Every ASP.NET application needs to manage client session information because of stateless nature of HTTP protocol. A question that is often asked in newsgroups, forums, and mailing lists is that, how does ASP.NET Session Management work, and which technique in ASP.NET is the best way to manage session in a web farm or high volume web site with large number of concurrent users? We will begin with a quick overview of ASP.NET session management alternatives, then dive into ASP.NET Session Management internals, and make some recommendations at the end.
ASP.NET Session Management Alternatives:
ASP.NET provides three modes of session state storage controlled by
mode attribute of
<sessionState> tag in your web application’s Web.config file. Below is a sample of this tag:
| ||Specifies where to store the session state.|
|Disables session state management.|
|Session state is stored locally in memory of ASP.NET worker process.|
|Session state is stored outside ASP.NET worker process and is managed by Windows service. Location of this service is specified by |
|Session state is stored outside ASP.NET worker process in SQL Server database. Location of this database is represented by |
Now, let’s take a look at session storage internals.
We access Session data through a property named
Session property is exposed by
System.Web.HttpContext class and
System.Web.UI.Page. (Every ASP.NET page is converted in a class which derives from
Page class.) This
Session property is an object of
HttpSessionState class in
System.Web.SessionState namespace as shown above.
HttpSession object has a private member
_dict of type
System.Web.SessionState) as shown below:
private SessionDictionary _dict;
SessionDictionary is an internal class which derives from
The relationship is depicted in a small class diagram:
The most important piece of the session state management puzzle is a
HttpModule talks to session state providers and hydrates
HttpSessionState for each HTTP request. This
HttpModule is listed in your machine.config file in
I reproduced part of this section from machine.config file from my computer, for reference:
<add name="OutputCache" type="System.Web.Caching.OutputCacheModule"/>
<add name="Session" type="System.Web.SessionState.SessionStateModule"/>
For every HTTP request to your page in your ASP.NET application, an object of type
HttpWorkerRequest is created and is served by an instance of
HttpApplication class. (For complete discussion of HTTP Pipeline model, check URLs mentioned in References.)
During the processing of this request,
InitModules() method of
HttpApplication class is called.
Figure 3 below depicts the entire call sequence:
InitModules(), all the modules listed under
<httpModules> section are initialized, i.e.,
Init method of each of these
HttpModules is called, i.e..
Init method of
SessionStateModule is called. In the
Init method of
SessionStateModule, session state settings are read from
<sessionState> section of web.config file of your ASP.NET application, and then it calls another method
InitModuleFromConfig. The signature of this method is listed below:
private void InitModuleFromConfig(HttpApplication app,
Config config, bool configInit);
app represents the instance of
HttpApplication class that is being used to serve the HTTP request.
InitModuleFromConfig adds various event handlers for session management related events that are raised from
InitInternal() method of
Table below shows which
SessionStateModule are tied to which events of
|Table : HttpApplication Events handled by the SessionStateModule EventHandlers|
Please note that, at this point, the session state data has not been acquired. There is one more important thing that happens after the above mentioned
EventHandlers are tied. Based on attribute values settings of
<sessionState> section in your ASP.NET application's config file, the session state provider is tied to
All the session state providers implement the interface
Table below shows the type of object used to manage state based on value of the
mode attribute of
|Session State Provider based on mode attribute of <System.web>\<sessionState>|
|mode||Class Handling Session State|
This session state provider or
StateClientManager is stored in a private variable of
Init() method of
SessionStateModule returns control to
InitInternal method of
HttpApplication, processing continues and
AcquireRequestState event is raised.
It is at this point that session state is actually acquired. When this event is raised, the event handler (
SessionStateModule which was tied earlier is called which then calls
SessionStateModule which then asks
StateClientManager to get the session state.
In order to judge the performance difference, we will look into each of these
StateClientManagers and see how the session data is actually stored and retrieved. For this and more, stay tuned for Part II.
This member has not yet provided a Biography. Assume it's interesting and varied, and probably something to do with programming.