Fun With .NET Sessions
Published on May 5, 2017 by arothstein
Web-based applications typically require the capacity to store and retain information on behalf of its users, for a finite period of time. That duration, referred to as the user’s “Session”, begins the moment the user first interacts with the application and ends at some arbitrary point-in-time after the user ceases interaction. The Session serves as a provisional allocation of memory, unique to each user, where data can be added during one page request and retrieved, manipulated or deleted during later page requests.
Envision an online clothing store, where you peruse the fall fashions and add items to your cart. Later, you glance over other sections like children’s, clearance and automotive, adding more items to your cart as you go. Along the way you may remove a few items and/or decide you want multiples of others. Once you’re ready to make a purchase, you arrive at the checkout and see all of your selections and quantities are accurately accounted for. After you check out, the cart is emptied and the process can start over. Sessions are a server-side technology that provide a foundation for this capability.
Session handling is built into .NET, and is a simple setup for web apps that are hosted on a single server. Too simple; there is no setup, you just start using Sessions. For web apps that are hosted on multiple servers (a farm), there are four key steps you need to follow:
- Create a Session database on a SQL Server
- Create SQL account with rights to Session database
- Add a directive to the web.config
- Ensure any objects to be stored in the Session are decorated as Serializable
Create Session Database
To create a session database on SQL server .NET must be installed on the machine you’re using to create the database. You will also need a SQL account with the ability to create databases, make schema changes and execute rights in msdb. For this example, I’ll be using a SQL account with sysadmin privileges on a 64-bit version of Windows running .NET 4.0.
Execute the aspnet_regsql command with the appropriate switches:
-U SQL account username
-P SQL account password
-ssadd Instructs aspnet_regsql to add support for Session state
-sstype c For custom database. Other options are t for using tempdb and p for ASPState.
-d Name of your new Session database. Used only when sstype is c
Create SQL Account
You will need a SQL account that has datareader, datawriter and execute stored procedure privileges within your newly created database. For simplicity, I usually grant this account db_owner rights.
Add Directive to web.config
The directive below needs to be added to your web.config, within the <system.web> section.
Note I’ve set the timeout attribute to a value of 200. This will keep a session alive for 200 minutes between user interactions. After 200 minutes of inactivity have passed, the session will be destroyed.
If you plan to store Objects in the Session, they must be decorated as Serializable. Without going into detail, this directive informs .NET the decorated class needs to express data-members in a format other than binary, like XML or SOAP, for the purposes of storage and retrieval. Again, this answer is fundamentally correct, but won’t earn you points on a quiz.
public class MyClass
. . .
If you’re a lowly web developer, like me, you may not have access to a Standard or Enterprise version of SQL Server. Fortunately, SQL Express is freely available from Microsoft. However, SQL Express doesn’t include the SQL Agent, which handles automating the deletion of expired session records. To overcome this limitation, you can write a script and have a Scheduled Task in Windows execute it.
SQLCMD is a command line utility which allows you to connect to a SQL Server, and execute SQL statements. In this example, we’re connecting to our Session database and executing the DeleteExpiredSessions procedure.
For a quick demonstration, view our YouTube video here
- POSTED IN: