Interview Questions : State Management

Interview Questions Part 5 - ASP.NET , Session , Caching

Question 1 :
How to make SQLServer session mode work ?

Answer 1 :
Please do below steps to make SQLServer session mode to work properly :

1. To use SQLServer mode, you must first be sure the ASP.NET session state database is installed on SQL Server. You can install the ASP.NET session state database using the Aspnet_regsql.exe tool.

2. To configure an ASP.NET application to use SQLServer mode, do the following in the application's Web.config file:

•Set the mode attribute of the sessionState element to SQLServer.
•Set the sqlConnectionString attribute to a connection string for your SQL Server database.

Question 2 :
What is SQL Server session mode in ASP.NET ?

Answer 2 :
SQLServer mode stores session state in a SQL Server database. This ensures that session state is preserved if the Web application is restarted and also makes session state available to multiple Web servers in a Web farm.

Question 3 :
How to make State server session mode work ?

Answer 3 :
Please do the below to make State Server session mode work :

1. To use StateServer mode, you must first be sure the ASP.NET state service is running on the server used for the session store. The ASP.NET state service is installed as a service when ASP.NET and the .NET Framework are installed. The ASP.Net state service is installed at the following location:
systemroot\Microsoft.NET\Framework\versionNumber\aspnet_state.exe

2. To configure an ASP.NET application to use StateServer mode, in the application's Web.config file do the following:
•Set the mode attribute of the sessionState element to StateServer.
•Set the stateConnectionString attribute to tcpip=serverName:42424.

3. To use StateServer mode in a Web farm, you must have the same encryption keys specified in the machineKey element of your Web configuration for all applications that are part of the Web farm.

What is StateServer Session mode in ASP.NETIn StateServer mode, session is stored on seperate computer . It stores session state in a separate process called the ASP.NET state service. This ensures that session state is preserved if the Web application is restarted and also makes session state available to multiple Web servers in a Web farm. This does not support Session_End event in global.asax

Question 4 :
What are different modes of storing ASP.NET Sessions ?

Answer 4 :

The different modes ASP.NET sessions are :

1. InProc
2. StateServer
3. SqlServer

Question 5 :
How to make Output Cache maintain seperate cahce entries for each browser ?

Answer 5 :
This is done using below directive :
VaryByCustom="browser"
<%@ OutputCache Duration="60" VaryByParam="None" VaryByCustom="browser" %>

Question 6 :
What are different types of caching ?

Answer 6 :
Types of caching are :

1. Page Output Caching
2. Page Fragment Caching
3. Data Caching

Question 7 :
Specify various options for Location attribute in OutputCache directive ?

Answer 7 :
If locaction attribute is specified, must be one of: Any, Client, Downstream, None, Server or ServerAndClient.

Question 8 :
Explain VaryByParam attribute in Output Cache ?

Answer 8 :
VaryByParam attribute is a required attribute in OutputCache directive. The names of the variables in the Request, which should result in, separate cache entries. "none" can be used to specify no variation. "*" can be used to create new cache entries for every different set of variables. Separate variables with ";".

Question 9 :
What is Cache Callback ?

Answer 9 :
Cache Callback provides an ability where by some actions can be performed when that item is removed from cache
CacheItemRemovedCallback example

System.Web.Caching.CacheItemRemovedCallback callback = new System.Web.Caching.CacheItemRemovedCallback (OnRemove);
Cache.Insert("key",myFile,null,
System.Web.Caching.Cache.NoAbsoluteExpiration,
TimeSpan.Zero,
System.Web.Caching.CacheItemPriority.Default, callback);
. . .

public static void OnRemove(string key,
object cacheItem,
System.Web.Caching.CacheItemRemovedReason reason)
{
AppendLog("The cached value with key '" + key +
"' was removed from the cache. Reason: " +
reason.ToString());
}

Question 10:
What are different types of cache dependencies ?

Answer 10:
Different type cache dependencies are :
File dependency
Time Based Expiration
Key dependency

Again in another website:

What is a Session?
A Session is a unique instance of the browser. A single user can have multiple instances of the browser running on his or her machine. If each instance visits your Web application, each instance has a unique session.A session starts when a user accesses a page on a Web site for the first time, at which time they are assigned a unique session ID. The server stores the user's session ID in the Session.SessionID property.

What is the default session timeout period?
20 minutes.

Where do you generally specify the Session Timeout?
You specify the Session Timeout setting in the web.config file.

Can you specify Session Timeout in a code behind file?
Yes, can specify the Session.Timeout property as shown below in a code behind file.
Session.Timeout = 10;

How do you end a user session?
You can call the Session.Abandon() method to end a user session. If a user then tries to access a page the server will assign them a new session ID and it will clear all the previous session variables. You'll typically use Session.Abandon() on log-out pages.

What type of data can you store in Application State and Session State variables?
Application State and Session State variables are used to store data that you want to keep for the lifetime of an application or for the lifetime of a session. You can store any type of data in the Application or Session state, including objects.

Are Application State or Session State variables type safe?
No, Application and Session state variables are created on the fly, without variable name or type checking.

Do maintaining Session state affects performance?
Yes

Can you turn of Session state?
Yes, Session state can be turned off at the application and page levels.

Are Application state variables available throughout the current process?
Yes, Application state variables are available throughout the current process, but not across processes. If an application is scaled to run on multiple servers or on multiple processors within a server, each process has its own Application state.

How do you disable Session state for a Web form?
To turn Session state off for a Web form set EnableSessionState property of the Page to False.

How do you turn Session state off for an entire web application?
In the Web.config file, set the sessionstate tag to False.

What are Application State variables?
Application State variables are global variables that are available from anywhere in the application. All Sessions can access Application State variables.

How to add and remove data to Application State Variables?
//Code to add data to Application State
Application.Add("AppName", "Sample");

//Code to remove data from Application State
Application.Remove("AppName");

How do you remove all Application State Variables data?
//Code to remove all Application State Variables data
Application.RemoveAll();

ASP.NET 3.5  Questions & Answers :

1. Explain the life cycle of an ASP .NET page.?
Following are the events occur during ASP.NET Page Life Cycle:

1)Page_PreInit
2)Page_Init
3)Page_InitComplete
4)Page_PreLoad
5)Page_Load
6)Control Events
7)Page_LoadComplete
8)Page_PreRender
9)SaveViewState
10)Page_Render
11)Page_Unload

Among above events Page_Render is the only event which is raised by page. So we can't write code for this event.

Stage
Description
Page request
The page request occurs before the page life cycle begins. When the page is requested by a user, ASP.NET determines whether the page needs to be parsed and compiled (therefore beginning the life of a page), or whether a cached version of the page can be sent in response without running the page.
Start
In the start stage, page properties such as Request and Response are set. At this stage, the page also determines whether the request is a postback or a new request and sets the IsPostBack property. The page also sets the UICulture property.

Initialization
During page initialization, controls on the page are available and each control's UniqueID property is set. A master page and themes are also applied to the page if applicable. If the current request is a postback, the postback data has not yet been loaded and control property values have not been restored to the values from view state.
Load
During load, if the current request is a postback, control properties are loaded with information recovered from view state and control state.
Postback event handling
If the request is a postback, control event handlers are called. After that, the Validate method of all validator controls is called, which sets the IsValid property of individual validator controls and of the page.
Rendering
Before rendering, view state is saved for the page and all controls. During the rendering stage, the page calls the Render method for each control, providing a text writer that writes its output to the OutputStream object of the page's Response property.
Unload
The Unload event is raised after the page has been fully rendered, sent to the client, and is ready to be discarded. At this point, page properties such as Response and Request are unloaded and cleanup is performed.

2. how does the cookies work in asp.net?
we know Http is an state-less protocol which is required for interaction between clinet and server .

so there is an need to remeber state of request raised by an web browser so that
web server can recognize you have already previously visited or not.

There are two types of state management techniques:
a) Client side state management
b) Server - side statemanagement

Using cookies comes under clinet side statemanagement .In HttpResponse we write
Cookie containing sessionId and other information within it.

when a browser made a request to the web server the same cookie is sent to the server where server recognize the session id and get other information stored to it previously.

3. What is Ispostback method in ASP.Net? Why do we use that??
Basically Post back is an action performed by a interactive Webpage. When it goes to the server side for a non-client Operation Server again posts it back to the client and hence the name.
Ex:

if(!IsPostBack)

will not allow the page to post back again n again bcoz it reduces the performance.

4. Can User Control be stored in library?.
I will say "NO"

there are 3 types of controls:
1) User Control
2) Custom Control
3) Web parts

you can reuse User control in the current project in which you have built it, but you can't move it to other project as unless you just copy paste the same file there and make the changes for that project ( which violets the concept of library).

but custom control can be shared between projects. and you can precompile them even as a dll, so this means you can use them in library of any type.

5. what is the difference between application state and caching?
Application Object and Cached Object both falls under Server side State Management.

Application object resides in InProc i.e. on the same server where we hosted our application.
Cache Object resides on server side/ DownStream/Client Side.

Application Object will be disposed once application will stop.
Cache Object can be disposed using Time based cache dependency.

Only one user can access Application Object at a time hence we have to lock it every time we modify it.

6. what is boxing and unboxing?
Boxing is what happens when a value-type object is assigned to a reference-type variable.
Unboxing is what happens when a reference-type variable is assigned to a value-type variable.

7. What are the uses of Reflection??
Reflection is a concept using which we can

1) Load assemblies dynamically
2) Invoke methods at runtime
3) Retriving type information at runtime.

8. What is the use of AutoWireup in asp.net?
AutoEventWireup attribute is used to set whether the events needs to be automatically generated or not.
In the case where AutoEventWireup attribute is set to false (by default) event handlers are automatically required for Page_Load or Page_Init. However when we set the value of the AutoEventWireup attribute to true the ASP.NET runtime does not require events to specify event handlers like Page_Load or Page_Init.

9. what events will occur when a page is loaded?
Below are the events occures during page load.

1) Page_PreInit
2) Page_Init
3) Page_InitComplete
4) Page_PreLoad

10. Where is the View state Data stored?
ViewState data is stored in the hidden field. When the page is submitted to the server the data is sent to the server in the form of hidden fields for each control. If th viewstate of the control is enable true the value is retained on the post back to the client when the page is post backed.

11. What is the difference between custom web user control and a custom web server control?
Web User Control:
1) Easy to Create.
2) It Can be used inside the same Application.(To use it in other application we need to add it to that project.)
3) It Can take advantage of Caching Technique.

Web Server Control:
1) Bit tuff to create as compare to User Control.
2) Easy to use.
3) Can be added to ToolBox.

12. Where do the Cookie State and Session State information be stored?
Cookie Information will be stored in a txt file on client system under a
folder named Cookies. Search for it in your system you will find it.
Coming to Session State

As we know for every process some default space will be allocated by OS.
In case of InProc Session Info will be stored inside the process where our
application is running.
In case of StateServer Session Info will be stored using ASP.NET State Service.
In case of SQLServer Session info will be stored inside Database. Default DB
which will be created after running InstallSQLState Script is ASPState.
13. What is the difference between adding reference in solution Explorer and adding references by USING ?
Adding reference in solution explorer is used to add the DLL for that project for reference only. If you want to utilize that DLL methods/functions in our aspx.cs/.cs file etc you must write using that nameclass library name in file.

14. What are the different types of sessions in ASP.Net? Name them.?
Session Management can be achieved in two ways

1)InProc
2)OutProc

OutProc is again two types
1)State Server
2)SQL Server

InProc
Adv.:
1) Faster as session resides in the same process as the application
2) No need to serialize the data
DisAdv.:
1) Will degrade the performance of the application if large chunk of data is stored
2) On restart of IIS all the Session info will be lost
State Server
Adv.:
1) Faster then SQL Server session management
2) Safer then InProc. As IIS restart
won't effect the session data
DisAdv.:
1) Data need to be serialized
2) On restart of ASP.NET State Service session info will be lost
3)Slower as compared to InProc
SQL Server
Adv.:
1) Reliable and Durable
2) IIS and ASP.NET State Service
restart won't effect the session data
3) Good place for storing large chunk of data
DisAdv.:
1) Data need to be serialized
2) Slower as compare to InProc and State Server
3)Need to purchase Licensed
version of SQL Serve
15. How do you design a website with multilingual support in ASP.NET?
Multilingual website can be created using Globalization and Localization.
Using Globalization we change the Currency Date Numbers etc to Language Specific Format.
To change the string which is there in the label button etc to language specific string we use Localization.
In Localization we have to create different Resource files for different languages.
During this process we use some classes present in System.Resources System.Globalization System.Threading namespaces.
16. What is caching? What are different ways of caching in ASP.NET?
Caching is a technique of persisting the data in memory for immediate access to requesting program calls. This is considered as the best way to enhance the performance of the application.

Caching is of 3 types:
Output Caching - Caches the whole page.
Fragment Caching - Caches a part of the page
Data Caching - Caches the data

17. What is meant by 3-tier architecture.
We generally split our application into 3-Layers
1)Presentation Layer ( Where we keep all web forms Master Pages and User Controls).
2)Business Layer (Where we keep business logic). e.g Code related to manipulating data Custom Exception classes Custom Control classes Login related code if any etc. etc.
3)Data Access Layer (Where we keep code used to interact with DB). e.g. We can have the methods which are using SQL Helper (Application Block).
18. Explain the basic functionality of garbage collector?
Garbage Collector in .Net Framework is used for Automatic Memory Management i.e. it is collect all unused memory area and give to application. system.gc.collect() is a method for release the memory. But remember one think it is only an request i.e. we can't explicitly release the memory by using system.gc.collect().
19. What is the difference between mechine.config and web.config?
machine.config is a system level configuration i.e it is applied on all application in o/s that the configuration is set where as in web.config it is applicable to only one application i.e each asp.net webapplication will contain atleast on web.config file.
20. How can exception be handled with out the use of try catch?
using Exception Management application block
or
Page_error
Application_error objects
21. What is the difference between Response.Redirect and Server.Transfer.
Server.Transfer transfers page processing from one page directly to the next page without making a round-trip back to the client's browser. This provides a faster response with a little less overhead on the server.Server.Transfer does not update the clients url history list or current url. 
Response.Redirect is used toredirect the user's browser to another page or site. This performs a trip back to the client where the client's browser is redirected to the new page. The user's browser history list is updated to reflect the new address.
22. Where the assembly is stored in asp.net?.
private are stored in application / bin directory and public are stored in GAC.
23. How we implement Web farm and Web Garden concept in ASP.NET?.
A web farm is a multi-server scenario. So we may have a server in each state of US. If the load on one server is in excess then the other servers step in to bear the brunt.
How they bear it is based on various models.
1. RoundRobin. (All servers share load equally)
2. NLB (economical)
3. HLB (expensive but can scale up to 8192 servers)
4. Hybrid (of 2 and 3).
5. CLB (Component load balancer).
A web garden is a multi-processor setup. i.e. a single server (not like the multi server above).
How to implement webfarms in .Net:
Go to web.config and
Here for mode you have 4 options.
a) Say mode inproc (non web farm but fast when you have very few customers).
b) Say mode StateServer (for webfarm)
c) Say mode SqlServer (for webfarm)
Whether to use option b or c depends on situation. StateServer is faster but SqlServer is more reliable and used for mission critical applications.
How to use webgardens in .Net:
Go to web.config and
Change the false to true. You have one more attribute that is related to webgarden in the same tag called cpuMask.
24. Is there any limit for query string? means what is the maximum size?..
Servers should be cautious about depending on URI lengths above 255 bytes because some older client or proxy implementations may not properly support these lengths.
Query string length depends on browser compatability

IE supports upto 255
Firefox supports upto 4000
25. What is the exact purpose of http handlers?
ASP.NET maps HTTP requests to HttpHandlers. Each HttpHandler enables processing of individual HTTP URLs or groups of URL extensions within an application. HttpHandlers have the same functionality as ISAPI extensions with a much simpler programming model
Ex
1.Default HttpHandler for all ASP.NET pages ->ASP.NET Page Handler (*.aspx)
2.Default HttpHandler for all ASP.NET service pages->ASP.NET Service Handler (*.asmx)
An HttpHandler can be either synchronous or asynchronous. A synchronous handler does not return until it finishes processing the HTTP request for which it is called. An asynchronous handler usually launches a process that can be lengthy and returns before that process finishes
After writing and compiling the code to implement an HttpHandler you must register the handler using your application's Web.config file.

In Code Project  Website:

Introduction

There are a lot of articles available on different ways of managing the states in the web. I was not able to find details on Application Object and events. So I read different books and articles and thought of sharing my knowledge with all of you. Hope you will like it and give your feedback and suggestions.
As we all know, web is stateless. A Web page is recreated every time it is posted back to the server. In traditional web programming, all the information within the page and control gets wiped off on every postback. To overcome this problem, ASP.NET Framework provides various ways to preserve the states at various stages like controlstate, viewstate, cookies, session, etc. These can be defined in client side and server side state management. Please see the image below:

Figure: Options available to maintain the state

There are lot more written about most of them. In this article, I am going to explore mainly Application state, Application events and Application Objects.

Application LifeCycle

First, I am going to explain ASP.NET Application Lifecycle. One needs to really understand the application Lifecycle, so that one can code efficiently and use the resources available. Also it is very important to discuss, as we are going to Application level events, objects, etc.
ASP.NET uses lazy initialization technique for creating the application domains, i.e., Application domain for an application is created only when the first request is received by the web server. We can categorise Application life cycle in several stages. These can be:

• Stage 1: User first requests any resource from the webserver.
• Stage 2: Application receives very first request from the application.
• Stage 3: Application basic Objects are created.
• Stage 4: An HTTPapplication object is assigned to the request.
• Stage 5: And the request is processed by the HTTPApplication pipeline.

I'll explain the points one by one.
Stage 1: The Application life cycle starts when a user hits the URL by typing it in the browser. The browser sends this request to the webserver. When webserver receives the request from the browser, it examines the file extension of the requested file and checks which ISAPI extension is required to handle this request and then passes the request to the appropriate ISAPI extension.

Figure: URL Processing

Note 1: If any extension is not mapped to any ISAPI extension, then ASP.NET will not receive the request and the request is handled by the server itself and ASP.NET authentication, etc. will not be applied.
Note 2: We can also make our own custom handler, to process any specific file extension.
Stage 2: When ASP.NET receives the first request, the Application manager creates an application domain for it. Application domains are very important because they provide the isolation amongst various applications on the webserver and every application domain is loaded and unloaded separately, and in application domain an instance of class HostingEnvironment is created which provides access to information about all application resources.

Figure: ASP.NET Handling first request

Stage 3: After creating the application domain and hosting environment, ASP.NET initializes the basic objects as HTTPContext, HTTPRequest and HTTPResponse. HTTPContext holds objects to the specific application request as HTTPRequest and HTTPResponse.HTTPRequest contains all the information regarding the current request like cookies, browser information, etc. and HTTPResponse contains the response that is sent to client.
Stage 4: Here all the basic objects are being initialized and the application is being started with the creation of HTTPApplication class, if there is Global.asax (It is derived from HTTPApplication class) in the application, then that is instantiated.

Figure: Multiple requests processed by ASP.NET

Note: When the application is accessed for the first time, the HTTPApplication instance is created for further requests. It may be used for other requests as well.
Stage 5: There are a lot of events executed by the HTTPApplication class. Here, I have listed down a few important ones. These events can be used for any specific requirement.

What is Global.asax

To handle application events or methods, we can have a file named Global.asax in the root directory of your application. At any single point of time, an HTTPApplication instance handles only one request, so we don't need to think about locking and unlocking of any non static members, but for static members we do require. I'll discuss it in detail in a later section of this article. Following are the commonly used events in the global.asax file.

Figure: Methods in Global.asax

Application Restarts When

If we are going to change the source code, then ASP.NET requires to recompile into assemblies and also the application will restart as well. In spite of this, there are also certain things that force the application to get restarted. If we'll change in the following folder whether adding, modifying or deleting, the application will restart:

• Any changes in the application's bin folder
• Changes in Localisation resources, i.e., App_GlobalResources or App_LocalResources folders

·         Changes in Global.asax file

·         Modification of any source code in App_code folder

• Any changes in web.config file
• Any changes in the webservice references, i.e., App_WebReferences folder.

Application State:Intro

Application state is one of the ways available to store some data on the server and faster than accessing the database.The data stored on the Application state is available to all the users(Sessions) accessing the application. So application state is very useful to store small data that is used across the application and same for all the users. Also we can say they are global variables available across the users. As I am saying small data, we should not store heavy data in ApplicationState because it is stored on the server and can cause performance overhead if it is heavy. We'll discuss it later. Technically the data is shared amongst users via HTTPApplcationState class and the data can be stored here in key value pair. It can also be accessed through Application property of the HTTPContext class.

How Application State Works

As I have already discussed above, an instance of HttpApplicationState is created when first time a request comes from any user to access any resource from the application. And this can be accessed through the property Application property of HTTPContext Object. All HTTPModules and Handlers have access to this property. The lifetime of the values spans through the lifetime of the ASP.NET application until the application is unloaded. Normally, we set these Application variables in Application_OnStart event in Global.asax file and access and modify through ASP.NET pages.

How to Save values in Application State

One thing to keep in mind is that application state stores the data as of Object type, so at the time of reading, the values we need to convert it in the appropriate type.
So normally, we use to store the Application wise data in Application state which is shared across the users. So we can save the data in Application_OnStart method in Global.asax file as:

Collapse

void Application_Start(object sender, EventArgs e)

{ 

Application["Message"] = "Welcome to my Website"; 

}

We can also save object of some Class in Application variable. Let's say we have a class as:

Collapse

/// <summary>

/// Summary description for Employee

/// </summary>

public class Employee

{

    private string _name;

    public string Name {

        get

        {

            return _name;

        }

        set

        {

            _name = value;

        } 

    }

    private decimal _annualSalary;

    public decimal AnnualSalary

    {

        get

        {

            return _annualSalary;

        }

        set

        {

            _annualSalary = value;

        }

    }

               public Employee()

               {

                               //

                               // TODO: Add constructor logic here

                               //

               }

}

Put this class file in App_Code folder. Now class will be available throughout the application so also in Global.asax. Now to save it in Application_OnStart as:

Collapse

   void Application_Start(object sender, EventArgs e) 

    {

        Employee objEmployee = new Employee();

        objEmployee.Name = "Brij";

        objEmployee.AnnualSalary = 1000000;

        Application["EmployeeObject"] = objEmployee;

    }

Note: Here one thing I would like to mention is that we don't require to serialize the object to store in Application state as we need to keep in mind in case of viewstate, etc. So there is no need of serialization here. :) We can also modify these values from any method in the application. Here I am modifying Application["Message"] in onclick method of a button in a page as:

Collapse

protected void Button1_Click(object sender, EventArgs e)

    {

        Application["Message"] = "Welcome Dude!!";

    }

Now we'll get the modified values whenever we try to access it. Let's also add a new variable on another button Click event as:

Collapse

 protected void Button3_Click(object sender, EventArgs e)

 {

     Application["NewValue"] = "Hello";

 }

This value will also be available throughout the application life. One thing I also want to discuss is that Application state is not thread safe so it can be accessed by multiple threads at the same time, i.e., if we have stored some value in Application state say some counter and we increase it whenever a particular page is accessed. So at a single point of time, two instances of page of a different session can read the same value and update it. So we'll not get the desired result. So here we need some synchronisation mechanism so that at a single point of time only, one can update its value. Here we can call the System.Web.HttpApplicationState.Lock method, set the application state value, and then call the System.Web.HttpApplicationState.UnLock method to unlock the application state, freeing it for other write or update it as:

Collapse

  if (Application["Counter"] != null)

        {

            Application.Lock();

            Application["Counter"] = ((int)Application["Counter"]) + 1;

            Application.UnLock();

        }

So by this way, we can avoid writing the same value from multiple Threads at the same time.

How To Read Values from Application State

So to read from Application state is fairly simple. We should just have a safety check to see whether the value we are accessing is null, if the data will not be in Application state is not there then it will return null and if we'll try to cast it in any different type, it'll throw an exception. As I already discussed, Application state stores the data in object form so we need to typecast after reading it. So we can read the value as:

Collapse

if(Application["Message"] !=null)

{

      string message = Application["Message"] as string;

}

The object also can be read as:

Collapse

if (Application["EmployeeObject"] != null)

{

    Employee myObj = Application["EmployeeObject"] as Employee;

    string Name = myObj.Name;

}

A Classic Example of Application State

A classic example of Application variable can be to show the number of online user in a website. This can be done in the following steps:

• Add an online counter variable ApplicationStart method of Global.asax file as:

Collapse

Application["OnlineCounter"] = 0; 

So in this, a variable will be added when the application first starts and will be initialized to 0 as there will be no logged in user at that point of time.

• Now as we know whenever a new user opens the website, a new session is created and Session_Start method of Global.asax is called. So we can increase the counter in this method as:

Collapse

    void Session_Start(object sender, EventArgs e) 

    {

        // Code that runs when a new session is started

       if (Application["OnlineCounter"] != null)

        {

            Application.Lock();

            Application["OnlineCounter"] = 

                                  ((int)Application["OnlineCounter"]) + 1;

            Application.UnLock();

        }

    }

We should use the Locks, else we may get the wrong result because this may be updated at the same time and updated data is not correct. How: Let's say we currently have Application["OnlineCounter"] is 5 and at the same time, two sessions read the value 5 and make an increment to 6 and updated it. Application state as 6. So although two users are logged in, the counter is increased by one only. So to avoid this, we should use the locks.

• So also at the time session ends, we should decrease it by one. As I already discussed, an event Session_End is fired whenever a session ends. So it can be done as:

Collapse

    void Session_End(object sender, EventArgs e) 

    {

        // Code that runs when a new session is started

        if (Application["OnlineCounter"] != null)

        {

            Application.Lock();

            Application["OnlineCounter"] = 

                   ((int)Application["OnlineCounter"]) - 1;

            Application.UnLock();

        }

    }

• And this value can be accessed throughout the application at any point of time in the application as:

Collapse

  if (Application["OnlineCounter"] != null)

        {

            int OnlineUsers = ((int)Application["OnlineCounter"]);

        }    

and this value can be used anywhere in the application.

Application State: Points to Think About Before Using

• Application state is stored in memory of webserver, so huge amount of data can cause severe performance overhead. Also keep in mind that these variables will be stored in memory till the application ends whether we need the entire time or not. So use it judiciously.
• If the application goes down or is restarted, then all the data stored in Application state is lost.
• Also Application data is not shared between multiple servers in webfarm scenario.
• Application also doesn't work in case of Webgarden. Variables stored in application state in either of those scenarios are global only to the particular process in which the application is running. Each application process can have different values.
• Application state is not thread safe, so we must keep the synchronisation in mind as discussed above.

Application State vs Caching

Although both provide the same feature and can be used to store the data at application level, there are a lot of differences between both.

Sr No	Application State	Cache
1	Application variables are one of the techniques provided by ASP/ASP.NET to store the data at application level and this is available to all users.	Cache is one technique provided by ASP.NET to store the data at the application level with many options.
2	Application variables are available throughout the lifecycle of the application until explicitly removed or overridden.	Cache is volatile. It provides the opportunity to automatically expire the data based on the settings or memory gets reclaimed when memory is scarce.
3	Application variable should be used only when data is limited, i.e., it should not be like we store some dataset and keep adding the data in same, which may lead to choke the webserver	Cache provides a flexible way to store data on the webserver and also get removed when memory becomes low.

Cookies

A cookie is a small file which is stored in the visitor's hard disk drive. This is helpful for storing small and trivial information. According to the RFC [^] , a cookie can have a maximum size of 4KB. The web server creates a cookie, attaches an additional HTTP header to the response, and sends it to the browser. The browser will then create this cookie in a visitor's computer and includes this cookie for all further requests made to the same domain. Servers can read the cookie value from the request and retain the state.
The server adds the following to the HTTP header for creating a cookie

Collapse | Copy Code

  Set-Cookie: key=value

The browser reads the above value and creates cookies at the user's end. It adds the cookie value to the request like

Collapse | Copy Code

  Cookie: key=value

Note: The location where the cookie is stored is completly controlled by the browser. Sometimes it may keep the cookie in its memory instead of creating a file.
Creating and using a cookie is trivial in ASP.NET. The HttpCookie class is a key/value collection which allows storing string values. The following code shows how to create a cookie and send it to the client. Cookies are added using Response property and retrieved using Request.

Collapse | Copy Code

  Response.Cookies["id"].Value = "10";

Since no expiry time specified, a cookie added like the above method will be cleared by the browser immediately when it is closed. If you would like to keep the cookie for a long time, you have to use the HttpCookie.Expires property set with an expiration date. The following code shows how to do that.

Collapse | Copy Code

  // this cookie expires after one day from the date it is set

  // browser will take care about removing the cookies after the expiry time

  Response.Cookies["id"].Value = "10";

  Response.Cookies["id"].Expires = DateTime.Now.AddDays(1);

Once you set the cookie, the browser will include it for every request. You read the cookie from the Request.Cookies collection by specifying cookie name. Consider the following code

Collapse | Copy Code

  // for safety, always check for NULL as cookie may not exist

  if (Request.Cookies["id"] != null) {

       string userId = Request.Cookies["id"].Value;

       Response.Write("User Id value" + userId);

  }

Cookies are managed by the browser and will take care about removing expired cookies. If you need to remove a cookie before the expiry period, you have to create a cookie with the same name and with an expiry date that is already passed. This will make browser think that the cookie is expired and will be removed immediately. Here is how you do that

Collapse | Copy Code

  Response.Cookies["id"].Expires = DateTime.Now.AddDays(-1);

Some Useful Properties you Must Know Before Using Cookies

Property name	Description
Domain	Specifies which domain is associated with this cookie. Default is the current domain. See security constraints later in this article
Expires	A DateTime value specifies the expiry time of the cookie
HttpOnly	Cookies can be accessed using java script. Setting this property prevents cookies being accessed from java script
Secure	Set this if cookies are transmitted over SSL
Name	Cookie name
Value	Cookie value (string)

Multi-valued Cookies

RFC states that a browser should not store more than 20 cookies from a domain. Multi-Valued cookie is very handy when you have more items to keep in cookie. To create a multi-valued cookie, you instantiate the HttpCookie instance and set it's values. Consider the following code

Collapse | Copy Code

  HttpCookie cookie = new HttpCookie("user");

  cookie["name"] = "Foo";

  cookie["age"] = "22";

  cookie.Expires = DateTime.Now.AddDays(1);

  Response.Cookies.Add(cookie);

Here is how you read it

Collapse | Copy Code

  HttpCookie cookie = Request.Cookies["user"];

  // for safety, always check for NULL. If cookie doesn't exist, it will be NULL

  if (cookie != null) {

      string name = cookie["name"];

      string age = cookie["age"];

  }

  else

     // Cookie not exist

A Practical Example

You might have noticed the "Remember me next" time option in most of the websites. This is done using cookies. The following steps will be involved when you choose this option.

• When the user checks the "Remember me next time" option, create a cookie with a value to identify the user (eg: user id).
• When the page loads, check for cookie existence. If it exists, read the cookie value.
• Authenticate the value and create a session.

Security Constraints

Since cookies are stored in the visitors computer, to prevent it from harming the system, browsers ensure some security constrains to cookies. THe following points explain the security constraints:

• Cookies are specific to domains, which mean that a cookie set from "DomainA" is not accessible to "DomainB". Browsers store the domain with each cookie and will ensure it won't be sent to another domain.
• Other restriction is in size. Browsers will not allow storing cookies for more than 4KB from a domain.
• Browsers provides the option to disable cookies

Proper design of the application can avoid malicious attacks through cookies. Consider a website which sets the current user id in a cookie for retaining the user account information in subsequent visits. Since the cookie is kept in the visitor's system as plain text, the user can always goto the folder where the cookie is kept and change the user id to some other value. When the website is requested again, it will use the new user id which will give the hacker access to the new account.
While cookies are mostly used for storing account information, they are really not intended for such use. You should always take precautions to avoid hacks like the above by encrypting the values before keeping in cookie.

Pros and Cons

A cookie is a very handy and easily usable state management technique. It is useful when you want to keep small information that is needed for long periods of time. The processing overhead of cookies is much less compared to sessions. However, it has the following disadvantages:

• Cookies have a size limitation of 4KB. Storing huge information is not possible.
• Cookies can be easily tampered as they are kept in the client's machine. So additional security checking has to be done when using them.
• The user can disable cookies.

Session State

A cookie is very simple and is not suitable for sophisticated storage requirements. Session state is a workaround for this problem and it gives a method to keep more complex objects securely. ASP.NET allows programmers to keep any type of objects in session. Data stored in session will be kept in server memory and it is protected as it will never get transmitted to a client. Every client that uses the application will have separate sessions. Session state is ideal for storing user specific information.
The following code shows storing a string value in session.

Collapse | Copy Code

 Session["name"] = "Navaneeth";

Session accepts a System.Object type. So you need a type cast when reading. Reading values from session is like

Collapse | Copy Code

 string name = Session["name"] as string;

 // null checking is needed as session may not exist

 if(!string.IsNullOrEmpty(name))

      // use the name here

Values stored in sessions can be removed by several methods. The following table shows different methods used.

Method	Description
Session.Abandon()	Cancels the session and fires end event. This is used when you are done with the session.
Session.Clear() / Session.RemoveAll()	Clears all contents of the session. This will not end the session
Session.Remove(string)	Removes the session name supplied.

How Session Works?

ASP.NET maintains a unique id which is called as "session id" for each session. This id is generated using a custom algorithm and it is unique always. Session id will be sent to the client as a cookie and the browser resends this upon each request. ASP.NET uses this session id to identify the session object. The following code shows how to get the session id

Collapse | Copy Code

 string sessionId = Session.SessionID;

If you haven't stored anything in the session, ASP.NET will generate a different session id for each request. Once a session has contents, the session id will not change. Session id is the only information which is sent to the client about sessions. As said before, ASP.NET sends session id in a cookie named ASP.NET_SessionId. But this will not work if cookies are disabled by the visitor. In such cases, ASP.NET passes session id through the URL. This behaviour can be controlled by adding the following section to web.config file under the system.web section.

Collapse | Copy Code

<sessionState 

      cookieless="UseUri" />

Note: ASP.NET AJAX extensions won't work as expected if this is enabled.

Session Timeout

Each session will have a timeout value (default 20Mins). If the page is not getting any requests within the timeout limit specified, ASP.NET will assume that the user has left the application and it immediately terminates the session and fires the End event. This helps the server to cleanup unused sessions and gives room for new requests. Timeout value can be changed from web.config file or through code. Timeout value is specified in minutes.

Collapse | Copy Code

 <sessionState 

        timeout="60" />

 or

 Session.Timeout = 60;

Session Timing out Frequently

I have seen many questions on discussion forums which state, "My session timeout is 60 minutes and it is timing out before that." Well, ASP.NET will clear session when any of the following happens

• ASP.NET worker process recycles frequently. When this happens, it will clear all active sessions.
• When files like web.config or application assemblies are modified, ASP.NET will recyle the worker process.

Where Session is Stored?

ASP.NET allows three types of session storage which are described below

Mode	Configuration	Storage location	Description	Pros/Cons
InProc	<sessionState mode="InProc" />	ASP.NET processes memory area	This is the default session storage. Session data will be kept in the server memory. InProc mode is a high performant as it reads from the same processes memory and it allows you to keep all .NET types. If session mode is not specified, ASP.NET will use InProc as the default mode.	As the InProc mode keeps data in same processes memory area, any impacts happened for the ASP.NET worker process will affect the session data.
StateServer	<sessionState mode="StateServer" stateConnectionString= "tcpip=Yourservername:42424" />	Server memory as a seprate process	StateServer mode provides a basic level of isolation for the data storage. It runs as a separate windows service and keeps the session data out of ASP.NET process memory area. To access session, ASP.NET process has to communicate with this external process.	It is less performant compared to InProc mode. But this helps you to avoid loosing session data when ASP.NET worker process restarts.
SQL Server	<sessionState mode="SQLServer" sqlConnectionString="..." />	In SQL server database	If you still need more resillient storage, SQLServer mode is the choice. It allows to keep session data in SQLServer. This is helpful when your web application is hosted in a webfarm.	Slow data access Allows to store only serializable types

If any of the above discussed methods are not satisfying your storage requirements, ASP.NET allows to specify a custom storage provider. This [^] article shows how to do this.

Usage and Best Practices

Incorrect usage of session will blow up your application. The most common error users make is the NULL reference exceptions when using sessions. Consider the following code

Collapse | Copy Code

  // bad code ! don't use

  string name = Session["name"].ToString();

This code is problematic as session["name"] may not exist or may be NULL and ToString() will be called on that NULL reference which will throw the common "Object reference not set to an instance of the object" error.
Another problem with session is that it is not strongly typed. Session keeps System.Object type which means every .NET type can be kept in session. Consider the following code

Collapse | Copy Code

 Session["age"] = "I can store a value that is not number!";

Since it is not strongly typed, Session["age"] can contain any value and you will have problems when using this. Also, you may make typing mistakes when typing the session names. This will also lead to unexpected behaviours. The following section describes workarounds for these problems.

Wrapping Session in a Strongly Typed Class

To workaround the above problems, we can create a strongly typed wrapper classes around the session and route all calls to session through this wrapper. Consider a simple scenario where you need to keep user details like name, age, email validated etc in a session. We create a class to represent all required fields. See the following code

Collapse | Copy Code

 public class PersonSession

 {

    // This key is used to identify object from session

    const string KEY = "personDetails";

    public PersonSession(int id,string name,int age,bool emailValidated)

    {

        this.Id = id;

        this.Name = name;

        this.Age = age;

        this.HasEmailValidated = emailValidated;

    }

    public static PersonSession GetPersonSession() {

        return HttpContext.Current.Session[KEY] as PersonSession;

    }

    public static void CreatePersonSession(PersonSession person) {

        HttpContext.Current.Session[KEY] = person;

    }

    public int Id { get; private set; }

    public string Name { get; private set; }

    public int Age { get; private set; }

    public bool HasEmailValidated { get; private set; }

 }

The above given class abstracts the session access and provides a clear interface to access the session contents safely. The static methods CreatePersonSession and GetPersonSession can be used to create and get details of a person from session. The following code shows how to store person details into session.

Collapse | Copy Code

 PersonSession person = new PersonSession(int.Parse(txtPersonId.Text),

            txtName.Text, int.Parse(txtAge.Text), chkEmailValidated.Checked);

 PersonSession.CreatePersonSession(person);

To retrieve person details, you need to do

Collapse | Copy Code

 PersonSession person = PersonSession.GetPersonSession();

 // if session not exist, this will return NULL

 if (person != null) {

    // person exist. Use person's properties to get values

 }

Note: HttpContext.Current.Session is needed when accessing from a class that is not derived from System.Web.UI.Page.

Base Page Class Approach

Assume that you need to prevent users from seeing your page unless person details exists in session. You may end up doing the following code for all the pages that needs to be secured.

Collapse | Copy Code

 protected void Page_Load(object sender, EventArgs e)

 {

        PersonSession person = PersonSession.GetPersonSession();

        // if session not exist, this will return NULL

        if (person == null) {

            // session not exist. Redirect user to login page

        }

 }

Writing the above code in all pages that needs session is redundant. It is very tough to make a change if something got changed in the session wrapper class-PersonSession. The recommended approach is to keep a base page class which is derived from System.Web.UI.Page and all your pages which need PersonSession should inherit from this base page class. This allows you to do the session checking in the base class and redirect the user if required. The following diagram shows this approach.

We create two classes NormalPage and SecuredPage both derived from System.Web.UI.Page. SecuredPage overrides the OnInit method which looks like this:

Collapse | Copy Code

 protected override void OnInit(EventArgs e) {

        base.OnInit(e);

        // check the person details existance here

        PersonSession person = PersonSession.GetPersonSession();

        if (person == null) {

            Response.Redirect("NotLogged.aspx");

        }

        else

            this.Person = person;

 }

If person details are not found in the session, it redirects to the NotLogged.aspx page and it sets the Person property if session exists. Classes which derive from this class can use this Person property to access the person details. Usage of this class is pretty straightforward. See the following code.

Collapse | Copy Code

 public partial class AuthenticatedPage : SecuredPage

 {

    protected void Page_Load(object sender, EventArgs e)

    {

        lblMessage.Text = "Session exist";

        lblMessage.Text += string.Format("Person Id : {0}",Person.Id);

        lblMessage.Text += string.Format("Person Name : {0}", Person.Name);

        lblMessage.Text += string.Format("Person Age : {0}", Person.Age);

        lblMessage.Text += string.Format("Email validated? : {0}", Person.HasEmailValidated);

    }

 }

Note: We are not using NormalPage here. If you have any particular behaviour common for all non-authenticated pages, this class is the best place to add that.
That's all about sessions. When using it, try not to abuse sessions. Overusing sessions may degrade your application performance.

Application State

ASP.NET implements application state using the System.Web.HttpApplicationState class. It provides methods for storing information which can be accessed globally. Information stored on application state will be available for all the users using the website. Usage of application state is the same as sessions. The following code shows storing a value in an application variable and reading from it.

Collapse | Copy Code

 Application["pageTitle"] = "Welcome to my website - ";

 // Reading the value from application variable

 string pageTitle;

 if (Application["pageTitle"] != null)

      pageTitle = Application["pageTitle"].ToString();

Understanding Session and Application Events

Before we discuss the practical usage of application state, you should get a basic knowledge about the events associated with application and session. These events can be seen in the global.asax file. See the following table for the details.

Event name	Description
Application_Start	This event executes when application initializes. This will execute when ASP.NET worker process recycles and starts again.
Application_End	Executes when the application ends.
Session_Start	Executes when a new session starts.
Session_End	Executes when session ends. Note : this event will be fired only if you are using InProc as session mod.

A Practical Example

The most common usage of application variables is to count the active number of visitors that are browsing currently. We can utilize session_start and session_end events to do this. The following code shows how this is done.

Collapse | Copy Code

 void Application_Start(object sender, EventArgs e) 

 {

     // Application started - Initializing to 0

     Application["activeVisitors"] = 0;

 }

 void Session_Start(object sender, EventArgs e) 

 {

     if (Application["activeVisitors"] != null) {

         Application.Lock();

         int visitorCount = (int)Application["activeVisitors"];

         Application["activeVisitors"] = visitorCount++;

         Application.UnLock();

     }

 }

You might have noticed Application.Lock() and Application.UnLock() calls. ASP.NET is multithreaded and this is required to synchronize data when multiple visitors access the site at the same time.
Application state is not providing any timeout method like session. Application state will be available until the application ends. So one should be very careful when using application state. You should explicitly cleanup the values stored when you are finished using it.

Keeping State in Static (shared in VB) Variables

Static variables will have a lifetime until the application domain where it is hosted ends. ASP.NET hosts each website in a separate application domain to provide isolation with other websites hosted on the same server.
Consider you have a page where all product details are displayed. Product details are fetched from the database and filled into custom collection and returned back to the page. To avoid fetching product details all time for each visitors, we can load it when it is requested for the first time and keep it in a static variable to serve for the next requests. Consider the following Product and ProductServices class.

Collapse | Copy Code

 class Product

 {

        public Product(int id,string name) {

            this.Id = id;

            this.Name = name;

        }

        public int Id { get; private set; }

        public string Name { get; private set; }

 }

 class ProductService

 {

        static List<Product> products = null;

        static readonly object locker = new object();

        public static List<Product> GetAllProducts() {

            // If product is NULL, loading all products and returning

            if (products != null) {

                lock (locker) {

                    if (products != null) {

                        // fill the products here

                    }

                }

            }

            return products;

        }

 }

The above given code is self explanatory. The variable products will have a lifetime until the application domain unloads. When ProductService.GetAllProducts() is called for the first time, it fills the collection and return. For the further requests, it will just return the collection which is already filled.
Values kept in static variables are accessible to all visitors in the website. So you should take extra care when writing methods like the above. You need locking because multiple visitors may call the GetAllProducts method at the same time.
The above given example is an implementation of the " Singleton pattern [^] ".

Profiles

Session data is lost when the visitor leaves the webpage. What if you need to persist all the user information for a long time? ASP.NET Profile is the answer. It provides a neat way to persist information for a long time. Creating a profile is trivial. You only need a few entries in the web.config file as seen below

Collapse | Copy Code

 <profile>

    <properties>

       <add name="Id" type="Int32"/>

       <add name="Name"/>

       <add name="Age" type="Int32"/>

    </properties>

 </profile>

ASP.NET generates a strongly typed class for accessing profile data. Data type for the properties are chosen depending upon the type value. Default type is string if no type is specified. Following code shows setting values and reading back from profile.

Collapse | Copy Code

 Profile.Name = txtName.Text;

 Profile.Id = int.Parse(txtPersonId.Text);

 Profile.Age = int.Parse(txtAge.Text);

 // to read profile value, use

 int age = Profile.Age;

 string name = Profile.Name;

 int id = Profile.Id;

ASP.NET keeps the profile data in SQLServer database. If no databases are available in the project, it creates a database file in the app_data directory when it is used for the first time. Profiles are implemented using the provider pattern. SQLProfileProvider is the default profile provider. Profiles use windows authentication by default. Profile object can be used with any authentication modes supported by ASP.NET.
Profile is very handy in many situations. However, it has the following drawbacks

• It allows to keep only serializable types
• Reading data from profile requires database access which can potentially make your application less performant. If your website uses profiles heavily, you have to cache the results to avoid unncessary database calls.

This is a high level overview of profile. There are many other features profile offers such as groups, anonymous access etc. Explaining whole profile detail is beyond the scope of this article. Check this [^] MSDN article for more details.

Hacking ViewState

ViewState is already explained in the previous section [^] . Articles that talk about viewstate always say, it is less secure and not good for keeping secure information. Let us see how a viewstate value can be hacked.
Data kept in Viewstate is serialized using LosFormater, a less known class used for serialization. LosFormatter is helpful to serialize simple types and it produces ASCII string representation of the object graph. The following code shows using LosFormatter.

Collapse | Copy Code

  [Serializable]

  class Customer

  {

       public Customer(int age,string name) {

           this.Age = age;

           this.Name = name;

       }

       public int Age { get; set; }

       public string Name { get; set; }

  }

  string Serialize() {

     // Creating customer object

     Customer customer = new Customer(25,"Navaneeth");

     // formatting

     LosFormatter formatter = new LosFormatter();

     using (StringWriter output = new StringWriter()) {

        formatter.Serialize(output, customer);

        return output.ToString();

     }

  }

The above code serializes the object graph and produces an ASCII string which can be transmitted over HTTP.
The following code shows decrypting viewstate values.

Collapse | Copy Code

  object HackViewstate(string viewStateValue) {

        LosFormatter formatter = new LosFormatter();

        return formatter.Deserialize(viewStateValue);

  }

The following figure shows the contents of the object which is deserialized

This gives you a clear explanation of why secured data should not be kept on viewstate.

Conclusion

This article tackled the state management techniques used in ASP.NET. You have learned what is HTTP protocol and the need for state management. We discussed the stateless architecture of HTTP protocol and how a website works.
In the second section, we discussed QueryString and how it helps to maintain information across different pages. We also discussed about hackable URLs and some best practices for using it.
The third section discussed the usage of cookies. We have seen the pros and cons of cookies. We also discussed multi-valued cookies which helps to overcome the number of cookies a website can set. Security constraints and a practical example have also been discussed.
The next section discussed "Session state" which provides more sophisticated storage. We have seen how session works, session modes and best practices for using it. We have also discussed about session timeout and cookie-less sessions.
"Application state" is discussed in the next section. Discussed about the events which are associated with session state and application state. We have seen a practical example where application state is very handy. Then we discussed about storing the state in static(shared in VB) variables. We have seen the lifetime of a static variables and how locking is used to synchronize access between multiple threads. Profiles are very handy when you need to persist information for long periods of time. We have discussed profiles in the next section and seen simple usage of profiles.
Finally, we discussed viewstate hacking techniques and proved secured information should not be kept on viewstate. We discussed about the serialization class LosFormatter and how it works.
That's all about this article. I hope you will find it helpful. I'd appreciate if you rate this article and leave your feedback below.
Thank you for reading, happy coding!