Session State module settings in IIS

In this article, we will examine the types of Session State and how to configure this module in IIS 7.5 using two methods: the IIS Manager user interface and Appcmd.exe commands.

Session State module configuration levels in IIS

  • Web Server
  • Site
  • Application
  • Physical and Virtual Directories
  • File (URL)

Modules and handlers:

The necessary modules and handlers must be installed and activated on each of the above levels on the web server.

Note: Modules can only be activated at Web Server, Site, and Application levels, but handlers can be activated at any of the mentioned levels.

Access level required to configure the Session State module in IIS

If you use IIS Manager to configure Session, you must have Administrator access or be an IIS Manager user with access rights to a site or an application in IIS Manager.

Note: If you are just a regular user in IIS Manager, you may not be able to configure the Session State module if the configuration elements related to it are locked. If you configure Session State through Appcmd.exe, run WMI scripts, or edit configuration files, you must have Write permission on the relevant configuration file or files.

Activation of the In-Process state in the Session State module:

The In-Process state in the Session State module stores the Session State data for the ASP.NET application in the worker process (the process that executes the application). By default, Session State in IIS 7.5 is In-Process. The In-Process state gives quick access to Session State data. However, the more data you store in the Session, the more of the web server's memory you use, which slows down the server. Before you configure the In-Process state in the Session State module, you should consider the impact of worker process recycling on the Session State data. If the worker process is recycled, all Session State data will be lost. If your ASP.NET applications need to maintain Session State data and the speed of data access is not very important to you, you can use the Out-of-Process state in the Session State module to store the data.

Note: Windows State Service or Aspnet_state.exe must be running for the In-Process state in the Session State module. By default, this service is installed and configured for manual start when Windows Server 2008 is installed. It is recommended to change the start type of the Windows State Service from Manual to Automatic.

How to activate the In-Process state in the Session State module for a web server:

You can activate the In-Process state in the Session State module through the user interface (UI), by running Appcmd.exe commands in the Windows Command-Line environment, by directly editing configuration files, or by writing WMI scripts. We will discuss the first two of these methods. For information on how to edit the web.config file or write WMI scripts to set the session state, refer to the Microsoft website.

  • Activating the In-Process state in the Session State module through the user interface (UI):

  1. Open IIS Manager and click on the level you want to manage.
  2. In the Features View, double-click Session State.
  3. On the Session State page, click In-Process in the Session State Mode Settings section.
  4. (Optional) Cookie settings can be made in the Cookie Settings section of the Session State page.
  5. (Optional) Select the Use hosting identity for impersonation option (Figure 4) to use Windows authentication and the host process identity.
  6. Click Apply in the Actions window.

  • Activating the In-Process state in the session state module in the Windows Command-Line environment:

To activate the In-Process state in the Session State module, enter the following text in the Windows Command-Line environment and press Enter:

[pre]

appcmd set config /commit:WEBROOT /section:sessionState /mode:InProc

[/pre]

The /mode:InProc parameter activates the In-Process state in the Session State module. Note that the In-Process state in the Session State module is already enabled by default.

Configuring Session Time-Out:

When session state is enabled for your application, your ASP application assigns the user a unique session ID on the first request they send to a web page. By default, the session expires when the user does not request or refresh a page in the ASP application within 20 minutes. Because Session objects are allocated memory on the web server, you may want to reduce the time-out value to save resources.

Note: Be careful when you set the session time-out value, because the information stored in a user's Session object is lost when the time-out occurs.

Session time-out configuration using the user interface:

  1. Open the IIS Manager program and select the level you want to manage.
  2. In the Features View section, double-click ASP.
  3. On the ASP page under the Services section, click the plus sign next to Session Properties.
  4. In the Time-out field, enter the value in hh:mm:ss format. The default value is 20 minutes.
  5. In the Actions window, click Apply (according to Figure 5).

Using the Appcmd.exe command in the Command-Line environment to configure the session time-out:

To specify the default time interval that a Session Object is retained after the last request, use the following command in the Command-Line environment.

[pre]

appcmd set config /section:asp /session.timeout:timeSpan

[/pre]

The timeSpan variable in the above command represents the maximum time interval that a session object is kept after the last request. The default value of the above variable is 00:20:00.

Disabling session state in IIS 7.5:

By default, IIS enables session state for ASP. By enabling session state, the web server creates a session object or a unique session ID and assigns it to each user who sends a web page request from an ASP application. The web server then uses that session ID to retain information about the user until the session expires or is abandoned by an ASP script.

Sessions can use up valuable resources of a web server. By disabling session state, you will be able to improve the performance of your ASP application. When you disable session state, ASP will not track users and will not allow ASP scripts to store information in the Session object or use the Session_OnStart or Session_OnEnd events for more than one request or event.

Session state deactivation methods:

To disable session state, you can use the following methods:

  • Deactivation using the user interface.
  • Deactivation by running Appcmd.exe commands in the Windows Command-Line environment.
  • Deactivation by directly editing configuration files.
  • Deactivation by writing WMI scripts.

In the following, we will examine the first two methods.

1- Deactivation using the user interface:

  1. Open the IIS Manager program and click on the level you want to manage.
  2. In the Features View section, double-click ASP.
  3. On the ASP page, under the Services section, click the plus sign next to Session Properties.
  4. Set the Enable Session State field to False.
  5. In the Actions window, click Apply.

2- Disabling session state through the Appcmd.exe command in the Windows Command-Line environment:

To disable session state for an ASP application, use the following command in the Command-Line environment.

[pre]

appcmd set config /section:asp /session.allowSessionState:False

[/pre]

The allowSessionState:False parameter in the above command disables session state. The default value of this parameter is True.

Specifying a custom session state provider (Custom Session state Provider):

You can use a provider to handle the session state of your ASP.NET application on your web server. The provider creates the necessary connection to the database where the session state information is stored. There are two basic reasons for using a custom session state provider:

  • You need to store session state information in a data source other than SQL Server, such as a FoxPro database or an Oracle database.
  • You need to manage session state information using a database schema that is different from the schema used by the providers included with the .NET Framework. For example, shopping cart data may be stored in an existing SQL Server database with a predefined schema for a site or company.

Specifying a custom session state provider:

To specify a custom session state provider, you can use the following methods:

  • Use the user interface
  • Running Appcmd.exe commands in the Windows Command-Line environment.
  • Direct editing of configuration files.
  • Writing WMI scripts.

Next, we will explain the first method.

Using the user interface to specify a custom session state provider:

  1. Open the IIS Manager program and click on the level you want to manage.
  2. In the Features View section, double-click Session State.
  3. On the Session State page, click Custom in the Session State Mode Settings section.
  4. In the Actions window, click Apply.

Cookie state configuration for the Session State module:

One of the ways to track the session state for clients that are connected to the web server is to use cookies. You can configure the web server to use cookies, not to use cookies, or to choose a cookie behavior that depends on the browser used to communicate with the web server.

We will examine the following configurations:

  • Session state configuration using Cookie Mode
  • Session state configuration using Device Profile Cookie Mode
  • Session state configuration using Auto-Detect Cookie Mode
  • Session state configuration using URI Cookie Mode

A session cookie associates the session information with the client information for a session (the duration of the user's connection with a site). The cookie is exchanged in an HTTP header with every request between a client and a web server. Using cookies is more beneficial than methods that do not use cookies, because cookies do not require redirection. Additionally, they allow the user to bookmark web pages. However, cookies also have drawbacks, which are described below:

  • Some web browsers do not support cookies.
  • Users can disable cookies.

Configuration of Session State using Cookies Mode:

Using the user interface:

  1. Open the IIS Manager program and click on the level you want to manage.
  2. In the Features View section, double-click Session State.
  3. On the Session State page, in the Cookie Settings section, select the Use Cookies option for Mode.
  4. Type the cookie's name under Name, or use the default cookie name, ASP.NET_SessionId.
  5. Type the time-out value in the Time-out field, or use the default time-out, which is 20 minutes.
  6. In the Actions window, click Apply.
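
The settings described above (session state mode, cookie mode, cookie name, time-out, and the ASP Enable Session State switch) are stored as attributes in the configuration files, so they can be reviewed offline from an exported web.config or applicationHost.config. The following is an added example, not code from the original article: the sample configuration is constructed, the function names are hypothetical, and the UseCookies default for a missing cookieless attribute is an assumption taken from the ASP.NET configuration schema rather than from this page.

```python
import xml.etree.ElementTree as ET

# Constructed sample config (not from a real server); attributes follow the
# system.web/sessionState and system.webServer/asp/session sections.
SAMPLE_CONFIG = """<configuration>
  <system.web>
    <sessionState mode="InProc" cookieless="UseUri" timeout="120" />
  </system.web>
  <system.webServer>
    <asp><session allowSessionState="true" timeout="01:30:00" /></asp>
  </system.webServer>
</configuration>"""

DEFAULT_MINUTES = 20  # default time-out stated in the article

def hms_to_minutes(value):
    """Convert the ASP hh:mm:ss time-out format to minutes, rounding seconds up."""
    hours, minutes, seconds = (int(part) for part in value.split(":"))
    return hours * 60 + minutes + (1 if seconds else 0)

def audit_session_config(xml_text, max_minutes=DEFAULT_MINUTES):
    """Return (settings, findings) for the session settings in a config file."""
    root = ET.fromstring(xml_text)
    settings, findings = {}, []
    state = root.find(".//sessionState")
    if state is not None:
        # Missing attributes fall back to the defaults (assumed: UseCookies).
        settings["mode"] = state.get("mode", "InProc")
        settings["cookieless"] = state.get("cookieless", "UseCookies")
        settings["cookieName"] = state.get("cookieName", "ASP.NET_SessionId")
        settings["timeout_min"] = int(state.get("timeout", DEFAULT_MINUTES))
        if settings["mode"] == "InProc":
            findings.append("InProc: session data is lost when the worker process recycles")
        if settings["cookieless"].lower() in ("useuri", "true"):
            findings.append("URI mode: the session ID is carried in the URL")
        elif settings["cookieless"].lower() in ("autodetect", "usedeviceprofile"):
            findings.append("client-dependent mode: some clients get the session ID in the URL")
        if settings["timeout_min"] > max_minutes:
            findings.append(f"sessionState time-out is {settings['timeout_min']} min")
    asp = root.find(".//asp/session")
    if asp is not None:
        settings["asp_enabled"] = asp.get("allowSessionState", "true").lower() == "true"
        settings["asp_timeout_min"] = hms_to_minutes(asp.get("timeout", "00:20:00"))
        if settings["asp_enabled"] and settings["asp_timeout_min"] > max_minutes:
            findings.append(f"ASP session time-out is {settings['asp_timeout_min']} min")
    return settings, findings

if __name__ == "__main__":
    for finding in audit_session_config(SAMPLE_CONFIG)[1]:
        print("-", finding)
```

Note that the ASP.NET sessionState time-out is written in minutes, while the ASP session time-out uses the hh:mm:ss format entered in the Time-out field.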