ASP.NET Session Management [Example]

โšก Smart Summary

ASP.NET Session Management lets a stateless HTTP application remember user data across requests. It explains ViewState, the Session object for storing key-value pairs, a working example, session state modes, timeout configuration, and the advantages of session state.

  • ๐ŸŒ Stateless HTTP: HTTP does not retain data between requests, so ASP.NET adds mechanisms to preserve state.
  • ๐Ÿ—‚๏ธ ViewState: ViewState automatically carries control values from one page to the next.
  • ๐Ÿ”‘ Session Object: Session[“Key”] stores and retrieves key-value pairs throughout the application lifecycle.
  • โš™๏ธ State Modes: Session state can be stored InProc, on a StateServer, in SQL Server, or a custom store.
  • โฑ๏ธ Timeout: The sessionState timeout in web.config controls how long a session stays alive.

ASP.NET Session Management Tutorial with Example

ASP.NET Session Management

The HTTP protocol on which all web applications work is a stateless protocol. By stateless, it just means that information is not retained from one request to another.

For instance, if you had a login page which has 2 textboxes, one for the name and the other for the password. When you click the Login button on that page, the application needs to ensure that the username and password get passed onto the next page.

In ASP.Net, this is done in a variety of ways. The first way is via a concept called ViewState. This is where ASP.Net automatically stores the contents of all the controls. It also ensures this is passed onto the next page. This is done via a property called the ViewState.

It is not ideal for a developer to change anything in the view state. This is because it should be handled by ASP.Net only.

ASP.NET Session object

The other way is to use an object called a “Session Object.” The Session object is available throughout the lifecycle of the application. You can store any number of key-value pairs in the Session object. So on any page, you can store a value in the Session object via the below line of code.

Session["Key"] = value

This stores the value in a Session object, and the ‘key’ part is used to give the value a name. This allows the value to be retrieved at a later point in time. To retrieve a value, you can simply issue the below statement.

Session["Key"]

ASP.NET Session object Example

In our example, we are going to use the Session object to store the name entered in the name textbox field on the page. We are then going to retrieve that value and display it on the page accordingly. Let’s add the below code to the Demo.aspx.cs file.

Use the Session Object

protected void btnSubmit_Click(object sender, EventArgs e)
{
	Session["Name"] = txtName.Text;

	Response.Write(Session["Name"]);

	lblName.Visible = false;
	txtName.Visible = false;
	lstLocation.Visible = false;
	chkC.Visible = false;
	chkASP.Visible = false;
	rdMale.Visible = false;
	rdFemale.Visible = false;
	btnSubmit.Visible = false;
}

Code Explanation:-

  1. The first line of code takes the value of the Name textbox control and stores it in the Session object. By specifying the code of Session[“Name”], we are giving the property a name called “Name.” By specifying a name for the property, it becomes easier to retrieve it at a later point in time.
  2. The next line of code retrieves the stored value from the Session object. It then writes this value via the ‘Response.Write’ method back to the client.
  3. Finally, we make all the controls on the form invisible. If we don’t do this, all the controls plus our response values will be displayed together.

Once you make the above changes, you will see the following output.

Output:

Use the Session Object

From the output, you can see that the Session value of name was retrieved and displayed in the browser.

ASP.NET Session State Modes

ASP.NET can store session data in several places, called session state modes. The mode you choose affects performance, scalability, and whether data survives an application restart. The table below compares them:

Mode Where state is stored Best for
InProc In the web server’s memory (default) Single-server apps; fastest, but lost on restart
StateServer A separate ASP.NET State Service process Web farms; survives application restarts
SQLServer A SQL Server database Web farms needing durable, scalable state
Custom A custom provider you implement Specialized stores such as Redis
Off Session state disabled Applications that do not need sessions

InProc is the default and the fastest, but for load-balanced deployments, StateServer or SQLServer keeps sessions available across multiple servers.

How to Configure Session Timeout in ASP.NET

A session does not last forever; it expires after a period of inactivity. You can set this timeout in the web.config file using the sessionState element, where the timeout value is in minutes:

<configuration>
  <system.web>
    <sessionState mode="InProc" timeout="20" />
  </system.web>
</configuration>

You can also set it in code with Session.Timeout = 30;. The default timeout is 20 minutes. Choosing a shorter timeout frees server memory faster and improves security, while a longer timeout keeps users logged in for longer.

Advantages and Disadvantages of Session State

Session state is convenient, but it has trade-offs you should weigh before relying on it heavily.

Advantages:

  • Simple to use for storing per-user data such as a shopping cart or login details.
  • Can store complex objects, not just strings.
  • Data is kept on the server, so it is more secure than client-side storage.

Disadvantages:

  • InProc mode consumes server memory and does not scale across a web farm.
  • Session data is lost when the session times out or the application restarts (in InProc mode).
  • Storing large amounts of data per user can hurt performance under heavy load.

FAQs

Yes. AI assistants can generate the code to store and read Session values, suggest the right state mode, and write the web.config settings. Review the generated code to confirm it fits your scalability and security needs.

Yes. AI-based code review tools can flag risks such as session fixation, missing HTTPS-only cookies, or storing sensitive data in session. Treat the findings as guidance and confirm fixes with security testing before deployment.

Session state stores data for a single user’s session, while Application state stores data shared by all users of the application. Use Session for per-user values and Application for global data such as counters or configuration.

No. Each user gets a separate session, identified by a unique session ID stored in a cookie. One user cannot read another user’s session values, which is why Session is used for per-user data.

Summarize this post with: