HttpSessionState Class
Provides access to session-state values as well as session-level settings and lifetime management methods.
public sealed class HttpSessionState : System.Collections.ICollection
Remarks
ASP.NET provides session-state management to enable you to store information associated with a unique browser session across multiple requests. You can store a collection of values referenced by a key name or by numerical index. Access to session values and functionality is available using the HttpSessionState class, which is accessible through the Session property of the current HttpContext, or the Session property of the Page.
Session data is associated with a specific browser session using a unique identifier. By default, this identifier is stored in a non-expiring session cookie in the browser, but you can also configure your application to store the session identifier in the URL by setting the cookieless attribute to true or UseUri in the sessionState element of your application configuration. You can have ASP.NET determine whether cookies are supported by the browser by specifying a value of UseDeviceProfile for the cookieless attribute. You can also have ASP.NET determine whether cookies are enabled for the browser by specifying a value of AutoDetect for the cookieless attribute. If cookies are supported when UseDeviceProfile is specified, or enabled when AutoDetect is specified, then the session identifier will be stored in a cookie; otherwise the session identifier will be stored in the URL.
Sessions are started during the first request, and session values persist as long as the browser makes a new request before the number of minutes specified in the Timeout property passes. When a new session begins, the session Start event is raised. You can use this event to perform any additional work at the start of a session, such as setting default session values. When a session times out, the Abandon method is called, or the ASP.NET application is shut down, the session End event is raised. You can use this event to perform any necessary cleanup. The End event is raised only when the session state mode is set to InProc.
To improve performance, sessions that use cookies do not allocate session storage until data is actually stored in the Session object. For more information, see the SessionID property.
Session state does not persist across ASP.NET application boundaries. If a browser navigates to another application, the session information is not available to the new application.
Session values are stored in memory on the Web server, by default. You can also store session values in a SQL Server database, an ASP.NET state server, or a custom server. This enables you to preserve session values in cases where the ASP.NET or IIS process or the ASP.NET application restarts and to make session values available across all the servers in a Web farm. This behavior is configured by setting the mode attribute to a valid SessionStateMode value in the sessionState element of your application configuration. For more information, see Session-State Modes.
Alternatives to session state include application state (see the Application property) and the ASP.NET cache (see the System.Web.Caching namespace), which store variables that can be accessed by all users of an ASP.NET application; the ASP.NET profile (see the System.Web.Profile namespace), which persists user values in a data store without expiring them using a time-out; ASP.NET System.Web.UI.WebControls, which persist control values in the ViewState; Cookies; the QueryString property; and fields on an HTML form that are available from an HTTP POST using the Form collection. For more details on the differences between session state and other state-management alternatives, see ASP.NET State Management Recommendations.
HttpSessionState.SessionID Property
Gets the unique identifier for the session.
public string SessionID { get; }
Remarks
The SessionID property is used to uniquely identify a browser with session data on the server. The SessionID value is randomly generated by ASP.NET and stored in a non-expiring session cookie in the browser. The SessionID value is then sent in a cookie with each request to the ASP.NET application.
If you want to disable the use of cookies in your ASP.NET application and still make use of session state, you can configure your application to store the session identifier in the URL instead of a cookie by setting the cookieless attribute of the sessionState configuration element to true, or to UseUri, in the Web.config file for your application. You can have ASP.NET determine whether cookies are supported by the browser by specifying a value of UseDeviceProfile for the cookieless attribute. You can also have ASP.NET determine whether cookies are enabled for the browser by specifying a value of AutoDetect for the cookieless attribute. If cookies are supported when UseDeviceProfile is specified, or enabled when AutoDetect is specified, then the session identifier will be stored in a cookie; otherwise the session identifier will be stored in the URL. For more information, see the IsCookieless property.
The SessionID is sent between the server and the browser in clear text, either in a cookie or in the URL. As a result, an unwanted source could gain access to the session of another user by obtaining the SessionID value and including it in requests to the server. If you are storing private or sensitive information in session state, it is recommended that you use SSL to encrypt any communication between the browser and server that includes the SessionID.
When using cookie-based session state, ASP.NET does not allocate storage for session data until the Session object is used. As a result, a new session ID is generated for each page request until the session object is accessed. If your application requires a static session ID for the entire session, you can either implement the Session_Start method in the application's Global.asax file and store data in the Session object to fix the session ID, or you can use code in another part of your application to explicitly store data in the Session object.
If your application uses cookieless session state, the session ID is generated on the first page view and is maintained for the entire session.
SessionStateSection.CookieName Property
Namespace: System.Web.Configuration
For configuration files only.
[System.Configuration.ConfigurationProperty("cookieName", DefaultValue="ASP.NET_SessionId")]
public string CookieName { get; set; }
The following code example demonstrates how to get the CookieName property. Refer to the code example in the SessionStateSection class topic to learn how to get the section.
// Display the current CookieName property value.
Console.WriteLine("CookieName: {0}",
sessionStateSection.CookieName);
The default value is "ASP.NET_SessionId".
FormsAuthentication.FormsCookieName Property
Namespace: System.Web.Security
Gets the name of the cookie used to store the forms-authentication ticket.
public static string FormsCookieName { get; }
The following code example sets the FormsCookieName property value by using the name attribute in the Web.config file.
<authentication mode="Forms">
<forms loginUrl="member_login.aspx"
cookieless="UseCookies"
name=".ASPXFORMSAUTH" />
</authentication>
Remarks
The FormsCookieName property value is set in the configuration file for an ASP.NET application by using the name attribute of the forms configuration element.
The FormsCookieName is used to reference the cookie that stores the FormsAuthenticationTicket information.
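The cookieless values and the clear-text SessionID caveat described in the remarks above can be checked mechanically against a Web.config file. The following is an added example, not part of the original documentation: both configuration documents are constructed samples, the finding names are hypothetical, and the requireSSL attributes on the httpCookies and forms elements are standard ASP.NET settings that this page does not itself describe.

```python
import xml.etree.ElementTree as ET

# Constructed sample: session ID may fall back to the URL, no SSL-only cookies.
WEAK_CONFIG = """<configuration><system.web>
  <sessionState mode="InProc" cookieless="AutoDetect" timeout="20" />
  <authentication mode="Forms">
    <forms loginUrl="member_login.aspx" cookieless="UseCookies"
           name=".ASPXFORMSAUTH" />
  </authentication>
</system.web></configuration>"""

# Constructed sample: cookie-only session ID, cookies restricted to SSL.
HARDENED_CONFIG = """<configuration><system.web>
  <sessionState mode="InProc" cookieless="UseCookies" timeout="20" />
  <httpCookies requireSSL="true" httpOnlyCookies="true" />
  <authentication mode="Forms">
    <forms loginUrl="member_login.aspx" cookieless="UseCookies"
           name=".ASPXFORMSAUTH" requireSSL="true" />
  </authentication>
</system.web></configuration>"""

# cookieless values that can place the session identifier in the URL.
URL_MODES = {"true", "useuri", "autodetect", "usedeviceprofile"}


def audit_web_config(xml_text):
    """Return a sorted list of finding names for one Web.config document."""
    web = ET.fromstring(xml_text).find("system.web")
    if web is None:
        return []
    findings = set()
    session = web.find("sessionState")
    cookies = web.find("httpCookies")
    forms = web.find("authentication/forms")
    # A missing cookieless attribute means the default, cookie-based mode.
    if session is not None and \
            session.get("cookieless", "UseCookies").lower() in URL_MODES:
        findings.add("SESSION_ID_MAY_APPEAR_IN_URL")
    # Without requireSSL the session cookie is also sent over plain HTTP.
    if cookies is None or cookies.get("requireSSL", "false").lower() != "true":
        findings.add("SESSION_COOKIE_NOT_RESTRICTED_TO_SSL")
    # The forms-authentication ticket cookie has its own requireSSL switch.
    if forms is not None and forms.get("requireSSL", "false").lower() != "true":
        findings.add("FORMS_COOKIE_NOT_RESTRICTED_TO_SSL")
    return sorted(findings)


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_web_config(doc))
```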