36. Session

36.1 What are the different ways to manage client states?

Client state can be managed in different ways, session state, view state or using cookies. Here is an article from ftp online: Manage Client State that discusses this in more detail.

36.2 How to create a page that displays and manages images in a directory using a tree control?

Here is an article from ftp online: Display and Manage Images in ASP.NET

36.3 What are the server-side techniques to manage Session State on the Server?

Here is an article from ftp online: Manage Session State on the Server.

36.4 What techniques can be used to manage Session State on the Client?

Here is an article from ftp online: Manage Session State on the Client that describes how Cookies, Hidden Fields and Query Strings can be used to preserve session state.

36.5 How to simplify state maintenance with ASP.NET?

Here is an article from ftp online: Simplify State Maintenance With ASP.NET

36.6 When I use the Session in component class as Session("CustID"), I get error message "Session is not declared". Why?

Use HttpContext.Current.Session i.e
VB.NET

C#

36.7 How to print out all the variables in the Session?

VB.NET

C#

36.8 Why isn't session state available?

• - First, check your web.config, machine.config and your page directive to make sure you have enabled session state. Reference:
  • Session State
  • @ Page
• - session state is not available just everywhere, anytime. It is available only after the HttpApplication.AcquireRequestState event is called. For example, it is NOT available in the Application_OnAuthenticateRequest handler inside global.asax. For details, see: Handling Public Events
• - Lastly, make sure System.Web.SessionState.SessionStateModule is included the in your config files. A common case is that SharePoint application will remove this module from their web.config files (for performance reason), and thus session state isn't available.

36.9 Can I share session state between ASP.NET and ASP pages?

No. This MSDN article shows how to work around it: How to Share Session State Between Classic ASP and ASP.NET

36.10 Can I share session state between web applications (i.e. "virtual directories" or "applications" in IIS)?

No.

36.11 What is the difference between Session.Abandon() and Session.Clear()?

The major difference is that if you call Session.Abandon(), Session_End will be fired (for InProc mode), and in the next request, Session_Start will be fired. Session.Clear( ) just clears the session data without killing it.

36.12 The SessionID remains the same even after the Session times out or Session abandons?

The SessionID lasts as long as the browser session lasts even though the session state expires after the indicated timeout period i.e the same session ID can represent multiple sessions over time where the instance of the browser remain the same.

36.13 Why are my Session variables lost frequently when using InProc mode?

This can be due to application recycle.
See PRB: Session variables are lost intermittently in ASP.NET applications
In v1, there is also a bug that will cause worker process to restart. It's fixed in SP2 and v1.1. See FIX: ASP.NET Worker Process (Aspnet_wp.exe) Is Recycled Unexpectedly.

36.14 Does session state have a locking mechanism that serialize the access to state?

Session state implements a reader/writer locking mechanism:

• A page (or frame) that has session state write access (e.g. <%@ Page EnableSessionState="True" %>) will hold a writer lock on the session until the request finishes.
• A page (or frame) that has session state read access (e.g. <%@ Page EnableSessionState="ReadOnly" %>) will hold a reader lock on the session until the request finishes.
• Reader lock will block a writer lock; Reader lock will NOT block reader lock; Writer lock will block all reader and writer lock.
• That's why if two frames both have session state write access, one frame has to wait for the other to finish first

36.15 Response.Redirect and Server.Transfer is not working in Session_End?

Session_End is fired internally by the server, based on an internal timer. And thus there is no HttpRequest associted when that happens. That is why Response.Redirect or Server.Transfer does not make sense and will not work.

36.16 Is the session Timeout attribute a sliding timeout value?

The session Timeout is a sliding expiration time, meaning whatever your page access session state, the expiration time will be moved forward. Note that as long as a page has NOT disabled session state, it will access the session automatically when requested.

36.17 I am writing my own HttpHandler. Why is session state not working?

Your HttpHandler has to implement the "marker" interface IRequiresSessionState or IReadOnlySessionState in order to use session state.

36.18 Why isn't Session available in my event handlers in global.asax?

It depends on which event you're handling. Session is available only after AcquireRequestState event

36.19 Will my session state be saved when my page hit an error? Will my session state be saved when my page hit an error? In Session_End, I tried to do some cleanup job using SQL but it failed. Why?

1. Session_End is supported only in InProc mode.
2. Session_End is run using the account which runs the worker process (aspnet_wp.exe), which can be specified in machine.config. Therefore, in your Session_End, if you connect to SQL using integrated security, it will use that worker process account credential to connect, and may fail depending on your SQL security settings.

36.20 When I create a Session variable if I'm using inproc, where is the session variable stored?

• In II5, it's stored in the memory of aspnet_wp.exe.
• For IIS6, by default all apps will share the same application pool, i.e. the session state is stored in the memory of the process w3wp.exe. They are NOT separated per application, but instead per application pool (w3wp.exe)

36.21 Is the session timeout attribute in minutes or seconds?

The Timeout setting is in minutes, not in seconds. i.e The timeout attribute specifies the number of minutes a session can be idle before it is abandoned. The default is 20

36.22 How to store SortedList in Session or Cache?

VB.NET

To store in Session:

and to retrieve

C#

To store in Session:

and to retrieve

36.23 Why do I lose my Session variables on redirect when I set "cookieless" to true?

When using cookieless, you must use relative path (e.g. ..\webform1.aspx) instead of absolute path (e.g. \dir1\subdir1\webform1.aspx). If you use absolute path, ASP.NET cannot preserve your session ID in the URL.

36.24 What are the disadvantages of setting cookieless to true?

Setting Cookieless=true implies some restrictions, mainly:

1. You cannot use absolute link in your pages.
2. You have to perform additional steps to switch between http and https pages in your application.
3. If your customer sends a link to a friend, the URL will contain the session ID and both users could be using the same session ID at the same time.

36.25 Can I store my session state in a database other than tempdb, In SqlServer mode?

Yes. For more details Refer HOW TO: Configure ASP.NET for Persistent SQL Server Session State Management

36.26 Can different apps store their session state in different databases on the same SQL server?

Yes. Refer FIX: Using one SQL database for all applications for SQL Server session state may cause a bottleneck

36.27 Do I have a valid HttpSessionState object and HttpContext object in Session_End?

You will have the HttpSessionState object available. Just use 'Session' to access it.
For HttpContext, it is not available because this event is not associated with any request.

36.28 Why aren't my sessions expiring, I am using SQLServer mode?

In SQLServer mode, session expiration is carried out by the SQL Agent using a registered job. Make sure your SQL Agent is running.

36.29 I set EnableSessionState to "ReadOnly", but in InProc mode I can still modify the session. Why is that?

Even those enableSessionState is marked as ReadOnly, but in InProc state, the user can still modify the session. The only difference is that the session will not be locked during the request. This limitation is by-design

36.30 How can I avoid specifying a plain password for my sql connection?

Include a sql trusted connection, or put the connection string as encrypted data in the registry. Refer

• FIX: Stronger Credentials for processModel, identity, and sessionState
• How To Use the ASP.NET Utility to Encrypt Credentials and Session State Connection Strings

36.31 How can I use Session variables in a class?

VB.NET

C#

In similar manner you can use Application Variables too.

36.32 What kind of objects can I store in a Session State?

Depends on which mode you are using:

• InProc Mode- objects stored in session state are actually live objects, and so you can store whatever object you have created.
• State Server or SQL Server mode, objects in the session state will be serialized and deserialized when a request is processed. So make sure your objects are serializable and their classes must be marked as so. If not, the session state will not be saved successfully. In v1, there is a bug which makes the problem happen unnoticed in SQLServer mode and will make your request hang. The hanging problem is fixed in v1.1. The fix for KB 324479: ASP.NET SQL Server Session State Impersonation Is Lost Under Load also contains the fix for this problem. The problem will be fixed in v1 SP3 too.
  For more info: BUG: Session Data Is Not Saved in Out-of-Process Session State

36.33 Why did my request hang after I switch to SQLServer mode?

(Right answer?) Refer What kind of objects can I store in Session State?

36.34 I have a frameset page which has an HTM extension, and I found out that each frame it contains displays a different session id on the first request. Why?

The reason is that your frameset page is an HTM file instead of an ASPX file.
In normal a scenario, if the frameset is an aspx file, when you request the page, it will first send the request to the web server, receive an asp.net session cookie (which holds the session id), and then the browser will send individual requests for the frames, and each request will carry the same session id.
However, since your frameset page is an htm file, the first request comes back without any session cookie because the page was serviced by ASP and not ASP.NET. Then again your browser sends out individual requests for each frame. But this time each individual request will NOT carry any session id, and so each individual frame will create its own new session. That's why you will see different session ids in each frame. The last request that comes back will win by overwriting the cookie written by the previous two requests. If you do a refresh, you will see them having the same session id.
This behavior is by-design, and the simple solution is to change your frameset page to .aspx.

36.35 Why do I get the error message "Session state can only be used when enableSessionState is set to true, either in a configuration file or in the Page directive"?

This problem may occur after you install Windows Sharepoint Server(WSS) on a server that has Microsoft Visual Studio .NET 2003 installed. The WSS ISAPI filter handles all incoming URLs. When you browse one of the ASP.NET Web application virtual directories, the ISAPI filter does not locate the URL path of the folder.
To resolve this refer Session state cannot be used in ASP.NET with Windows SharePoint Services

36.36 How to remove a Session variable?

Use HttpSessionState.Remove()

36.37 Is there any way to know how much memory is being used by session variables in my application?

No