Precautions while using StateServer and SQLServer Mode in ASP.NET State Management

Precautions while using StateServer and SQLServer Mode in ASP.NET State Management       

                                                         

In this article on session state management in asp.net, we will discuss precautions which should be taken care while using StateSever mode and SQLServer mode. As in these types of session state management, the session is stored outside your machine, you need to take care of following things:
                                                                                                              
1. To use StateServer mode, you must first be sure the ASP.NET state service is running on the server used for the session store. The ASP.NET state service is installed as a service when ASP.NET and the .NET Framework are installed. The ASP.Net state service is installed at the following location:

systemroot\Microsoft.NET\Framework\versionNumber\aspnet_state.exe

2. To improve the security of your application when using StateServer mode, it is recommended that you protect your stateConnectionString value by encrypting the sessionState section of your configuration file.

3. Set the stateConnectionString attribute to tcpip=serverName:42424.

4. By default, stateConnectionString used the IP 127.0.0.1 (localhost) and port 42424. But we can change the port from the Registry editor.

The StateServer may be the current system or a different system. But it will be totally independent of IIS. The destination of the StateServer will depend on the web.config stateConnectionString setting. If we set it to 127.0.0.1:42424, it will store data in the local system itself. For changing the StateServer destination, we need to change the IP, and make sure aspnet_state.exe is up and running on that system.

5. Objects stored in session state must be serializable if the mode is set to StateServer.

6. To use StateServer mode in a Web farm, you must have the same encryption keys specified in the machineKey element of your Web configuration for all applications that are part of the Web farm.

7. To use SQLServer mode, you must first be sure the ASP.NET session state database is installed on SQL Server. You can install the ASP.NET session state database using the Aspnet_regsql.exe tool.

8. To improve the security of your application when using SQLServer mode, it is recommended that you protect your sqlConnectionString value by encrypting the sessionState section of your configuration file.

9. To configure SQLServer mode for a Web farm, in the configuration file for each Web server, set the sessionState element's sqlConnectionString attribute to point to the same SQL Server database. The path for the ASP.NET application in the IIS metabase must be identical on all Web servers that share session state in the SQL Server database.

10. Session ID is 120 bit long.

11.  Advantages and Disadvantages of StateServer

Based on the above discussion:

Advantages:

A) It keeps data separate from IIS so any issues with IIS will not hamper session data.
B) It is useful in web farm and web garden scenarios.

Disadvantages:

A) Process is slow due to serialization and de-serialization.
B) State Server always needs to be up and running.

Disadvantages of InProc:

A) Performance overhead in case of large volumes of data/user, because session data is stored in server memory.

B) Overhead involved in serializing and de-serializing session data, because in the case of StateServer and SQLServer session modes, we need to serialize the objects before storing them.