Session is a special type of variable or object that is used in state management in web applications. A web application works as a disconnected or asynchronized architecture as when a client request a page the web server hosting the requested application serves the requested page to client and then it doesn't know about who has requested a page or if the client sends another request to server or web application it doesn't know if the same client has sent request prior to this one.
So now in the given scenario for any dynamic web application if the application needs to track the client or user for processing, there should be some way to track the users. The web application has two most common ways to do the same, Cookies and Session.
Cookies and Session are different as
• Cookies are a piece of information stored at client machine in small files where as the session is maintained by server.
• Cookies can persist long for several days but Session has a smaller life span and at the max for one session of a browser.
Our emphasis here will be on Session only. We are not talking about any specific web technology here as the concept discussed here holds true for most of the web technologies. Just the syntax and semantics of a language differs.
The life span of a Session is for one browser session only, that means the session will be maintained till one browser session is on and the moment browser is closed the session for that particular browser ends. The web application fires two event in relation with Sessions such as Session_Start() and Session_End(). The names of events might differ for different programming language used. Session_Start is called when user sends a request for a web page for first time to the application and Session_End is called when the user closes the browser. So these events can be used for variable initialization and clean up jobs.
For the Session variables that developer creates to use in the application the developer decides the life span, so it comes into existence when developer explicitly creates them and goes out of scope when developer destroys it. If in any case if the developer forgets to destroy or do a clean up on session variable that he has created, the Session variable will still be lying alive with server and will be cleaned up if server or application restarts or the clean up process is run.
When is it created
Session is created when user sends a first request to the server for any page in the web application, the application creates the Session and sends the Session ID back to the user with the response and is stored in the client machine as a small cookie. So ideally the "machine that has disabled the cookies, session information will not be stored".
When is it destroyed
The Session is destroyed the moment you close the browser at user end. For the new request a new Session will be created and the Session id will be sent to the client machine. Two different browser opened on the same machine will cause creation of two separate Session, one for each browser if they call the same web application. Though the browser Session comes to the end when user closes the browser however there is no way for the server to get if the information if the user has closed the browser so the Session is still alive at the server. If the server doesn't get another request from the user for the time specified for Session timeout then the Session will be timed out and later will be cleaned up.
Where is it created
Session creation place is a big question for most of us. But it is simple that the Sessions are created at server, it takes up server resources and the Session ID is stored as a small piece in Cookies at client end. So it will remove it from user's machine when the particular browser is closed. And from server for general Session it will destroy when user closes the browser and session reaches the timed out state. But if developer specifically creates Session variables in application he must clear and abandon explicitly or hanging Session variables will be left at server it clean up process is called up.
When to or not to use
This is again a tricky question about when to or not to use the session. We use Sessions when we need to or we want to track the user for a particular Session. For example the pages are driven by a user specific data you create Session and track the user for the customized content on the page.
I have seen many new comers use the Session just as a medium to pass the value from one page to another, no this is a big NO, Sessions are not meant for that though can be used, but there are different and more efficient ways to pass to values from one page to another page. Sessions are created for different purpose; don't try to have your soup with fork by using Session to just pass values from one web page to another. Use Sessions to store a value that is to be used across Session or on multiple pages. Remember Session variables takes up the server resources hence each Session variable created is a burden on the server. So be careful about the needs when you create a Session variable.
Important point to note while creating a session
Be very careful about your needs while creating Session and at the same time what ever Session variables you create must be destroyed properly. If we just think that when browser closes the Session is over and so our duty too is over, no that's wrong. If we create any Session variable we must destroy them as well else they will still be hanging live at server (till the garbage collection is done by the server) even though the browser is closed by user. And this can cause a server crash in some cases if you expect a heavy traffic on your web application.
So now here as a closing note we can say that Session is a way for any web application to track its request or users, providing user specific content on the page. Session is a great way to trace the user; access the information across the pages in the application but at the same time must be used wisely as it is always advice to use minimum Session variable in you web application. In the next article, I will examine the Session handling with .NET in detail.
1. How many sessions will be created if I open one browser to open a web application, log in to that, log out and again login with different user name in the same browser?
2. How many sessions will be created if I open two browsers and the same web application?
3. What will happen if I copy and paste the URL of a web application that I have logged into, to another web browser and load that?
Thanks a lot for this lovely and simple article. It's a well categorised article.
I will wait for your next one(Session in .NET)
In short many important notes about Session is mentioned in this article. Nicely described.
I would like to know some more technical details like "What kinds of object can I store in session state? Is there any security velnerability of using session objects?"
Session do not destroy at time browser is closed.
Actually the sessions are destroyed at either we delete them mannually
or after certain time whether browser is closed or not.
Like if we open our mail & left pc open. After sometime we will find that session is destroyed on its own.
Also if the time is set more than the time browser closed, session remains there.
It is obvious, as if browser close will tell session destroy, it has to send some data to server. But as we close the browser, there is no further transfer of data to server.
Session Management has nothing to do with when a browser is closed.
Session lapses when the time out is expired even though the browser is open
Thanks for your valuable feedback.
About the "session destroy over browser closer", I guess i am making it clear what you are saying, if you read the complete para
"Though the browser Session comes to the end when user closes
the browser however there is no way for the server to get if the information if the user has closed the browser so the Session is still alive at the server. If the server doesn't get another request from the user for the time specified for Session timeout then the Session will be timed out and later will be cleaned up.
PS: Your feedback helps me improve :)
I want to insert/update signout time when user close the browser without doing signout properly using C#/Asp.Net 2.0. Is it possible and how?
Please help in this..
Good Article but little bit error in session destroying.
Thanks this is really helpfull.
But if after logout if the session will not be killed completely, then how to kill the session ?
Good explanation to know the sessions for beginners
That's is good post.
Very useful for the developers.
Keep posting more and more......
Thanks for the great article.
Could you please explain where exactly the session resides.
To my knowledge, we have three opiton,
1 in proc
2 state server
3 sql server
My doubt is with where session goes in case of "state srever" and "in proc"
You have clearly mentioned that session is created by our application..
But i still have doubt that weather session is created by the server or by our application which resides on the server.
You are right we have three different type of options to store session.
Session maintained in the website process is
called Inproc Session.
Restarting website will erase the session.
2.State server session:
Session maintained out side the website in the
state server is called state server session.
Restarting state server will erase the session.
3.Sql server session:
Session maintained out side the website in the
Sql server database is called sql server session.
Session is maintained until we delete from the
If you learn't from defeat..
You haven't really lost..