Overview of State Management in ASP.Net


  • State Management is the process by which the state and information of a page can be maintained over multiple requests.
  • ASP.NET provides several techniques to maintain the information. The choice depends on the scope of the data and performance considerations. One or more techniques can be used a single application depending on the needs.

There are various methods that are used for State Management. They are:

  1. View State
  2. Cookies
  3. Query String
  4. Session State
  5. Application State

All the preceding methods are used for State Management. View State, Cookies, Query String are methods of Client-Side State Management whereas Session State and Application State are methods of Server-Side State Management.

ASP.NET state management can be broadly divided into the following following two categories:

  1. Client-Side State Management
  2. Server-Side State Management

Client-Side State Management

In Client-Side State Management, the state of the page is maintained at the client side. The following are the various techniques to do Client-Side State Management.

  • View State
  • Cookies
  • Query String

In Client-Side State Management, data is stored at the client side and sent to the browser every time. This increases bandwidth usage. If the size of data is greater then the application will be less responsive. Performance issues would occur.

View State

  • This is Client-side State Method. Due to the stateless nature of the Http protocol, a page can't store any information for itself. View State is a method that is used to store some information related to a page or its variables, and so on for feature use. In View State the information is stored in an encoded manner.
  • When processed, the current state of the page and controls is hashed into a string and saved in the page as a hidden field. When the page is posted back to the server, the page parses the view state string at page initialization and restores property information in the page.
  • In other words, we can say that View State is a technique to persist data through server round trips on a single page.
  • View State uses a hidden field when the form is posted to store state of a client.
  • Each time a page is posted to itself, the contents of the _VIEWSTATE field are sent as part of the post.

Laminations of View State

  • View State can be used with a single page.
  • Since it store information as a hidden field, it can be seen in the source code in the browser. Hence it is not a secure way.
  • The performance issues arise with the increase in the size of the data stored as View State.


A cookie is another Client-Side State Management technique to store data and access it on another page. It is actually a small file stored in the client's RAM or on the hard disk. Cookies can be either temporary or permanent.

  • Temporary Cookies: Temporary Cookies are stored in the client's RAM. It is transferred with a request and a response. Internally all cookies are temporary. Consider a small example. If a default.aspx requests default2.aspx and cookies are sent then how does the web server know that the request is from the same client? Actually, on the first request from the client, a session id is given. A Session id is nothing but a series of hits by the same client. This session id is stored in the client's RAM and the next time the request comes, it checks for the file and considering the same session id, the page is rendered.
  • Permanent Cookies: Permanent Cookies are stored as a file on the client's hard disk. It is stored in a C:\Documents and Settings\Cookies folder. Permanent Cookies are created by setting the Expires property.

    For example: ck.Expires= Date and Time.NOW.AddSeconds(20);
    Cookies store a maximum of 4KB of information.

Laminations of Cookies

  • It is a small textual file so it can store a small amount of data.
  • Not secure since it is stored on the client side and can be tempered. For example, risk of username/password is being stored on the client machine.
  • In some cases, the browser blocks the cookies.

Query String

  • Query string is also a Client-Side State Management technique. It is the information that is appended to the URL.
  • A Query string can be viewed in the address bar of the browser.
  • The query string starts with a question mark (?) and attribute/value pair, called “category”.
  • A Query string provides a simple way to maintain state information. For example, they are an easy way to pass information from one page to another, such as passing a product number from one page to another page where it will be processed.
  • In order for query string values to be available during page processing, the page is submitted using an HTTP GET command.
  • Information that is passed in a query string cannot be used to send sensitive data since a user can send a URL to other users and pass the information.

Laminations of Query String

  • Not a secure way since it can be read and modified in the address bar of the browser.
  • Only a small amount of data can be transferred.
  • Some browsers also limit the length of a URL.

Server-Side State Management

In the Server-Side State Management, the state of the page is maintained at the server side. The following are the various techniques to do Server-Side State Management:

  • Application State (Variable)
  • Session State (Variable)
  • SQL Server database

Server-Side State Management provides better security. The state is saved on the server and therefore isn't delivered to the client. The server side reduces the traffic to and from the client because the data is not sent to the browser.

Application State (Variable)

  • Application state is a global storage mechanism that saves data that can be accessed from every web page in a web application. The data that is saved in the application variable is maintained between every request that is sent to the server.
  • The application state is maintained in the HTTP Application class that is implemented as a directory. The application variable holds data that is global for the web application and is not associated with a specific user. By placing the data in the application state you gain a single access point for shared application data. The data that you save in the application state isn't permanent and is cleaned whenever the application restarts.
  • It should be noted that many users might be accessing application state simultaneously so any call to application state object needs to be thread safe. This can be easily done in ASP.NET using the lock keyword on the statements that are accessing application state objects.

Session State (Variable)

  • A session is a series of requests made by the client. A new session starts when a user sends the first request to the web application. This means that every user of the web application will have a separate session state. The session state is used to store and retrieve information about the user as the user navigates from one page to another page in ASP.NET web applications.
  • The session has a timeout period and after the timeout the session data is lost and a new session is created for the user. The timeout occurs when the user is no longer active for a period of time. The session object is implemented as a key/value dictionary that is represented by an instance of the Http Session object.
  • The session is used for the following scenarios:
    - To track by user sessions.
    - Rise session management event.
    - Store session specific data.

Session objects are one of the intrinsic objects supported by ASP.NET. They provide a developer with a complete web session management solution.

Similar Articles