ASP.NET session state reads and writes session data from and to a data store using a session-state store provider. A session-state store provider is a class that inherits the System.Web.SessionState.SessionStateStoreProviderBase abstract class and overrides its members with implementations specific to the data store. The session-state store provider is called by the System.Web.SessionState.SessionStateModule class during the processing of an ASP.NET page to communicate with the data store for the storage and retrieval of session variables and related session information such as the time-out value.

Session data within each ASP.NET application is stored separately for each HttpSessionState.SessionID property. ASP.NET applications do not share session data.

You can specify a custom System.Web.SessionState.SessionStateStoreProviderBase implementation for an ASP.NET application by setting the mode attribute of the sessionState configuration element to SessionStateMode.Custom and the customProvider attribute to the name of the custom provider, as shown in the example for this topic.

Locking Session Store Data

Because ASP.NET applications are multithreaded to support responding to concurrent requests, it is possible that concurrent requests might attempt to access the same session information. Consider a scenario where multiple frames in a frameset all access the same application. The separate requests for each frame in the frameset can be executed on the Web server concurrently on different threads. If the ASP.NET pages for each frame source access session-state variables, then you could have multiple threads accessing the session store concurrently.

To avoid data collisions at the session store and unexpected session-state behavior, the System.Web.SessionState.SessionStateModule and System.Web.SessionState.SessionStateStoreProviderBase classes include lock functionality that exclusively locks the session store item for a particular session for the duration of the execution of an ASP.NET page. Note that even if the System.Web.Configuration.PagesSection.EnableSessionState attribute is marked as ReadOnly, other ASP.NET pages in the same application might be able to write to the session store, so a request for read-only session data from the store might still end up waiting for locked data to be freed.

A lock is set on session-store data at the beginning of the request, in the call to the SessionStateStoreProviderBase.GetItemExclusive(System.Web.HttpContext, string, Boolean@, TimeSpan@, Object@, SessionStateActions@) method. When the request completes, the lock is released during the call to the SessionStateStoreProviderBase.SetAndReleaseItemExclusive(System.Web.HttpContext, string, SessionStateStoreData, object, bool) method.

If the System.Web.SessionState.SessionStateModule object encounters locked session data during the call to either the SessionStateStoreProviderBase.GetItemExclusive(System.Web.HttpContext, string, Boolean@, TimeSpan@, Object@, SessionStateActions@) or the SessionStateStoreProviderBase.GetItem(System.Web.HttpContext, string, Boolean@, TimeSpan@, Object@, SessionStateActions@) method, it will re-request the session data at half-second intervals until either the lock is released or the amount of time that the session data has been locked exceeds the value of the System.Web.Configuration.HttpRuntimeSection.ExecutionTimeout property. If the execution time out is exceeded, the System.Web.SessionState.SessionStateModule object will call the SessionStateStoreProviderBase.ReleaseItemExclusive(System.Web.HttpContext, string, object) method to free the session-store data and request the session-store data at that time.

Because locked session-store data might have been freed by a call to the SessionStateStoreProviderBase.ReleaseItemExclusive(System.Web.HttpContext, string, object) method on a separate thread before the call to the SessionStateStoreProviderBase.SetAndReleaseItemExclusive(System.Web.HttpContext, string, SessionStateStoreData, object, bool) method for the current response, an attempt could be made to set and release session-state store data that has already been released and modified by another session. To avoid this situation, the SessionStateStoreProviderBase.GetItem(System.Web.HttpContext, string, Boolean@, TimeSpan@, Object@, SessionStateActions@) and SessionStateStoreProviderBase.GetItemExclusive(System.Web.HttpContext, string, Boolean@, TimeSpan@, Object@, SessionStateActions@) methods return a lock identifier. This lock identifier must be included with each request to modify locked session-store data. Session-store data is modified only if the lock identifier in the data store matches the lock identifier supplied by the System.Web.SessionState.SessionStateModule.

Deleting Expired Session Store Data

When the HttpSessionState.Abandon method is called for a particular session, the data for that session is deleted from the data store using the SessionStateStoreProviderBase.RemoveItem(System.Web.HttpContext, string, object, SessionStateStoreData) method; otherwise, the data will remain in the session data store to server future requests for the session. It is up to the System.Web.SessionState.SessionStateStoreProviderBase implementation to delete expired session data.

Namespace: System.Web.SessionState
Assembly: System.Web (in System.Web.dll)
Assembly Versions: 2.0.0.0