Controlling Session Behavior in ASP.Net MVC

Introduction

ASP.NET MVC supports session state. As we know sessions are used to store data used across requests. ASP.NET MVC manages session data whether or not we store data in the session. Now with MVC, we can disable the session for the controller. This concept is called a sessionless controller.

Sessionless Controller

It is possible to disable the session for a controller. It may be that some of the controllers of our application do not use the session state feature. We can disable the session for those controllers using the SessionStateAttribute (set session state Behavior to Disabled) and we can get a slight performance improvement for our application.

Example

[SessionState(System.Web.SessionState.SessionStateBehavior. Disabled)]

public class HomeController : Controller
{
          ……
          ……
}

If we mark our controller as sessionless and we still try to access a session within the controller then it throws the exception “Object reference not set to an instance of an object”.

Example code

[SessionState(System.Web.SessionState.SessionStateBehavior. Disabled)]

public class HomeController : Controller
{
    public ActionResult Index()
    {
        ViewBag.Message = "Welcome to ASP.NET MVC!";
        Session["test"] = "Session less controller test";
        return View();
    }
}

Output

Session less Controller

Session State Behavior

The SessionState attribute in MVC provides more control over the behavior of the session state by specifying the value of the behavior property (this is a read-only property but we can set it using a parameterized contractor of the SessionStateAttribute).
 
Enumeration Value Description
Default The default ASP.NET logic is used to determine the session state behavior for the controller.
Required Full read and write session state behavior is enabled for the request.
ReadOnly Read-only session state is enabled for the request. In other words we can read the data from the session but we cannot write the data into the session.
Disabled Session State is disabled for the current request.

Session less controller and TempData

TempData in MVC uses session state internally to store the data. So when we disable the session state for the controller, it will throw the exception as below.

[SessionState(System.Web.SessionState.SessionStateBehavior.Disabled)]
public class HomeController : Controller

    public ActionResult Index()
    {
        ViewBag.Message = "Welcome to ASP.NET MVC!";
        TempData["test"] = "session less controller test";
        return View();
    }
}

Output

Session less controller and TempData

Conclusion

The SessionState attribute specifies the session state behavior at the controller level. This attribute is a class level attribute so we cannot use it in a method (or at an action level). This attribute is very useful when we require specific behavior of session state for a specific controller. For example, for any controller, we do not want to use a session state; at this time we can mark this controller with the SessionState attribute and the behavior is disabled.