Tuesday, April 20, 2010

State Management (Session)

A session is defined as the period of time that a unique user interacts with a Web application.

Session provides the facility to store information on server memory.

Programmatically, session state is nothing more than memory in the shape of a dictionary or hash table, e.g. key-value pairs, which can be set and read for the duration of a user's session. For example, a user selects stocks to track and the Web application can store these values in the user's ASP session instance:

On subsequent pages these values are read and the Web application has access to these values without the user re-entering them:

Advantages and Disadvantages of Session ?
Following are the basic advantages and disadvantages of using session.
Advantages :
  • It helps to maintain user states and data to all over the application.
  • It can easily be implemented and we can store any kind of object. 
  • Stores every client data separately. 
  • Session is secure and transparent from user.
Disadvantages : 
  • Performance overhead in case of large volume of user, because of session data stored in server memory.
  • Overhead involved in serializing and De-Serializing session Data. because In case of StateServer and SQLServer session mode we need to serialize the object before store.

Session ID

Asp.Net use 120 bit identifier to track each session. This is secure enough and can't be reverse engineered. When client communicate with server, only  session id is transmitted, between them. When client request for data, ASP.NET looks on to session ID and retrieves corresponding data. This is done in following steps,
  • Client hits web site and some information is stored in session. 
  • Server creates a unique session ID for that clients and stored in Session State Provider
  • Again client request For some information with that unique session ID from Server.
  • Server,looks on Session Providers, and retrieve the serialized data from state server  and type cast the object . 

Session Event 

There are two types of session events available in asp.net.
  • Session_Start
  • Session_End
you  can handle both this event in global.asax file of  your web application. When a new session initiate session_start event raised and Session_End event raised when a session is abandoned or expired.
    Session configuration
    Below is a sample config.web file used to configure the session state settings for an ASP.NET application:

    sqlconnectionstring="data source=;user id="" password="password"


    The settings above are used to configure ASP.NET session state. Let's look at each in more detail and cover the various uses afterward.
    • Mode. The mode setting supports three options: inproc, sqlserver, and stateserver. As stated earlier, ASP.NET supports two modes: in process and out of process. There are also two options for out-of-process state management: memory based (stateserver), and SQL Server based (sqlserver). We'll discuss implementing these options shortly.Inpoc mode is by default and time duration is 30 minutes by default.
    • Cookieless. The cookieless option for ASP.NET is configured with this simple Boolean setting.
    • Timeout. This option controls the length of time a session is considered valid. The session timeout is a sliding value; for each request the timeout period is set to the current time plus the timeout value
    • Sqlconnectionstring. The sqlconnectionstring identifies the database connection string that names the database used for mode sqlserver.
    • Server. In the out-of-process mode stateserver, it names the server that is running the required Windows NT service: ASPState.
    • Port. The port setting, which accompanies the server setting, identifies the port number that corresponds to the server setting for mode stateserver.

    Session Mode and State Provider.

    In ASP.NET there are following session mode available.
    1. InProc
    2. Out-of-Process
      Out of Process can categorized in three parts

    For every session State, there is Session Provider. Following diagram will show you how they are related.

    we can choose the session State Provider based on which session state we are selecting. When ASP.NET request for any information based on session ID, session state and its corresponding provider are responsible for sending the proper information based on user. Following tables show, the session mode along with there provider Name.
    Session State Mode State Provider
    InProc  In-Memory Object
    StateServer Aspnet_state.exe
    SQLServer DataBase
    Custom CustomProvider
    apart from that, there is another mode, "Off". If we select this option the session will be disabled for the application.

    Advantages and Disadvantages of In-Process

    Advantages :

    • It store Session data in memory object of current application domain. So  accessing data is very fast and data is easily available.

  • There is not requirements of serialization to store data in InProc Session Mode.

  • Implementation is very easy,just similar to using View State.

  • Disadvantages :
    Although InProc Session is fastest, common and default mechanism, It has lots of limitation.
    • If the worker Process or application domain recycles all session data will be lost.
    • Though its fastest, but more session data and more users can affects performance, because of memory.
    • We can't use it in web Garden scenarios.
    • This session mode is not suitable for web farm scenarios also.

    StateServer Session Mode

    Overview of StateServer Session Mode :

    This is also called Out-Proc session mode. StateServer uses a stand-alone Windows Services, which is Independent to IIS and can also run on a separate server. This session state is totally managed by aspnet_state.exe. This server may runs on the same system, but it's out side of that main application domain where your web application is running. This allow if you restart your asp.net process restarted your session data will be alive. This approaches has several disadvantages due to the overhead of serialization and de-serialization, its also increases the cost of data access because of every time when user retrieves session data, our application hits a different process.
    In StateServer  the Session data is stored in a separate Server which is Independent to IIS and it handled by aspnet_state.exe. This process is run as windows Services.You can start this service from windows MMC or from command prompt.  From command from just typing "net start aspnet_state".

    In  stateserver mode data should be serializable.

    SQL Server Session Mode :

    Overview of SQL Server Session Mode :

    This session mode provide us more secure and reliable Session management in asp.net.In this session mode,the Session data is serialized and stored in the SQL Server database.Main disadvantages of this session storage methods is overhead related with Data Serialization and De-Serialization.It is the best option for using in the web farms.

    To setup SQL Server we need to take help of two sql Script.
    • For Installing: InstallSqlState.sql
    • For Un-Installing:UninstallSQLState.sql
    The most easiest way to configure SQL Server, is using aspnet_regsql command. 
    I have explained the detailed use of these file in configuration section. This is the most useful state management in the web farm scenario.

    When should we use SQL Server Session Mode ? 

    • SQL Server Session mode is more reliable and secure session state management.
    • Its keeps data in a centralized location (database).
    • We should use SQL server session mode when we need to implement Session with some more security.
    • If there happens to be frequent server Restart we can implement SQL server.
    • This is perfect mode that fits in web farm and web garden scenarios.
    • We can use SQL server Session mode when we need to share session between two different application.

    Configuration for SQL Server Session Mode  

    In SQL Server  Session mode, we are storing session data in a SQL Server, so we need to first provide the database connection string in web.config . sqlConnectionString attribute is used to provide the connection string in web.config.

    After setup the connection string we need to configure the SQL Server. I am explaining how to configure your your SQL server using aspnet_regsql command.
    Step 1: From Command prompt, Go to your Framework Version Directory

    E.g :c:\windows\microsoft.net\framework\<version>.

    Step 2 : Run aspnet_regsql command with following parameters

    Have a look on the parameter and there uses
    Parameters   Description
    -ssadd Add support for SQLServer mode session state.
    -sstype p P is stands for Persisted. Its persist the session data on server
    -S Specify Server Name
    -U Specify User Name
    -P Specify Password
    After run you will get the following message,

    that's all .
    Step 3 : Open SQL Server Management Studio, Check, A new database ASPState has been created  and there should be two tables,
    • ASPStateTempApplications 
    • ASPStateTempSessions

    Advantages and Disadvantages 

    Advantages :
    • Session data do not  affected if we restart the IIS.
    • It is the most reliable and secure session management.
    • It keeps data located centrally ,  It can be easily accessible from other application.
    • It is very useful in web farm and web garden scenarios.
    Disadvantages :
    • Processing is very slow in nature.
    • Object serialization and de-serialization creates overhead  for application.
    • As the session data is handled in different server, so we have to take care of SQL server. It should be always up and running.

    Custom Session Mode  

    Overview of Custom Session Mode : 

    Generally we use either of InProc, StateServer or SQL Server  Session mode for our application, but we also  need to know the fundamental of Custom Session mode. This session mode is quite interesting, because Custom session gives full control to us to create every thing even session ID.You can write your own algorithm to generate session ID.
    You can implement custom providers that store session data in other storage mechanisms simply by deriving from SessionStateStoreProviderBase Class. You can also Generate New Session Id by Implementing ISessionIDManager.
    This are the following methods are called during implementation of Custom Session

    In Initialize methods we can set the Custom Provider. This will initialize the connection with that specified provider.SetItemExpireCallback used to set SessionTimeOut, we can register any methods that will call at the time of session expire. InitializeRequest is called on every request and CreateNewStoreData used to create a new instance of SessionStateStoreData .

    When should we use Custom Session Mode ?

    we can use custom session mode in following of the cases,
    • We want to store session data rather than SQL Server.
    • When we have to use some existing table to store session data.
    • When we need to create our own session ID.

    What configuration do we need for it?  

    We need to configure our web.config like below,

    Advantages and Disadvantages 

    Advantages :

    • We can use some existing table for the store session data,It is useful when we have to use some old database rather than SQL Server.

    • It's not depending on IIS , So restarting web server does not make any effects on session data.
    • We can crate our own algorithm for generating Session ID.
    Disadvantages :
    • Processing of Data is very slow.
    • Creating a custom state provider is a low-level task that needs to be handled carefully to ensure security.
    Its always recommended to use any third party provider rather than creating your own.

    No comments: