ASP.NET Session State enables us to store and retrieve user information as user navigates from one page to another. User information is stored in server memory for limited period of time, and information of each client is stored separately. By default Session state is enabled for all Asp.Net application. 

If user is idle for limited period of time then Session for that user will expire. By default the timeout period of session state is 30 minutes, but if we need we can change the timeout period manually.

Session Variable

Session variables are stored in a SessionStateItemCollection object that is exposed through the HttpContextSession() property. The collection of session variables can be indexed by the name of variable or number index. 

Example

Session["FirstName"] = FirstNameTextBox.Text;
Session["LastName"] = LastNameTextBox.Text;
// When retrieving an object from session state, cast it to
// the appropriate type.
ArrayList stockPicks = (ArrayList)Session["StockPicks"];
String firstname=(String)Session[“FirstName”]; 
// Write the modified stock picks list back to session state.
Session["StockPicks"] = stockPicks;

Session Identifiers

Sessions are identified by a unique identifier which can be read by using SessionID() property of Session. If session is enabled for ASP.Net, each time request for a page is sent form user session id is examined. If session id is not supplied then new session id for that request is created and is sent to the browser with response.

By default session id is stored in cookies but we can also store it in URL for cookieless session. A session is considered active as long as requests continue to be made with the same SessionID() value. If the time between requests for a particular session exceeds the specified time-out value in minutes, the session is considered expired. Requests made with an expired SessionID() value result in a new session

Cookieless SessionIDs

By default, the SessionID() value is stored in a non-expiring session cookie in the browser. However, it can be specified that session identifiers should not be stored in a cookie by setting the cookieless attribute to true in the sessionState section of the Web.config file.

Example

Web.config file that configures cookieless session identifiers

<configuration>
  <system.web>
    <sessionState cookieless="true"
      regenerateExpiredSessionId="true"/>
  </system.web>
</configuration>

ASP.NET maintains cookieless session state by automatically inserting a unique session ID into the page's URL.

Example

http://www.example.com/(S(lit3py55t21z5v55vlm25s55))/orderform.aspx

here the unique session id is “lit3py55t21z5v55vlm25s55” which is added to the URL.

Session Modes

ASP.NET session state supports several storage options for session variables. Each option is identified as a session-state Mode() type. The default behavior is to store session variables in the memory space of the ASP.NET worker process. However, we can also specify that session state should be stored in a separate process, in a SQL Server database, or in a custom data source. If we do not want session state enabled for your application, you can set the session mode to Off().

The following list describes the available session state modes:       

• InProc mode, which stores session state in memory on the Web server. This is the default.
•           StateServer mode, which stores session state in a separate process called the ASP.NET state service. This ensures that session state is preserved if the Web application is restarted and also makes session state available to multiple Web servers   in  a Web farm.
•            SQLServer mode stores session state in a SQL Server database. This ensures that session state is preserved if the Web application is restarted and also   makes session state available to multiple Web servers in a Web farm.
•            Custom mode, which enables you to specify a custom storage provider.
•             Off mode, this disables session state.

Session Events

ASP.NET provides two events, Session_OnStart and Session_OnEnd. The Session_OnStart event is raised when a new session starts, and the Session_OnEnd event is raised when a session is abandoned or expires. Session events are specified in the Global.asax file for an ASP.NET application.

Session_OnEnd is only supported in InProc mode, so inorder to use Session_OnEnd session mode should be set to InProc mode.