
Managing Session State in ASP.Net

Using session state to save information


HTTP is a stateless protocol, which means that each request is processed as it comes; after the request has been processed, all of the data is discarded. No state is maintained across requests, even from the same client.


ASP.Net provides functionality to maintain state, which can be managed on either the client or the server.

Imagine a web form (name.aspx) that asks for a name and shows that name on another page (hello.aspx). In a stateless environment (figure 1) hello.aspx does not know about the information from name.aspx because the data has been discarded. Figure 2 illustrates that in a managed state environment hello.aspx is aware of the data entered.

[Figure 1: stateless environment]
[Figure 2: managed state environment]

Types of State Management

Server Side
  - Application State: Information is available to all users of a web application.
  - Session State: Information is only available to a user of a specific session.
  - SQL Server can store and maintain state on a website.

Client Side
  - Cookies: Text files store information to maintain state. The cookie is sent to the server with the information on each page request.
  - ViewState Property: Retains values between multiple requests for the same page.
  - Query Strings: Information is encrypted and appended to the end of a URL.

Session ID and Cookies

A session in ASP.Net is identified by a SessionID string, which by default is stored as a cookie on the client's computer. Cookies, however, are less reliable than server-side management options, since they can be deleted or modified by the user, or disabled altogether. If a client has disabled cookies, session state cannot be maintained using this method and you should use query strings instead.

Query Strings (cookieless)

If cookies cannot be used to store the SessionID then query strings must be used instead. This involves storing the session id within the URL of the page being requested. This is done automatically by the ASP.Net managed code, but it does mean that you cannot generate URLs yourself; they must all come from ASP.Net components.

An example of a query string is http://localhost/QueryStringDemo/(g4gns8dbldow83b2x)/Default.aspx

There are a number of issues with using query strings, including search engines, duplicate URLs and the possibility of session id tampering. Because there is a limit of 255 characters for the length of a URL, you are also limited in the amount of information that can be stored within a query string id.

To enable cookieless state management you need to set the sessionState section of the web.config file:

<sessionState cookieless="true" />
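
The cookieless setting above shown beside a cookie-only configuration, as an added example that is not part of the original article. The InProc mode and the 20-minute timeout are assumed values, and requireSSL assumes the site is served over HTTPS.

```xml
<!-- Added example (not from the original article). -->
<configuration>
  <system.web>
    <!-- Weak: with cookieless="true" the SessionID is part of every URL, so it
         is recorded in browser history, bookmarks, proxy and server logs, and
         can be passed on whenever a user shares a link.
         <sessionState cookieless="true" />
    -->

    <!-- Preferred: carry the SessionID in a cookie only and never in the URL.
         mode and timeout (minutes) are assumed values for this example. -->
    <sessionState mode="InProc"
                  cookieless="UseCookies"
                  timeout="20" />

    <!-- If cookieless mode cannot be avoided, have ASP.Net issue a new ID
         when a client presents one that has already expired:
         <sessionState cookieless="true" regenerateExpiredSessionId="true" />
    -->

    <!-- Keep cookies out of reach of client-side script and send them over
         HTTPS only (assumes the site is served over HTTPS). -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>
</configuration>
```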

Application State

Application state is a global storage mechanism accessible from all pages by all users in the web application. Application state can be set and accessed using the Application object.

// Application state stores values as object, so cast when reading.
int numberVisitors = (int)Application["NumberOfVisitors"];
Application["SiteName"] = "My Website Title";

Session State

Session state is a storage mechanism accessible by the user of a single session. Data cannot be transferred between sessions, nor can one session access the data of another session. Session State should be used to store information about a user or connection and can be accessed or set using the Session object.

Session["UserName"] = LoginForm.Username.Text;
// HTML-encode the stored user input before writing it to the response.
Response.Write("Hello " + Server.HtmlEncode((string)Session["UserName"]));

Session State requires that a session cookie be loaded onto the client's computer, or that a cookieless implementation involving query strings be used.


By default, the session state information is stored within the process. The advantage is that it is quickly accessible; however, this does not lead to a scalable application. In order to create a scalable session state management process, state data can be stored within a SQL Server database known as a state server.

To enable state servers you need to change the sessionState section of the web.config file.

<sessionState mode="SQLServer" sqlConnectionString="data source=sqlServerName;Integrated Security=true" />

You need to prepare the SQL server to act as a session server by running this command on the command line:

C:\> osql -S SqlServerName -E -i InstallSqlState.sql

Where SqlServerName is the name of the server. This command will execute the commands within the InstallSqlState file to create the databases and tables required.


ViewState is used to store the values submitted on a form and only works between requests of the same page. ViewState is most useful when a form is submitted and presented to the user a second time, maybe to correct an error, and the controls retain the information entered the first time. Without ViewState these values would have been lost.

Last updated on: Friday 8th September 2017




Copyright © 2001-2018 Tim Trott, all rights reserved. Web Design by Azulia Designs
