The System.Web.SessionState namespace provides the types used for session state management, which stores information that is specific to one session or client. Each user accessing an ASP.NET application has a separate session state collection. Session state is ideal for sensitive data (like credit card numbers and mailing addresses) because it is stored exclusively on the server. It is also well suited for complex data or custom .NET objects that cannot be easily serialized to a client-side cookie.
To support session state, each active ASP.NET session is identified and tracked with a unique 120-bit session ID string. Session ID values are created and managed automatically by the ASP.NET framework by using an algorithm that guarantees uniqueness and randomness so that they can't be regenerated by a malicious user. When a client requests an ASP.NET page, the appropriate ID is transmitted from the client by a cookie or a modified ("munged") URL. ASP.NET worker processes then retrieve the serialized data from the state server as a binary stream, convert it into live objects, and place these objects into the HttpSessionState class's key/value collection. This class is the core of the System.Web.SessionState namespace. Most other classes in this namespace are used transparently by the ASP.NET framework, except the IReadOnlySessionState and IRequiresSessionState interfaces, which allow custom System.Web.IHttpHandler instances to access session data.
Session state is removed if no requests are received within a specified timeframe (typically about 20 minutes). This is the main trade-off of session state storage: you must choose a timeframe short enough to allow valuable memory to be reclaimed on the server, but long enough to allow a user to continue a session after a short delay.
Note that most session state settings, including the method of session ID transmission, the type of storage, and the timeout, are configured through the <sessionState> section of the web.config file. Figure 35-1 shows the types in this namespace.
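The three settings named above, as they appear in web.config. This fragment is an added example, not configuration from the original text: it assumes ASP.NET 2.0 or later (where cookieless accepts UseCookies and UseUri, and httpOnlyCookies is available), a site served over HTTPS, and a state service on the local machine at its default port.

```xml
<?xml version="1.0"?>
<!-- Added example; all values are illustrative assumptions. -->
<configuration>
  <system.web>
    <!--
      Weaker variant, shown for comparison only:

        <sessionState mode="InProc" cookieless="UseUri" timeout="120" />

      cookieless="UseUri" carries the session ID in the munged URL, so the
      ID is recorded in browser history, proxy and server logs, and is sent
      to other sites in the Referer header. A 120-minute timeout keeps an
      abandoned session usable for two hours after the last request.
    -->

    <!--
      mode                   type of storage. StateServer keeps session data
                             in the separate state service, so the data is
                             serialized between the worker process and that
                             service. Other values: Off, InProc, SQLServer,
                             Custom.
      stateConnectionString  where the state service listens. Keep it bound
                             to a loopback or otherwise private address.
      cookieless             method of session ID transmission. UseCookies
                             keeps the ID out of the URL.
      timeout                idle minutes before the session state is removed.
    -->
    <sessionState
        mode="StateServer"
        stateConnectionString="tcpip=127.0.0.1:42424"
        cookieless="UseCookies"
        timeout="20" />

    <!--
      Cookie defaults for the application, which the session ID cookie
      inherits: not readable from client script, and sent only over HTTPS.
    -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>
</configuration>
```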