Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
.NET – an Overview
Haris.A.L
Created on: 05-May-2008 5/6/2008 23:58:00 a5/p5
The Byte Scrolls Session Management in ASP.NET –an
Overview
CONTENTS
1.1.1 Importance
HTTP is stateless, means that the web pages don’t know if the requests are
from the same client and pages are recreated and destroyed every trip to the
server. Therefore, state management is important for web applications.
1.1.2 Methods
All data that needs to be available to the application across different requests
within the same session is called session state or session state data. For
storing such data between requests, there are in general two possibilities:
• Sending the state information back to the client. With the next
request the current state is transmitted to the server again.
• Keeping the necessary data structures on the server. No session
data (except the referencing identifier) is transmitted to the client.
• Sending the session state data back to the client is generally not
recommended. From a security perspective, the main problem is
that the session state can easily be manipulated on the client side if
it is not protected appropriately.
• In scenarios where session state information must be transmitted
back to the client, it is generally possible to sign all transmitted
session state information in order to prevent changes on the client
side. When the server receives session state information within
requests from the client, it can check the signature in order to verify
that the data was not altered.
• A functional drawback is that the size of the information that can be
stored by round-tripping it to the client side is limited through the
Keeping the session state strictly on the server is the recommended solution.
• Session state is stored in the server RAM.
• Session state is serialized and written to a persistent storage.
• Storing mechanism for session is irrelevant from a session
management security point of view.
• Ensure that the session state information is sufficiently protected
against illegal access on the server side.
There are three session state modes for ASP.NET Applications. Each mode offers
varying degrees of performance and scalability as described in the following list:
1.2.1 InProc
The in-process store provides the fastest access to session state. There is no
serialization or marshaling costs involved because state is maintained within
the managed memory of the ASP.NET process. When the process recycles,
the state data is lost, although we can disable process recycling in IIS if
process recycling affects the application.
Drawbacks:
• Limits application scalability
• Cannot use it in conjunction with multiple worker processes.
• Also, high numbers of large or concurrent sessions can cause
application to run out of memory.
Advantage:
• High Scalability.
Limitation:
• Performance is reduced in comparison to the in-process provider
because of the additional serialization and marshaling that is
required to transfer the state to and from the state store.
Microsoft SQL Server provides a highly scalable and easily available solution.
SQL Server is a solution that is well-suited to large amounts of session state.
The serialization and marshalling costs are the same as the costs for the
session state service, although overall performance is slightly lower.
SQL Server provides clustering for failover, although this is not supported in
the default configuration for session state. To enable clustering for failover, we
have to apply configuration changes, and the session data must be stored in
a non temporary table.
Developers can use Session state in applications and leave the implementation up to
the administrators. When developer creates an ASP.NET application on his
development machine, he can use in-process session state. Then when the application
is deployed to a production server Web farm, an administrator can change session state
to use either the ASP.NET State service or to host the session data in SQL Server. All of
these options are transparent to the application. A simple setting in Web.Config makes
the change in session state.
If your application does not require the ASP.NET session state services, turn it off. You
can do this on a single page or for an entire application. You can disable session state in
a page by adding EnableSessionState="false" in the Page directive like this:
You can also totally disable session state for an application by setting mode=”Off” in
Web.Config like this:
Once a web application has gained enough business traction to be handling thousands
of concurrent users and hundreds of requests per second, it inevitably bumps up against
the performance limits imposed by running on a single server.
• Route all requests to the server where the session originated. This
significantly reduces load balancing efficiency, and it impairs the
ability of the ASP.NET application to tolerate failures such as
recycling the worker-thread process under extreme load.
• Storing session state in a shared location, this can be accessed by
any of the web servers in the farm.
ASP.NET has built-in support for storing session state out-of-process, either
in a database or in the memory space of a designated state server.
Advantage:-
• By moving session state out-of-process, the dependency of a given
user on a given web server is reduced: if that web server fails or
recycles, the user’s current session data is not lost.
For out-of-process state storage to be possible, all .NET objects stored in session state
must be serializable. Because .NET classes are not serializable by default, this often
means recoding, either to add attributes to user-defined classes or to use serializable
built-in classes instead of ones that are not serializable.
State Server is simple, free software available with ASP.NET for storing
session state data. It can be run directly on the web server, at least providing
protecting from worker-thread recycling, or it can be run in a central location
to get the full benefits of non-affinity.
Advantages:-
• The application is already using SQL Server for retrieval and storage
of data related to the application.
• High availability features such as clustering to protect session state
data in case of failure.
Limitations:
• The performance of SQL Server is even slower than that of State
Server.
• SQL Server is designed to be a highly reliable and secure
transactional database, so the processing of session data takes
significantly longer.
• SQL Server also requires the same extra pair of network trips that
State Server does: at the beginning and end-of-page processing.