ASP.NET Session and web.config explained


HyperText Transfer Protocol(HTTP) is stateless: a client computer running a web browser must establish a new (TCP) network connection to the web server with each new HTTP request. The web server, therefore, cannot rely on an established TCP network connection for longer than a single HTTP operation. 

Session management is the technique used by the web developer to make the stateless HTTP protocol support session state. 

For example, once a user has authenticated himself/herself to the web server, her next HTTP request should not cause the web server to ask her for her account and password again. 

Diagram : The below diagram along with its description will make you clear with what session management is..

1.gif

Steps carried out at session management behind the scenes

Step-1 :Authenticate User at first HTTP request

The basic funda is when a user first time logs in with correct username and password, you create a session variable for his next identification. 

You do this as - 

if(user is valid/authenticated user)
{
Session["username"] = UsernameTextBox.Text;
}

Step-2 : Generate a unique SessionId on successful authentication

Whenever a new session variable is created, A SessionId is generated by server for that particular session and is unique for identifying that session on next requests. 

Step-3 : Pass the SessionId to client

The session information is stored on the web server using the session identifier (session ID) generated as a result of the first (sometimes the first authenticated) request from the end user running a web browser. This generated SessionId is stored at server as well as it is passed to the client. 

Confused why? Let me clear it in point number 6.

Step-4 : Store the SessionId at client side

This SessionId is passed and stored at client as a cookie or in URL of your page. This depends on how you specify in web.config file:

Case I: sessionId (at client side) is stored in URL of Page

Note: Whenever a new request is made, this sessionId is appended to URL of requested page and sent to web application along with request.

Note: write below code in web.config file

<system.web>
<sessionState cookieless="true" />
</system.web>

Example :  mysite.com/S(HFFKSJ3F35R4W46HR435YFS)/myFolder/myPage.aspx

Case II: sessionId (at client side) is stored in a cookie. 

Note : Whenever a new request is made, this cookie is sent to web application along with request.

Note: write below code in web.config file

<system.web>
<sessionState cookieless="false" />
</system.web>

Step-5: Store SessionId at server side

SessionId which is generated at step number 1, is also stored at server.

Now at server, where?

This depends on your specifications in web.config file : 

Case I: Here sessionID is stored in the same worker process that runs your web application at server. This worker process is aspnet_wp.exe.

Note: write below code in web.config file

<system.web>
<sessionState cookieless="true"  mode="InProc"/>
</system.web>

Case II: Here sessionID is stored in the out-of-process that is a process different from worker process at server side. This process is aspnet_State.exe.
This process is called "ASP.NET State Service" : you can find this service in control Panel --> Administrative Tools --> Services. This server side service or process will store the sessionId

Note: write below code in web.config file

<system.web>
<sessionState cookieless="true"  mode="StateServer"/>
</system.web>

Case III: Here sessionID is stored in the out-of-process that is in a SQL server database table at server side. 

Note: write below code in web.config file

<system.web>
<sessionState cookieless="true"  mode="SQLServer"/>
</system.web>

Step 6: Verify the validity of session by verifying the two SessionIds on next HTTP request Now the question is, why the sessionId is stored at client as well as at server? Now, let us suppose that client is authenticated and above all steps gets executed properly.  Now when user navigates to some another page after login, do I need to check on second page whether the same user exists or say is user's session existing? Yes I need to check his session before displaying him/her or giving access to him to user specific resources. So, how do I do this?

Simply by checking the sessionId which is common to both server and the client. So, after sessionId generation, all future requests to web server will have sessionId check/compare. So when a user requests another page, the session id stored at client is passed to server along with the page request.

Again, 

if(you had set "cookieless=true", )
//the sessionId is appended to requested page's URL and sent to server. 
else If(you had set "cookieless=false", )
//then the sessionId is sent as a cookie to server along with the page request.

On server, the sessionId is verified against the ones stored by server itself, to check whether the session still is valid and still exists?

I hope you will find this article easy. Help improve this article if you have some points to share to make it more easy and knowledegable...

Thank You...