Pros and Cons of using ASP.NET Session State Server (instead of InProc)?

asp.net session stateserver session-state
39,554

Solution 1

Here's the canonical analysis of the pros and cons of your three options, from Rob Howard's ASP.NET Session State article:

  • In process. In process will perform best because the session state memory is kept within the ASP.NET process. For Web applications hosted on a single server, applications in which the user is guaranteed to be re-directed to the correct server, or when session state data is not critical (in the sense that it can be re-constructed or re-populated), this is the mode to choose.

  • Out of process. This mode is best used when performance is important but you can't guarantee which server a user will request an application from. With out-of-process mode, you get the performance of reading from memory and the reliability of a separate process that manages the state for all servers.

  • SQL Server. This mode is best used when the reliability of the data is fundamental to the stability of the application, as the database can be clustered for failure scenarios. The performance isn't as fast as out of process, but the tradeoff is the higher level of reliability.

The out-of-process (aka "StateServer") and SQL-Server options both survive web application restarts (including application pool cycling) and both make session data available to multiple servers in a cluster / farm.

Finally, it may go without saying, but the basic in-process setup is the easiest to configure, which is a meaningful "pro" in many environments.

Tim Sneath's ASP.NET Session State: Architectural and Performance Considerations adds some additional information, and the MSDN topic on Session State Modes is a reliable, up-to-date source.

Solution 2

State Server is a great(!) choice to get started with. Why? Because it means that your application is now compatible with any out-of-process storage modes.

If you currently develop your site with InProc and wanted to move into StateServer or SqlServer at a later time, you can have issues with serialization. Not always, but it is does happen.

Some examples include (some already mentioned):

  • Ops start scheduling regular IIS application pool recycles without your knowledge
  • Memory is running low on a regular basis
  • You will be working with a load balancer on production and cannot guarantee the same website will receive the same request.

Therefore, its best to get this sorted out sooner rather than later. Its only a config change and a service start; Boom!

What is also means, is if you decide to go down a completely different route of session storage, such as using Redis (Distributed Key/Value Store) or RavenDB (Document Database), you are already sorted.

Its really is a good investment of 1 minute's work. You are now ready for web farms, load balancers and any other session management systems that you decide to prototype against.

Solution 3

I'd say one of the big disadvantages of using In_Proc is that session state can be lost if the app pool or domain is recycled. This can happen any time, for instance if the server is low on memory etc. I personally never rely on In_Proc session for anything you don't want to lose. I've spent hours debugging sites with sporadic problems only to find it was because session state was being lost due to a server that was low on resources recycling (and, of course, the more you store in session the lower the more server resources you use up. Remember, if it can go wrong then it probably will go wrong at some point!

That's why I now normally use State Server for anything but trivial session data. The only real disadvantage I've found is you need to mark classes as serializable, but this is usually trivial. It's also a bit slower, too, but that is negligible in most cases.

There's a good article about this on the IIS MSDN blog.

Solution 4

Advantages:
1. You can access the same session state across machines.
2. Same session state is available after reloading the app_pool.

Disadvantages:
1. Slower than in process mode.
2. All objects in the session state have to be serializable.

Solution 5

Disadvantages of Sessions in ASP.NET

  • Every variable is stored as Object. That means you need to convert Object to certain type when read session variable.

  • In addition to this, if session is empty, Object will be null. Before reading session variable, you need to check it for null. Even if variable is initialized before, it could be null because session is expired. An attempt to use null session value could return an exception. If value of session variable is null, common practice is to use some default value instead of meaningless null. If value is not null, you must convert it to appropriate type because all session variables are type of object. When do all this things, you should pay attention to avoid hard coding. More about reading and writing of session variables on scalable and maintainable way you can read in How To Write, Read and Delete Session State Variables tutorial.

  • Variable name is type of string. If you hard code name of the variable, there is an option to make type mistake somewhere. The problem is, if you try to read session variable that doesn't exist, ASP.NET will not return any exception or warning. It will simply create new variable with wrong name which has null value. These types of errors could be hard to find.

  • Session data should not be used for storing of sensitive data. There is a possibility that malicious user obtain regular visitor's session id. If session state is used to store information like: "allow access to administration area or not" or something like that, attacker could see website's sensitive data, other's private data, edit database, delete content etc.

  • If InProc mode is used, sessions easily exhaust all server resources and thus decrease website performances.

StateServer

SQL Server is most reliable of all modes. Session data are intact if ASP.NET restarts, but also if SQL Server restarts.

SQL Server is also most scalable option.

SQL Server is often available in shared hosting scenario

Custom mode

You have complete control over sessions. It is possible to create even custom session id.

You can support different data sources. That could be useful to store session data on other database, like Oracle, MySQL, MS Access etc.

for any other details you can click here to view ASP.NET Session state advantages. hope my answer helped you.! :)

Share:
39,554

Related videos on Youtube

John K
Author by

John K

Defining quotes: "The present letter is a very long one, simply because I had no leisure to make it shorter." — Blaise Pascal "The early bird gets the worm, but the second mouse gets the cheese." —Steven Wright "And yet what are we to do about this terribly significant business of other people." — Philip Roth

Updated on July 09, 2022

Comments

  • John K
    John K almost 2 years

    Before I start using Session State server for the benefit of making session state more robust in my apps compared to InProc state, I'd like to find a list of Pros and Cons for evaluation.

    Update 1: Also about surviving application pool recycles?

    Update 2: What about longevity of sessions and their endings?

    • Tom Cabanski
      Tom Cabanski about 14 years
      Perhaps this should be marked as a community wiki.
    • CMircea
      CMircea about 14 years
      @Tom: what's up with everyone asking for community wiki? This isn't "what's your favorite cartoon?", it's a valid question.
    • John K
      John K about 14 years
      People often get mixed up between a question that has one vs many correct answers (wiki not needed), and a question that is subjective (destined for wiki). My question here is the former kind.
    • Jeff Sternal
      Jeff Sternal about 14 years
      I updated my answer to try to address your Update 1, but don't really understand what you're asking about the longevity of sessions and their endings.
  • Paul Marcelin Bejan
    Paul Marcelin Bejan about 10 years
    How slower? Slower because of network latency or something else?
  • kemiller2002
    kemiller2002 about 10 years
    Pretty much yeah. With in process, its using the memory used by IIS. It doesn't have to serialize, push the data to another application etc. This is all relative too. As long as your state server and your application server aren't in different states, the slowdown isn't going to really be noticeable.
  • Saineshwar Bageri - MVP
    Saineshwar Bageri - MVP almost 6 years
    do we require serialize all object before storing in session if we use Redis as sessionState Provider?
  • Dominic Zukiewicz
    Dominic Zukiewicz almost 6 years
    @Saineshwar: I believe so. Without serialization, .NET does not know what format to read/write to (by default).

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Cannot access session asp.net core
How to use session management with Load Balancer in Asp.Net
How to clear SQL session state for all users in ASP.NET
Session state can only be used when enableSessionState is set to true
How to prevent session timeout
asp.net session state mode "SQLServer"
SQLServer vs StateServer for ASP.NET Session State Performance
List all active ASP.NET Sessions
ASP.NET: How to access Session from handler?
In ASP.NET, when should I use Session.Clear() rather than Session.Abandon()?