Thursday, January 19, 2012

Session State


ASP.NET session state enables you to store and retrieve values for a user as the user navigates ASP.NET pages in a Web application. HTTP is a stateless protocol. This means that a Web server treats each HTTP request for a page as an independent request. The server retains no knowledge of variable values that were used during previous requests. ASP.NET session state identifies requests from the same browser during a limited time window as a session, and provides a way to persist variable values for the duration of that session. By default, ASP.NET session state is enabled for all ASP.NET applications.

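// Store a value in session state under the key "FirstName".
Session["FirstName"] = TxtFirstName.Text;

// Read an object back (ArrayList is in System.Collections), then save it again.
ArrayList stockPicks = (ArrayList)Session["StockPicks"];
Session["StockPicks"] = stockPicks;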

By default the Session will be created within the same process that your web site runs in (InProc). This is controlled by a setting in the web.config file:

<sessionState mode="InProc" />

Although running the Session in process is very convenient, it does mean that all Session values will be lost whenever the application recycles (such as when deploying updates). There are alternate modes you can use that will allow the Session state to survive even when the application recycles.

The available options are:

Off - No session state will be stored.
InProc - (The default) Session state exists within the process the web application is using.
StateServer - Session data is sent to the configured state server service.
SQLServer - Session data is stored in the configured SQL Server database.

Both the StateServer mode and the SQLServer mode allow Session state to survive an application recycle. However, reference type objects (such as class instances) can only be stored to StateServer or SQLServer if they have been marked with the Serializable attribute.

An important consideration for using Session state is that the Session does expire. By default, if a user does not access their Session data within 20 minutes, the Session will expire and all items that had been stored in the Session will be discarded. Because of this, it is important to check whether the object returned from the Session is null before you try to work with it. For example:

object sessionObject = Session["someObject"];
if (sessionObject != null)
{
    myLabel.Text = sessionObject.ToString();
}

The Session Timeout is adjustable through a web.config setting, but increasing the timeout value can put memory pressure on your server that may be undesirable.

<sessionState timeout="number of minutes" />

Other commonly used Session methods are:

Session.Abandon() - removes the Session and all items that it contains
Session.Clear() - removes all items from the Session
Session.RemoveAll() - removes all items from the Session
Session.Remove("itemName") - removes the item that was stored under the name "itemName"

Configuring Session State

Session state is configured by using the sessionState element of the system.web configuration section. 

The sessionState element enables you to specify the following options:

The mode in which the session will store data.
The way in which session identifier values are sent between the client and the server.
The session Timeout value.
Supporting values that are based on the session Mode setting.

The following example shows a sessionState element that configures an application for SQLServer session mode. It sets the Timeout value to 30 minutes, and specifies that session identifiers are stored in the URL.

<sessionState mode="SQLServer"
  cookieless="true"
  regenerateExpiredSessionId="true"
  timeout="30"
  sqlConnectionString="Data Source=MySqlServer;Integrated Security=SSPI;"
  stateNetworkTimeout="30" />

You can disable session state for an application by setting the session-state mode to Off.
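
With cookieless="true", as in the SQLServer example above, the session identifier is part of every URL, so anyone who obtains a URL (from browser history, a Referer header, a server or proxy log, or a copied link) holds the user's session until it times out. The following is an added example, not part of the original post: the same configuration with the identifier kept in a cookie, plus an httpCookies element that assumes the site is served only over HTTPS.

```xml
<system.web>
  <!-- Before (the post's example): cookieless="true" embeds the session ID
       in every URL, where it is stored and forwarded along with the address. -->

  <!-- After: the ID travels only in a cookie. UseCookies never falls back to
       the URL, unlike AutoDetect or UseDeviceProfile. Every other attribute
       is unchanged from the post's example. -->
  <sessionState mode="SQLServer"
    cookieless="UseCookies"
    regenerateExpiredSessionId="true"
    timeout="30"
    sqlConnectionString="Data Source=MySqlServer;Integrated Security=SSPI;"
    stateNetworkTimeout="30" />

  <!-- Assumption: HTTPS-only site. requireSSL adds the Secure flag to cookies
       ASP.NET issues, so the session cookie is not sent over plain HTTP;
       httpOnlyCookies marks cookies HttpOnly so client script cannot read them. -->
  <httpCookies httpOnlyCookies="true" requireSSL="true" />
</system.web>
```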