Understanding both the scope and the lifetime of the Session collection for a given user is important when using the Session object. As mentioned above, a new session is created when a user first requests a page within an ASP.NET application for which session state is enabled (session state is enabled by default in in-process mode) and that stores a value in the Session collection. The boundary of that ASP.NET application is defined by the boundary of an IIS application. That is, the boundary of the ASP.NET session includes all ASP.NET pages within a single IIS application and all of its subfolders and virtual directories. It does not, however, include subfolders that are defined as IIS applications. Figure 19-1 illustrates the different folder types in IIS. In Figure 19-1, the SessionWrite.aspx file writes a value to the Session collection. Because the folder containing SessionWrite.aspx is a virtual directory that is a part of the Chapter_19 application folder and is not defined as its own folder, the session value written by SessionWrite.aspx will be available to any page in either the Chapter_19 folder or the SubApp subfolder. If, however, the SubApp folder is configured as an IIS Application (by accessing the Virtual Directory tab of the Properties dialog for the folder and clicking the Create button in the Application Settings section), it will then define its own session boundaries, which will not be shared with the parent Chapter_19 application.
The lifetime of an ASP.NET session is set by default to 20 minutes from the time of the last request to the application that created the session, or until the Session.Abandon method is called.
Keep this lifetime in mind for two reasons:
Any information that you store at the session level will continue to consume resources (memory, in the case of in-process or state service storage; memory and/or disk space, in the case of SQL Server state storage) for a minimum of 20 minutes (or whatever length you've set for the timeout value), and possibly longer depending on the user's activity in the application. For this reason, you should always carefully consider the potential costs associated with storing an item (particularly object instances) in the Session collection.
If code in your page relies on an item being in the Session collection, your code could break if and when the session timeout value is exceeded. For this reason, you should always check to make sure that the item exists by testing whether the item evaluates to Nothing (or null in C#) before attempting to access the item's value.
In classic ASP, a big no-no was storing non-thread-safe COM objects (i.e., any COM object written in Visual Basic) in the Session collection. This was because such components would force IIS to process requests only to the Session that stored the COM object from the same thread that created the object, which could limit scalability substantially. In ASP.NET, this is less of an issue, since all managed .NET components can be stored safely in the Session collection without the threading model impacting scalability. The concerns about resource usage and scalability still apply, however, so before storing objects in the Session collection, carefully consider just how much memory will probably be consumed by multiple serialized instances of the object being stored by multiple sessions.
The difference between objects added to the Session collection and objects created with Session scope using the <object> tag in global.asax is also important. While objects added to the Session collection can be removed by using the Remove, RemoveAll, or Clear methods, objects in the StaticObjects collection (those created in global.asax) are not affected by any of these methods.
In addition to properties and methods provided for backward compatibility with classic ASP, the ASP.NET version of the Session object also adds useful new properties and methods, including the Count, IsCookieless, IsNewSession, and IsReadOnly properties, and the Clear, CopyTo, and RemoveAt methods. The Count and CopyTo members are derived from the ICollection interface, which is implemented by the HttpSessionState class.
In this chapter, we'll use the following code listing as the basis for most examples in the chapter. Unless otherwise noted, each example will consist of the Page_Load event handler for that particular example. Any displayed output messages or return values will be shown as the Text property of the ASP.NET Label named Message or by calling Response.Write.
<%@ Page Language="vb" %> <html> <head> <script runat="server"> Sub Page_Load( ) 'Example code will go here End Sub </script> </head> <body> <asp:label id="Message" runat="server"/> </body> </html>