0 out of 1 rated this helpful - Rate this topic

Session State

Published: February 29, 2012

Updated: February 29, 2012

Applies To: Windows Server 2012

Use the Session State feature page to configure the behavior of information maintained across browser sessions.

Related scenarios

Build an ASP.NET Website on IIS

UI Elements for Session State

The following tables describe the UI elements that are available on the feature page and in the Actions pane.

Feature Page Elements

Element Name

Description

Not enabled

Disables session state.

In process

Stores session state data for a managed-code application in the worker process where the application runs. This setting is the default.

Custom

Configures IIS to use a custom provider to handle session state for ASP.NET applications.

State Server

Enables the Windows Aspnet_state.exe state service and stores session state outside the worker process where the application runs. The advantage of this configuration is that session state is preserved when the application's worker process recycles. Using a state server is recommended for medium-sized web applications. The settings to configure are:

Connection string - sets the connection string that is used to connect to the state server.
Time-out (in seconds) - sets the time, in seconds, that the connection will be maintained. The default is 10 seconds.

Important
The Windows state service (Aspnet_state.exe) must be running for out-of-process session state to take effect. By default, this service is installed when ASP.NET is installed and is configured for manual start. Change the start behavior to Automatic.

SQL Server

Configures IIS to use a SQL Server database to store session state data instead of storing it in the worker process where the application runs. The advantage of this configuration is that session state is preserved when the application's worker process recycles. In addition, session state is preserved if either the Windows state service or the web server goes down. The settings to configure are:

Connection string - sets the connection string that is used to connect to the state server.
Time-out (in seconds) - sets the time, in seconds, that the connection will be maintained. The default is 10 seconds.

Important
Before you configure a SQL Server for session state, run the InstallSqlState.sql script on the server. By default, this script is stored in systemroot\Microsoft.NET\Framework\V2.0.50727.

Enable custom database

Enables a custom SQL Server database for storing session state data.

Mode

Defines how cookies are used to store session state data. The options are:

Auto Detect - uses cookies if the browser supports cookies; otherwise, no cookies are used. For desktop browsers that are known to support cookies, ASP.NET tries to use cookies when cookie support is enabled in the browser. When you use the Auto-Detect cookie mode, you should require that expired session IDs be regenerated. Doing this task lets a web server expire and regenerate tokens, which give potential attackers less time to capture a cookie and gain access to Web server content. Also consider changing the time-out value to less than the 20-minute default.
Use Cookies - associates session information with client information for the duration of a user's connection to a website. Cookies are passed on together with all requests between a client and a Web server in an HTTP header. Using cookies is a more efficient way to track session state than any of the methods that do not use cookies, because cookies do not require any redirection. Additionally, cookies let users bookmark web pages, and they retain state if a user leaves one site to visit another and then returns to the original site.

Note
Consider changing the time-out value to less than the 20-minute default so a potential attacker has less time to capture a cookie and gain access to website content.

Use Device Profile - uses cookies if the device profile supports cookies, otherwise, no cookies are used. If the device profile indicates support for cookies, they are used regardless of whether the user has disabled cookie support. When you use the Use Device Profile cookie mode, you should require that expired session IDs be regenerated. Doing this task lets a web server expire and regenerate tokens, which give potential attackers less time to capture a cookie and gain access to Web server content. Also consider changing the time-out value to less than the 20-minute default.
Use URI - embeds the session ID as a query string in the Uniform Resource Identifier (URI) request, and then the URI is redirected to the originally requested URL. The changed URI request is used for the duration of the session, so no cookie is necessary. When you use a URI, require that expired session IDs be regenerated. Doing this task lets a web server expire and regenerate tokens, which give potential attackers less time to capture a cookie and gain access to Web server content.

Name

Sets a name for the cookie. The default is ASP.NET_SessionID.

Time-out (in minutes)

Sets the time, in minutes, that a cookie persists. The default is 20 minutes.

Regenerate expired session ID

Tells IIS to reject and reissue session IDs that do not have corresponding sessions active in the database. By default, this feature is supported only for cookieless session IDs, but this feature can be extended in order to manage cookie/arbitrary session IDs by implementing a custom session ID manager.

Use hosting identity for impersonation

Enables Windows authentication and the host process identity (either ASP.NET or a Windows service identity) for remote connections.

Actions Pane Elements

Element Name	Description
Apply	Saves the changes that you have made on the feature page.
Cancel	Cancels the changes that you have made on the feature page.

Did you find this helpful? Yes No

Not accurate

Not enough depth

Need more code examples

(1500 characters remaining)

Community Additions

ADD