- HTTP is a stateless protocol.
- Without taking additional steps, HTTP requests are independent messages that don't retain user values or app state.
- .NET Core offers several approaches that developers can use to preserve user data and app state between requests.
Session State
- Session state is a feature that you can use to save and store user data while the user browses the web app.
- Consisting of a dictionary or hash table on the server, session state persists data across requests from a browser.
- The session data is backed by a cache.
- ASP.NET maintains session state by giving the client a cookie that contains the session ID, which is sent to the server with each request.
- The server uses the session ID to fetch the session data.
- Because the session cookie is specific to the browser, you cannot share sessions across browsers.
- Session cookies are deleted only when the browser session ends.
- If a cookie is received for an expired session, a new session that uses the same session cookie is created.
- The default session provider in ASP.NET Core loads the session record from the underlying IDistributedCache store asynchronously only if the ISession.LoadAsync method is explicitly called before the TryGetValue, Set, or Remove methods.
- If LoadAsync isn't called first, the underlying session record is loaded synchronously, which could potentially impact the ability of the app to scale.
- To have applications enforce this pattern, wrap the DistributedSessionStore and DistributedSession implementations with versions that throw an exception if the LoadAsync method isn't called before TryGetValue, Set, or Remove.
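```csharp
using System;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Adds a default in-memory implementation of IDistributedCache.
        services.AddDistributedMemoryCache();

        services.AddSession(options =>
        {
            options.Cookie.Name = ".AdventureWorks.Session";
            // Set a short timeout for easy testing.
            options.IdleTimeout = TimeSpan.FromSeconds(10);
            // Keep the session cookie out of reach of client-side script.
            options.Cookie.HttpOnly = true;
        });

        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app)
    {
        // Session middleware must be registered before MVC so controllers can use Session.
        app.UseSession();
        app.UseMvcWithDefaultRoute();
    }
}
```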
- By default, the session cookie is named ".AspNet.Session" and it uses a path of "/".
- The cookie default doesn't specify a domain, and because CookieHttpOnly defaults to true, the cookie is not made available to client-side script on the page.
- The server uses the IdleTimeout property to determine how long a session can be idle before its contents are abandoned.
- This property is independent of the cookie expiration.
- Each request that passes through the Session middleware (read from or written to) resets the timeout.
- If you try to access Session before UseSession has been called, an exception is thrown.
- If you try to create a new Session (that is, no session cookie has been created) after you have already begun writing to the Response stream, an exception is thrown.
- Because Session is non-locking, if two requests both attempt to modify the contents of session, the last one overrides the first.