What Is Session State?
Session state, exposed through the HttpSessionState object accessible as Session in any page or user control, is a server-side, per-user dictionary of key-value pairs that persists across multiple requests from the same browser, unlike Page-level ViewState which only survives a single postback. The server identifies which Session belongs to which visitor via a SessionID, typically transmitted in a cookie (ASP.NET_SessionId), and common uses include a shopping cart, a multi-step wizard's in-progress data, or caching a logged-in user's profile so it doesn't need to be reloaded from the database on every page. Because Session is per-user and stored server-side, it consumes server memory or external storage for every active visitor, unlike Cache, which is a shared pool of data intended for reuse across all users.
Cricket analogy: A player's personal locker at the ground that only they can access throughout the match day, distinct from the shared team dressing room everyone uses, mirrors Session state being per-user server-side storage, unlike the shared Cache used by all visitors.
Session State Modes
The <sessionState> element in web.config's mode attribute controls where session data physically lives: InProc keeps it in the worker process's own memory, which is the fastest option but is lost entirely whenever the app pool recycles or the server restarts, and doesn't work correctly across a load-balanced web farm without sticky sessions. StateServer stores session data in a separate Windows service (aspnet_state) that can run on its own machine, surviving individual app pool recycles and working across a web farm, but every stored object must be serializable since it's copied out of process. SQLServer mode persists session data in a SQL Server database (via InProc or out-of-process serialization), the slowest but most durable option, surviving both app pool recycles and full server reboots, which matters for applications that can't tolerate losing an in-progress shopping cart during a deployment.
Cricket analogy: Keeping your scorecard notes scribbled in your own notebook (InProc, fast but lost if you misplace it) versus handing them to an official scorer's booth that keeps a backup (StateServer) versus submitting them to the league's central records office for permanent storage (SQLServer) mirrors the three session modes' tradeoffs.
<!-- web.config -->
<system.web>
<sessionState mode="StateServer"
stateConnectionString="tcpip=127.0.0.1:42424"
cookieless="false"
timeout="20" />
</system.web>Session Lifecycle and Timeout
Global.asax exposes Session_Start, which fires the first time a new visitor's Session is touched, and Session_End, which fires when a session expires or is explicitly abandoned — though Session_End only fires reliably in InProc mode, since StateServer and SQLServer modes don't notify the application when a session times out. Session.Timeout, defaulting to 20 minutes, controls how long a session stays valid after the last request from that visitor before it's discarded, and calling Session.Abandon() immediately ends the current session, commonly used on a logout page to clear any cart or authentication data right away rather than waiting for the timeout to elapse. By default, sessions are tracked via a cookie, but cookieless="true" in web.config embeds the SessionID directly in the URL instead, useful for clients that block cookies but risky because that ID can then leak through referrer headers or bookmarked links.
Cricket analogy: A drinks break called automatically if play stalls for too long, and a captain who can call an immediate strategic timeout rather than waiting for the scheduled break, mirrors Session.Timeout's automatic expiration versus an explicit Session.Abandon() call.
Session_End in Global.asax only fires reliably in InProc mode. If your app runs under StateServer or SQLServer mode (common in web farms), you cannot rely on Session_End for cleanup logic — plan for that logic to run elsewhere, such as a scheduled job or on next login.
Session State Pitfalls
Storing large or numerous objects in Session under InProc mode inflates the worker process's memory footprint for every concurrently active user, and since that memory is never reclaimed until the session times out or the app pool recycles, a busy site with bloated sessions can suffer memory pressure and even OutOfMemoryExceptions. In a load-balanced web farm, InProc sessions require configuring sticky sessions (also called session affinity) at the load balancer so a user's requests always land on the same server, since another server has no access to that in-memory data; switching to StateServer or SQLServer mode removes this constraint but requires every object stored in Session to be serializable. Finally, because a single browser can fire multiple concurrent requests (for example, two frames or an AJAX call alongside a normal postback), Session access isn't inherently thread-safe across those simultaneous requests to the same session, which can produce subtle race conditions if code assumes exclusive access.
Cricket analogy: A team hoarding excess equipment in a shared kit bag until it becomes too heavy to carry between grounds mirrors Session bloat in InProc mode gradually consuming server memory until performance degrades under load.
Never store large objects (like a full DataSet with thousands of rows) or non-serializable types (like an open SqlConnection) in Session, especially under StateServer or SQLServer mode, which requires serialization and will throw a runtime exception for non-serializable objects. In a web farm without sticky sessions configured, InProc session data silently appears to 'disappear' whenever a request lands on a different server than the one that set it.
- Session state is per-user, server-side key-value storage identified by a SessionID, typically carried in a cookie.
- InProc mode is fastest but volatile and requires sticky sessions in a web farm; StateServer and SQLServer modes survive recycles/restarts but require serializable objects.
- Session.Timeout controls automatic expiration (default 20 minutes); Session.Abandon() ends a session immediately, commonly on logout.
- Session_End in Global.asax only fires reliably under InProc mode, not StateServer or SQLServer.
- Storing large or numerous objects in Session inflates server memory usage and can cause OutOfMemoryExceptions under InProc mode.
- In a load-balanced farm, InProc sessions need sticky session affinity configured at the load balancer, or user data appears to vanish.
- Session access is not inherently thread-safe across concurrent requests from the same browser (e.g., simultaneous AJAX calls).
Practice what you learned
1. Which session state mode is fastest but does not survive an application pool recycle?
2. What must be true of every object stored in Session when using StateServer or SQLServer mode?
3. What does calling Session.Abandon() do?
4. Why does InProc session mode require sticky sessions in a load-balanced web farm?
5. In which mode does Session_End in Global.asax fire reliably?
Was this page helpful?
You May Also Like
Caching in Web Forms
Learn how output caching, fragment caching, and the Cache API reduce database and rendering load in Classic ASP.NET Web Forms applications.
Data Binding in Web Forms
Understand how Web Forms server controls bind to data sources, the difference between declarative and programmatic binding, and when to use Repeater, GridView, or ListView.
ADO.NET Basics
Learn how Classic ASP.NET Web Forms applications connect to and query relational databases using ADO.NET's connection, command, and disconnected DataSet objects.
Related Reading
Related Study Notes in Microsoft Technologies
Browse all study notesWindows 10 / UWP Development Study Notes
.NET · 30 topics
Microsoft TechnologiesWindows Batch Scripting Study Notes
Batch · 30 topics
Microsoft TechnologiesMFC (Microsoft Foundation Classes) Study Notes
C++ · 30 topics
Microsoft TechnologiesSilverlight Study Notes
.NET · 30 topics
Microsoft TechnologiesXAML Study Notes
.NET · 30 topics
Microsoft TechnologiesWPF (Windows Presentation Foundation) Study Notes
.NET · 30 topics