100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace
.NET Framework

Session State in Web Forms

Understand how Web Forms tracks per-user data across requests with Session state, the tradeoffs between InProc, StateServer, and SQLServer modes, and common pitfalls.

Web Forms Data AccessIntermediate9 min readJul 10, 2026
Analogies

What Is Session State?

Session state, exposed through the HttpSessionState object accessible as Session in any page or user control, is a server-side, per-user dictionary of key-value pairs that persists across multiple requests from the same browser, unlike Page-level ViewState which only survives a single postback. The server identifies which Session belongs to which visitor via a SessionID, typically transmitted in a cookie (ASP.NET_SessionId), and common uses include a shopping cart, a multi-step wizard's in-progress data, or caching a logged-in user's profile so it doesn't need to be reloaded from the database on every page. Because Session is per-user and stored server-side, it consumes server memory or external storage for every active visitor, unlike Cache, which is a shared pool of data intended for reuse across all users.

🏏

Cricket analogy: A player's personal locker at the ground that only they can access throughout the match day, distinct from the shared team dressing room everyone uses, mirrors Session state being per-user server-side storage, unlike the shared Cache used by all visitors.

Session State Modes

The <sessionState> element in web.config's mode attribute controls where session data physically lives: InProc keeps it in the worker process's own memory, which is the fastest option but is lost entirely whenever the app pool recycles or the server restarts, and doesn't work correctly across a load-balanced web farm without sticky sessions. StateServer stores session data in a separate Windows service (aspnet_state) that can run on its own machine, surviving individual app pool recycles and working across a web farm, but every stored object must be serializable since it's copied out of process. SQLServer mode persists session data in a SQL Server database (via InProc or out-of-process serialization), the slowest but most durable option, surviving both app pool recycles and full server reboots, which matters for applications that can't tolerate losing an in-progress shopping cart during a deployment.

🏏

Cricket analogy: Keeping your scorecard notes scribbled in your own notebook (InProc, fast but lost if you misplace it) versus handing them to an official scorer's booth that keeps a backup (StateServer) versus submitting them to the league's central records office for permanent storage (SQLServer) mirrors the three session modes' tradeoffs.

xml
<!-- web.config -->
<system.web>
  <sessionState mode="StateServer"
                stateConnectionString="tcpip=127.0.0.1:42424"
                cookieless="false"
                timeout="20" />
</system.web>

Session Lifecycle and Timeout

Global.asax exposes Session_Start, which fires the first time a new visitor's Session is touched, and Session_End, which fires when a session expires or is explicitly abandoned — though Session_End only fires reliably in InProc mode, since StateServer and SQLServer modes don't notify the application when a session times out. Session.Timeout, defaulting to 20 minutes, controls how long a session stays valid after the last request from that visitor before it's discarded, and calling Session.Abandon() immediately ends the current session, commonly used on a logout page to clear any cart or authentication data right away rather than waiting for the timeout to elapse. By default, sessions are tracked via a cookie, but cookieless="true" in web.config embeds the SessionID directly in the URL instead, useful for clients that block cookies but risky because that ID can then leak through referrer headers or bookmarked links.

🏏

Cricket analogy: A drinks break called automatically if play stalls for too long, and a captain who can call an immediate strategic timeout rather than waiting for the scheduled break, mirrors Session.Timeout's automatic expiration versus an explicit Session.Abandon() call.

Session_End in Global.asax only fires reliably in InProc mode. If your app runs under StateServer or SQLServer mode (common in web farms), you cannot rely on Session_End for cleanup logic — plan for that logic to run elsewhere, such as a scheduled job or on next login.

Session State Pitfalls

Storing large or numerous objects in Session under InProc mode inflates the worker process's memory footprint for every concurrently active user, and since that memory is never reclaimed until the session times out or the app pool recycles, a busy site with bloated sessions can suffer memory pressure and even OutOfMemoryExceptions. In a load-balanced web farm, InProc sessions require configuring sticky sessions (also called session affinity) at the load balancer so a user's requests always land on the same server, since another server has no access to that in-memory data; switching to StateServer or SQLServer mode removes this constraint but requires every object stored in Session to be serializable. Finally, because a single browser can fire multiple concurrent requests (for example, two frames or an AJAX call alongside a normal postback), Session access isn't inherently thread-safe across those simultaneous requests to the same session, which can produce subtle race conditions if code assumes exclusive access.

🏏

Cricket analogy: A team hoarding excess equipment in a shared kit bag until it becomes too heavy to carry between grounds mirrors Session bloat in InProc mode gradually consuming server memory until performance degrades under load.

Never store large objects (like a full DataSet with thousands of rows) or non-serializable types (like an open SqlConnection) in Session, especially under StateServer or SQLServer mode, which requires serialization and will throw a runtime exception for non-serializable objects. In a web farm without sticky sessions configured, InProc session data silently appears to 'disappear' whenever a request lands on a different server than the one that set it.

  • Session state is per-user, server-side key-value storage identified by a SessionID, typically carried in a cookie.
  • InProc mode is fastest but volatile and requires sticky sessions in a web farm; StateServer and SQLServer modes survive recycles/restarts but require serializable objects.
  • Session.Timeout controls automatic expiration (default 20 minutes); Session.Abandon() ends a session immediately, commonly on logout.
  • Session_End in Global.asax only fires reliably under InProc mode, not StateServer or SQLServer.
  • Storing large or numerous objects in Session inflates server memory usage and can cause OutOfMemoryExceptions under InProc mode.
  • In a load-balanced farm, InProc sessions need sticky session affinity configured at the load balancer, or user data appears to vanish.
  • Session access is not inherently thread-safe across concurrent requests from the same browser (e.g., simultaneous AJAX calls).

Practice what you learned

Was this page helpful?

Topics covered

#NETFramework#ClassicASPNETWebFormsWebPagesStudyNotes#MicrosoftTechnologies#SessionStateInWebForms#Session#State#Web#Forms#WebDevelopment#StudyNotes#SkillVeris