Configuring ASP.NET Applications to Use the Appropriate Session State

Applies To: Windows Server 2003, Windows Server 2003 with SP1

You can configure ASP.NET session state persistence in the <sessionState> section of the Machine.config file for all of the ASP.NET applications on the Web server, or you can configure it in the Web.config file for each ASP.NET application. If the <sessionState> section of the Web.config file for an ASP.NET application is empty, the session state configuration for the application is inherited from the <sessionState> section of the Machine.config file.

If the <sessionState> section does not exist in the Machine.config file or the Web.config file, the following is the default session state behavior:

• The session time-out value for an ASP.NET session state is 20 minutes.

• The session state is maintained within all of the applications running in the same application pool.

• The session state is only maintained on the local Web server (where the session state mode attribute is set to InProc), not across multiple servers in a Web farm.

In addition to the configuration settings that are specific to the mode you selected for maintaining session state, the following attributes need to be configured:

• The cookieless attribute. This attribute determines whether or not the session identifier is transferred between the Web server and the client by using cookies. When the cookieless attribute is set to True, cookies are not used to convey session identifiers. When the cookieless attribute is set to False, cookies are used to convey session identifiers. The default setting is False.

• The timeout attribute. This attribute specifies the number of minutes that a session is considered valid. When the time specified in the timeout attribute expires, the session is disconnected. The default time-out limit is 20 minutes.

Configure the session state settings in the <sessionState> section for the mode that you selected.

Session state is maintained in-process

To maintain session state in-process, you can either delete the <sessionState> section or configure the <sessionState> section in the Machine.config file or the Web.config file.

The following is an example of the configuration when maintaining session state in-process:

<configuration>
  <system.web>
     <sessionState 

         cookieless="true" 
         timeout="20" 
     </sessionState>
  </system.web>
</configuration>

Session state is maintained out-of-process with the ASP.NET state service

To configure ASP.NET to maintain session state with the ASP.NET state service, modify the following attributes in addition to the mode attribute:

• The stateConnectionString attribute. This attribute specifies the IP address and port number where the ASP.NET state service is running. The format for this attribute is **tcpip=**server:port, where server is the IP address or host name of the server, and port is the TCP port number that the ASP.NET state service is configured to use. The default port number is 42424.

• The stateNetworkTimeout attribute. This optional attribute specifies the length of time, in seconds, that the TCP/IP network connection between the Web server and the server running the ASP.NET state service can be idle before the session is abandoned. The default time-out limit is 10 seconds.

The following is an example of the configuration when maintaining session state out-of-process with the ASP.NET state service:

<configuration>
  <system.web>
     <sessionState 

         cookieless="true" 
         timeout="20" 

     </sessionState>
  </system.web>
</configuration>

Session state is maintained out-of-process with a computer running Microsoft SQL Server

To configure ASP.NET to maintain session state with a computer running SQL Server, modify the sqlConnectionStringattribute in addition to the mode attribute. The sqlConnectionStringattribute specifies the ODBC data connection string used for establishing the connection to the computer running SQL Server.

The format for the sqlConnectionStringattribute is **data source=**odbc_connection_string, where odbc_connection_string is any valid ODBC data connection string that is valid for the computer running SQL Server. For more information about creating ODBC data connection strings for Microsoft SQL Server, see How to allocate handles and connect to SQL Server (ODBC) on MSDN.

The following is an example of the configuration when maintaining session state out-of-process with a computer running SQL Server:

<configuration>
  <system.web>
     <sessionState 

         cookieless="true" 
         timeout="20" 

     </sessionState>
  </system.web>
</configuration>