The web is inherently "stateless" because statelessness is a fundamental part of the HTTP protocol, which controls the way the entire web works. A separate overview of state in ASP.NET links to articles describing other ways to maintain state; that overview also shows how view state can look like session state (but it isn't). Session state is one way to maintain state. This article tells you what session state is and how to use it.
You can persist any .NET types using session state with the simple syntax:
Session("key") = myNetInformation
In fact, you can close down your application and still retrieve the session state sometime later. We'll see an example.
The difference with session state is that ...
- The server manages the state information.
- You can control how the information is managed.
Since this is server-based state management, the default is for the server to simply save the information in memory, called InProc ("In Process") mode. Since most servers are responding to a lot of clients, this can quickly exhaust server memory if you're not careful. For that reason, session state has a built-in Timeout property with a default of 20 minutes. If your application needs to save a lot of information in session state, you can use a SQL Server database with mode="SQLServer". If you need to make state available to multiple web servers in a server farm, you can use mode="StateServer", which stores session state in a separate process. Or you can code your own with mode="Custom". Code these modes in web.config like this:
<system.web>
    <sessionState mode="Custom" ... />
    ...
</system.web>
The server uses a value called SessionID to identify the entire session. This is usually passed in a cookie, but you can tell the server to pass it as part of the URL instead by coding ...
<sessionState cookieless="true" />
... in the web.config file. If you would like to see how session state is preserved even between browser sessions, add the <sessionState cookieless="true" /> element shown above to <system.web> in web.config and then run a program that adds something to session state, like this:
Protected Sub Page_Load(
        ByVal sender As Object,
        ByVal e As System.EventArgs
        ) Handles Me.Load
    If Not IsPostBack Then
        Dim theArray As New BitArray(
            {True, False, True, True, False}
            )
        Session("saveBits") = theArray
    End If
End Sub
You will see the SessionID as part of the URL, something like this:
http://localhost:56348/WebSite1/(S(zzlgd2fltvcckm4tlpcye2ro))/default.aspx
The SessionID is the value inside S(...). If you're still within the Timeout of the session, you should be able to start a different application with code like this ...
' Session("saveBits") is Nothing if the session has timed out.
Dim recoverBits As BitArray =
    CType(Session("saveBits"), BitArray)
' The BitArray is zero based.
' True was saved in index location (2)
If recoverBits IsNot Nothing AndAlso recoverBits(2) = True Then
    MsgBox("Got It!")
End If
... and use the URL ...
http://localhost:56348/WebSite1/(S(zzlgd2fltvcckm4tlpcye2ro))/theNewPage.aspx
... to retrieve the values from session state. (This example uses the Visual Studio integrated web server.) In fact, hijacking the SessionID and using it to retrieve all of the session information is one of the ways that security can be compromised. To prevent this, Microsoft recommends that if you use session state with any sensitive information, all communication between the client and server should be encrypted.
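The recommendation above can also be expressed as configuration. The following web.config is an added example, not part of the original article; it assumes the site is served only over HTTPS, and the choice of InProc mode is illustrative.

```xml
<?xml version="1.0"?>
<!-- Added example (constructed): hardened session settings for web.config. -->
<configuration>
  <system.web>
    <!--
      Setting demonstrated in the article, shown here for contrast only:
        <sessionState cookieless="true" />
      It places the SessionID in every URL, where it ends up in browser
      history, bookmarks, copied links, proxy logs and Referer headers.
    -->

    <!-- Keep the SessionID in a cookie, never in the URL.
         timeout is in minutes; 20 is the default the article mentions. -->
    <sessionState mode="InProc"
                  cookieless="UseCookies"
                  timeout="20" />

    <!-- requireSSL: the browser returns cookies, including the session
         cookie, only over an encrypted (HTTPS) connection.
         httpOnlyCookies: client-side script cannot read the cookies. -->
    <httpCookies requireSSL="true" httpOnlyCookies="true" />
  </system.web>
</configuration>
```

With requireSSL="true", a page requested over plain HTTP never receives the session cookie back, so each such request starts a new session; serve the whole site over HTTPS before enabling it.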

