Introduction
Every ASP.NET application needs to manage client session information because of stateless nature of HTTP protocol. A question that is often asked in newsgroups, forums, and mailing lists is that, how does ASP.NET Session Management work, and which technique in ASP.NET is the best way to manage session in a web farm or high volume web site with large number of concurrent users? We will begin with a quick overview of ASP.NET session management alternatives, then dive into ASP.NET Session Management internals, and make some recommendations at the end.
ASP.NET Session Management Alternatives:
ASP.NET provides three modes of session state storage controlled by mode attribute of <sessionState> tag in your web application�s Web.config file. Below is a sample of this tag:
<sessionState
mode="InProc"
stateConnectionString="tcpip=127.0.0.1:42424"
sqlConnectionString="data source=127.0.0.1;Trusted_Connection=yes"
cookieless="false"
timeout="20" />
| Attribute |
Option |
Description |
mode |
|
Specifies where to store the session state. |
| |
Off |
Disables session state management. |
| |
InProc |
Session state is stored locally in memory of ASP.NET worker process. |
| |
StateServer |
Session state is stored outside ASP.NET worker process and is managed by Windows service. Location of this service is specified by stateConnectionString attribute. |
| |
SQLServer |
Session state is stored outside ASP.NET worker process in SQL Server database. Location of this database is represented by sqlConnectionString attribute. |
Now, let�s take a look at session storage internals.
We access Session data through a property named Session. This Session property is exposed by System.Web.HttpContext class and System.Web.UI.Page. (Every ASP.NET page is converted in a class which derives from Page class.) This Session property is an object of HttpSessionState class in System.Web.SessionState namespace as shown above.
HttpSession object has a private member _dict of type SessionDictionary (namespace System.Web.SessionState) as shown below:
private SessionDictionary _dict;
SessionDictionary is an internal class which derives from NameObjectCollectionBase.
The relationship is depicted in a small class diagram:
The most important piece of the session state management puzzle is a HttpModule called SessionStateModule. This HttpModule talks to session state providers and hydrates HttpSessionState for each HTTP request. This HttpModule is listed in your machine.config file in <httpModules> section.
I reproduced part of this section from machine.config file from my computer, for reference:
<httpModules>
<add name="OutputCache" type="System.Web.Caching.OutputCacheModule"/>
<add name="Session" type="System.Web.SessionState.SessionStateModule"/>
.
.
.
</httpModules>
For every HTTP request to your page in your ASP.NET application, an object of type HttpWorkerRequest is created and is served by an instance of HttpApplication class. (For complete discussion of HTTP Pipeline model, check URLs mentioned in References.)
During the processing of this request, InitModules() method of HttpApplication class is called.
Figure 3 below depicts the entire call sequence:
Inside InitModules(), all the modules listed under <system.web>/<httpModules> section are initialized, i.e., Init method of each of these HttpModules is called, i.e.. Init method of SessionStateModule is called. In the Init method of SessionStateModule, session state settings are read from <system.web>/<sessionState> section of web.config file of your ASP.NET application, and then it calls another method InitModuleFromConfig. The signature of this method is listed below:
private void InitModuleFromConfig(HttpApplication app,
Config config, bool configInit);
The parameter app represents the instance of HttpApplication class that is being used to serve the HTTP request.
InitModuleFromConfig adds various event handlers for session management related events that are raised from InitInternal() method of HttpApplication.
Table below shows which EventHandlers in SessionStateModule are tied to which events of HttpApplication class.
| Table : HttpApplication Events handled by the SessionStateModule EventHandlers |
| Event |
EventHandlers |
AcquireRequestState |
BeginAcquireState, EndAcquireState |
ReleaseRequestState |
OnReleaseState |
EndRequest |
OnEndRequest |
Please note that, at this point, the session state data has not been acquired. There is one more important thing that happens after the above mentioned EventHandlers are tied. Based on attribute values settings of <system.web>/<sessionState> section in your ASP.NET application's config file, the session state provider is tied to SessionStateModule.
All the session state providers implement the interface IStateClientManager.
Table below shows the type of object used to manage state based on value of the mode attribute of sessionStateTag:
| Session State Provider based on mode attribute of <System.web>\<sessionState> |
| mode |
Class Handling Session State |
InProc |
InProcStateClientManager |
StateServer |
OutOfProcStateClientManager |
SQLServer |
SqlStateClientManager |
This session state provider or StateClientManager is stored in a private variable of SessionStateModule.
Once Init() method of SessionStateModule returns control to InitInternal method of HttpApplication, processing continues and AcquireRequestState event is raised.
It is at this point that session state is actually acquired. When this event is raised, the event handler (BeginAcquireState) in SessionStateModule which was tied earlier is called which then calls GetSessionStateItem of SessionStateModule which then asks StateClientManager to get the session state.
In order to judge the performance difference, we will look into each of these StateClientManagers and see how the session data is actually stored and retrieved. For this and more, stay tuned for Part II.
References:
