- CookieMode—Enables you to specify whether cookieless sessions are enabled. Possible values are AutoDetect, UseCookies, UseDeviceProfile, and UseUri.
- Count—Enables you to retrieve the number of items in Session state.
- IsCookieless—Enables you to determine whether cookieless sessions are enabled.
- IsNewSession—Enables you to determine whether a new user session was created with the current request.
- IsReadOnly—Enables you to determine whether the Session state is read-only.
- Keys—Enables you to retrieve a list of item names stored in Session state.
- Mode—Enables you to determine the current Session state store provider. Possible values are Custom, InProc, Off, SqlServer, and StateServer.
- SessionID—Enables you to retrieve the unique session identifier.
- Timeout—Enables you to specify the amount of time in minutes before the web server assumes that the user has left and discards the session. The maximum value is 525,600 (1 year).
The HttpSessionState object also supports the following methods:
- Abandon—Enables you to end a user session.
- Clear—Enables you to clear all items from Session state.
- Remove—Enables you to remove a particular item from Session state.
Here are the things to note when using session:
- Unlike cookies, Session state has no size limitations. You could store gigabytes of data in Session state.
- When you use Session state, a session cookie named ASP.NET_SessionId is added to your browser automatically. This cookie contains a unique identifier. It is used to associate the correct data with the correct user.
- The main application programming interface for working with Session state is theHttpSessionState class.
- The Abandon() method enables you to end a user session programmatically. For example, you might want to end a user session automatically when a user logs out from your applicationto clear away all of a user's session state information.
Handling Session Events:
- There are two events related to Session state that you can handle in the Global.asax file: the Session Start and Session End events.
- The Session End event is not raised by all session store providers. The event is raised by the InProc session store provider (the default provider), but it is not raised by the StateServer or SQLServer state providers.
Controlling When a Session Times Out:
- By default, session will time out in 20 mins, you can verify this by examining the IIS settings. The disadvantage of increasing the Session timeout is that more memory is consumed by your application. The longer the Session timeout, the more server memory is potentially consumed. You can specify the Session timeout in the web configuration file or you can set the Session timeout programmatically.
Using Cookieless Session State:
- If you want Session state to work even when cookies are disabled, then you can take advantage of cookieless sessions. When cookieless sessions are enabled, a user's session ID is added to the page URL.
- You enable cookieless sessions by modifying the sessionState element in the web configuration file. The sessionState element includes a cookieless attribute that accepts the following values:
- AutoDetect—The Session ID is stored in a cookie when a browser has cookies enabled. Otherwise, the cookie is added to the URL.
- UseCookies—The Session ID is always stored in a cookie (the default value).
- UseDeviceProfile—The Session ID is stored in a cookie when a browser supports cookies. Otherwise, the cookie is added to the URL.
- UseUri—The Session ID is always added to the URL.
- When you enable cookieless session state, you should also enable this attribute regenerateExpiredSessionId="true", because it can help prevent users from inadvertently sharing session state.