness and randomness. Uniqueness ensures that sessions do not collide; randomness ensures that a malicious user cannot use a new SessionID to calculate the SessionID of an existing session.
III. Session State Storage
Three storage methods are available for session state.
1. In-process session state mode (InProc): When a web application is created, the in-process session state mode is used by default. This mode is also the most widely used. In this mode, session state is stored in the local ASP.NET worker process. In-process mode is by far the fastest access option. However, the more data is stored in sessions, the more memory the web server consumes, which increases the risk of degraded performance.
2. .NET state server mode (StateServer): Session state is stored in a remote process (for example, in the Windows NT service named aspnet_state.exe).
3. SQL mode (SQLServer): Session state is stored in a dedicated database table managed by SQL Server.
The .NET state server mode and the SQL mode are both out-of-process session modes. To store data, it must be serialized and written to the external repository; to read it, the data must be deserialized and copied into the local session dictionary. As a result, request performance drops by 15% (out-of-process) to 25% (SQL Server). Note that this is only a rough estimate. In return, session state in an out-of-process store survives longer, which makes the application more robust, because it is protected against Microsoft Internet Information Services (IIS) and ASP.NET failures. Separating session state from the application also makes it easy to extend an existing application to web farm and web garden architectures. In addition, storing session state in an external process eliminates the risk of periodic data loss caused by process recycling.
IV. Session State Configuration
Session state is configured in the <sessionState> section of the web.config file. The following describes how to configure the three session state modes.
1. In-process mode
In-process mode is the default session state mode. To use in-process mode, set the mode attribute of the <sessionState> element to InProc.
The following shows an example configuration for in-process mode.
<configuration>
  <system.web>
    <sessionState mode="InProc"
                  cookieless="false"
                  timeout="20"/>
  </system.web>
</configuration>
2. State server mode
To use a state server, first make sure that the ASP.NET state service is running on the remote server used for session storage. This service is installed with ASP.NET and Visual Studio .NET in the following location:
SYSTEMROOT\Microsoft.NET\Framework\versionnumber\aspnet_state.exe
Then, in the web.config file of the application, set the mode attribute of the <sessionState> element to StateServer. Finally, set the stateConnectionString attribute to tcpip=servername:portnumber.
The following shows an example configuration for state server mode.
<configuration>
  <system.web>
    <sessionState mode="StateServer"
                  stateConnectionString="tcpip=dataserver:42424"
                  cookieless="false"
                  timeout="20"/>
  </system.web>
</configuration>
3. SQL Server mode
To use SQL Server, run InstallSqlState.sql or InstallPersistSqlState.sql on the SQL Server computer that stores the session state. Both scripts create a database named ASPState, which contains several stored procedures.
The difference between the two scripts lies in where the ASPStateTempApplications and ASPStateTempSessions tables are placed. The InstallSqlState.sql script adds these tables to the tempdb database, which loses its data when the computer restarts. The InstallPersistSqlState.sql script instead adds these tables to the ASPState database, so session data is retained when the computer restarts.
By default, both script files are installed in the following location:
SYSTEMROOT\Microsoft.NET\Framework\versionnumber
Then, in the web.config file of the application, set the mode attribute of the <sessionState> element to SQLServer. Finally, set the sqlConnectionString attribute to Integrated Security=SSPI;data source=servername;.
The following shows an example configuration for SQL Server mode.
<configuration>
  <system.web>
    <sessionState mode="SQLServer"
                  sqlConnectionString="Integrated Security=SSPI;data source=dataserver;"
                  cookieless="false"
                  timeout="20"/>
  </system.web>
</configuration>
In SQL Server mode, you can also set up session state to work in a failover cluster. A failover cluster is two or more identical, redundant web servers that store session data in a SQL Server database on a separate computer. If one web server fails, another server in the cluster takes over its work and serves the requests, so session data is not lost.
To configure a failover cluster, set the <machineKey> element in the web.config file of every web server to the same value.
Then, set the SQL connection string of each web server to point to the SQL Server database on the computer that stores the session data.
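The three configurations above can be reviewed mechanically. The following Python script is an added example, not part of the original article or of ASP.NET: it reads the <sessionState> element of a web.config and reports settings worth a second look. The function names, the wording of the findings, the 20-minute review threshold and the treatment of a missing stateConnectionString as local are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the page's StateServer settings with cookieless switched on.
SAMPLE = """<configuration><system.web>
  <sessionState mode="StateServer" cookieless="true" timeout="20"
                stateConnectionString="tcpip=dataserver:42424"/>
</system.web></configuration>"""

MAX_TIMEOUT_MINUTES = 20  # assumed review threshold (the default), not a framework limit
LOCAL_HOSTS = {"localhost", "127.0.0.1"}


def parse_pairs(conn):
    """Split 'key=value;key=value' into a dict with lower-cased keys."""
    pairs = (item.split("=", 1) for item in conn.split(";") if "=" in item)
    return {key.strip().lower(): value.strip() for key, value in pairs}


def audit_session_state(web_config_xml):
    """Return (setting, finding) tuples for the first <sessionState> element."""
    node = next(ET.fromstring(web_config_xml).iter("sessionState"), None)
    if node is None:
        return []  # defaults apply: in-process storage, 20-minute timeout
    attrs = node.attrib
    mode = attrs.get("mode", "InProc").strip().lower()
    findings = []
    # Anything other than cookie-only tracking can place the session ID in the URL.
    if attrs.get("cookieless", "false").strip().lower() not in ("false", "usecookies"):
        findings.append(("cookieless", "session ID can appear in URLs, logs and Referer headers"))
    if int(attrs.get("timeout", "20")) > MAX_TIMEOUT_MINUTES:
        findings.append(("timeout", "idle sessions stay valid longer than the default"))
    if mode == "stateserver":
        # Assumption of this example: a missing connection string means a local service.
        target = parse_pairs(attrs.get("stateConnectionString", "")).get("tcpip", "localhost:42424")
        if target.rsplit(":", 1)[0].lower() not in LOCAL_HOSTS:
            findings.append(("stateConnectionString",
                             f"session data crosses the network to {target}; restrict that port"))
    elif mode == "sqlserver":
        keys = parse_pairs(attrs.get("sqlConnectionString", ""))
        if keys.keys() & {"password", "pwd"}:
            findings.append(("sqlConnectionString",
                             "SQL credentials in web.config; prefer Integrated Security=SSPI"))
    if mode != "inproc":
        # Per the article, only InProc mode raises the session end event.
        findings.append(("mode", "Session_OnEnd never fires; cleanup code there will not run"))
    return findings


if __name__ == "__main__":
    for setting, finding in audit_session_state(SAMPLE):
        print(f"{setting}: {finding}")
```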
V. Accessing Session State
You can access session state directly through the Session collection. For compatibility with earlier versions of ASP, you can also access session state through the Session.Contents property on the Application object.
The following example writes two values to the Session collection on the first page and then reads them back on the second page. Note: the page code is omitted here.
The first web page writes the values to the Session collection.
Dim name As String = ""
Dim id As Integer = 1
' Store both values in the Session collection under string keys.
Session("name") = name
Session("ID") = id
The second web page reads the values from the Session collection.
' Session items are returned as Object, so convert them to the expected types.
Dim name As String = CStr(Session("name"))
Dim id As Integer = CInt(Session("ID"))
' Obtain the number of items in the Session collection.
Dim i As Integer = Session.Count
Note that in in-process mode no real serialization or deserialization takes place, so objects are stored in session state as live instances of their respective classes.
In the out-of-process session modes, serialization and deserialization are used, so you need to convert data types as required.
If you serialize a date value, the date type should be Int64.
VI. Session Lifetime Management Events
There are two session lifetime management events: Session_OnStart and Session_OnEnd. You can handle these events in the Global.asax.vb file.
1. Session_OnStart event
The Session_OnStart event is raised when a single browser client first connects to the server. It marks the start of the session and is not raised again during subsequent browsing unless the session times out or is abandoned. The Session_OnStart event is the best place to set session-scoped variables, because they are then set before any page is accessed.
Example: The following Session_OnStart event code is commonly used to count the number of online users:
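Sub Session_Start(ByVal sender As Object, ByVal e As EventArgs)
    ' When the event occurs, increase the number of online users by 1.
    ' Lock the application state so that concurrent sessions do not lose updates.
    Application.Lock()
    Application("usercount") = CInt(Application("usercount")) + 1
    Application.UnLock()
End Sub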
2. Session_OnEnd event
The Session_OnEnd event occurs when the session is abandoned or times out. It marks the end of the session. Note that only InProc mode supports this event. You can use the timeout attribute of the <sessionState> section of the web.config file to specify the time-out period. If the user does not refresh the page or request a page within the time-out period (in minutes; the default value is 20 minutes), the session is terminated. You can use the Session_OnEnd event to clean up data.
Example: The following Session_OnEnd event code is commonly used to count the number of online users:
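Sub Session_End(ByVal sender As Object, ByVal e As EventArgs)
    ' When the event occurs, decrease the number of online users by 1.
    Application.Lock()
    Application("usercount") = CInt(Application("usercount")) - 1
    Application.UnLock()
End Sub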