Understanding ASP.net Session State

Function of Session state
HTTP is a stateless protocol, so it does not automatically indicate whether a sequence of requests is from the same client or even whether a single browser instance is still actively viewing a page or site. Using the ASP.net built-in session state feature, you can use the
1. Automatic identification and classification of requests from a single browser client to a logical application session on the server.
2, the session-wide data is stored on the server for use across multiple browser requests.
3. Raises appropriate session lifetime management events that can be handled in application code (Session_OnStart, Session_OnEnd, etc.)
II. Identification of Session state
When you create a session, the server generates a separate identity for each session. The identity is represented by a 120-bit SessionID string that contains only the ASCII characters allowed in the URL. The SessionID value is generated using an algorithm that guarantees uniqueness and randomness, in which the purpose of ensuring uniqueness is to ensure that the session is not conflicting, and that the purpose of ensuring randomness is to ensure that a malicious user cannot use the new SessionID to compute the SessionID of an existing session.
Iii. how session state is stored
There are three ways to store session state
1, in-process session state mode (INPROC): When we create a new Web program by default to adopt the process of Session state mode, which is widely used in the model. In this mode, session state is stored in the local asp.net worker process, so that the in-process session-state mode may be the fastest access option available to date. But the more data stored in a session, the more memory the WEB server consumes, potentially increasing the risk of performance degradation.
2.. NET State Server Mode (StateServer): Session state is stored in a remote process (for example, in a indows NT service named Aspnet_state.exe)
3, SQL mode (SQL Server): Session state is stored in a private database table managed by SQL Server.
Both the. NET state Server and SQL schemas can be called out-of-process session modes. When data is stored, data serialization needs to be stored in the external repository, and when reading and data, the data needs to be deserialized and copied into the local session dictionary, so the request causes performance degradation of 15% (out-of-process) to 25% (SQL Server). Note that this is only a rough estimate. But in an out-of-process storage scenario, the session state survives longer and makes the application more powerful because it protects against Microsoft? Internet Information Services (IIS) and ASP.net failed. By separating session state from your application, you can also make it easier to extend existing applications into Web Farm and web Garden architectures. In addition, session state is stored in an external process, fundamentally eliminating the risk of periodic data loss due to a process cycle.