ASP.NET supports different session state storage options:
Session State Service
As an alternative to using in-process storage for session state, ASP.NET provides the ASP.NET State Service. The State Service gives you an out-of-process alternative for storing session state that is not tied quite so closely to ASP. NET’s own process.
To use the State Service, you need to edit the
sessionStateelement in your ASP.NET application’s web.config file:
You’ll also need to start the ASP.NET State Service on the computer that you specified in the
stateConnectionStringattribute. The .NET Framework installs this service, but by default it’s set to manual startup. If you’re going to depend on it for storing session state, you’ll want to change that to automatic startup by using the Services MMC plug-in in the Administrative Tools group.
If you make these changes, and then repeat the previous set of steps, you’ll see slightly different behavior: session state persists even if you recycle the ASP.NET process.
There are two main advantages to using the State Service. First, it is not running in the same process as ASP.NET, so a crash of ASP.NET will not destroy session information. Second, the
stateConnectionStringthat’s used to locate the State Service includes the TCP/IP address of the service, which need not be running on the same computer as ASP.NET. This allows you to share state information across a web garden (multiple processors on the same computer) or even across a web farm (multiple servers running the application). With the default in-process storage, you can’t share state information between multiple instances of your application.
The major disadvantage of using the State Service is that it’s an external process, rather than part of ASP.NET. That means that reading and writing session state is slower than it would be if you kept the state in-process. And, of course, it’s one more process that you need to manage. As an example of the extra effort that this can entail, there is a bug in the initial release of the State Service that allows a determined attacker to crash the ASP.NET process remotely. If you’re using the State Service to store session state, you should install the patch from Microsoft Security Bulletin MS02-66, or install SP2 for the .NET Framework.
Microsoft SQL Server
The final choice for storing state information is to save it in a Microsoft SQL Server database. To use SQL Server for storing session state, you need to perform several setup steps:
Run the InstallSqlState.sql script on the Microsoft SQL Server where you intend to store session state. This script will create the necessary database and database objects. The .NET Framework installs this script in the same folder as its compilers and other tools–for example, C:WINNTMicrosoft.NETFrameworkv1.0.3705 on a Windows 2000 computer with the 1.0 version of the Framework. Edit the
sessionStateelement in the web.config file for your ASP.NET application as follows:
Supply the server name, user name, and password for a SQL Server account that has access to the session state database in the
Like the State Service, SQL Server lets you share session state among the processors in a web garden or the servers in a web farm. But you also get the additional benefit of persistent storage. Even if the computer hosting SQL Server crashes and is restarted, the session state information will still be present in the database, and will be available as soon as the database is running again. That’s because SQL Server, being an industrial-strength database, is designed to log its operations and protect your data at (almost) all costs. If you’re willing to invest in SQL Server clustering, you can keep the session state data available transparently to ASP.NET even if the primary SQL Server computer crashes.
Like the State Service, SQL Server is slower than keeping session state in process. You also need to pay additional licensing fees to use SQL Server for session state in a production application. And, of course, you need to worry about SQL Server-specific threats such as the “Slammer” worm.