Part of the
You Can Learn ASP.Net and C# series.
By Ken Brown
Updated: January 30, 2005
Session state is a server side tool for managing state. Every time your
web app goes to the server to get the next request, the server has to know how
much of the last web page needs to be "remembered" when the new information is
sent to the web page. The process of knowing the values of controls and
variables is known as state management.
When a page postback occurs, ASP.Net has many techniques to remember state
information. Some of these state management information methods are on the
client side and others are on the server side. Client side methods for
maintaining state include query strings, cookies, hidden fields and view state.
Most client side state management modes can be read by users and other
programs, meaning that user ids and passwords can be stolen. But session state
sits on the server and the ability for other users to capture this information
is reduced and in some cases eliminated.
Session State is Server Side
Session state is server side. In session state, a special session id is stored
on the server. This session id identifies a specific ASP.Net application. The
session id is assigned to the calling browser.
The importance of this method is the server, especially in a web farm, can know
if a particular user is a new user or has already visited this web page.
Imagine in a web farm, where you have multiple servers serving the same web
page. How do the servers recognize unique visitors? It is through the session
id. Even if server one gets the initial request, server two and server three
can recognize user A as already having a session in process.
Now the server can store session specific information about the current user.
Is there highly critical sensitive information about the user that needs to be
remembered? Like credit card information or name, address and phone number?
This information can be kept out of the prying eyes of internet identity
thieves with session state.
How to Set Session State
To set session state, it is as easy as setting a key value pair:
Session["Name"] = txtName.Text; or Session.Add("Name",txtName.Text);
Then to retrieve session state after the postback
txtName.Text = Session["Name"].ToString();
You can store simple objects like strings into the session state and you can
also store more complex objects like arrays and structs and any object derived
Here is a list of supported methods of the HttpSessionState class.