Export (0) Print
Expand All

SessionStateStoreProviderBase Class

Defines the required members of a session-state provider for a data store.

Namespace:  System.Web.SessionState
Assembly:  System.Web (in System.Web.dll)

[AspNetHostingPermissionAttribute(SecurityAction.LinkDemand, Level = AspNetHostingPermissionLevel.Minimal)]
[AspNetHostingPermissionAttribute(SecurityAction.InheritanceDemand, Level = AspNetHostingPermissionLevel.Minimal)]
public abstract class SessionStateStoreProviderBase : ProviderBase

ASP.NET session state reads and writes session data from and to a data store using a session-state store provider. A session-state store provider is a class that inherits the SessionStateStoreProviderBase abstract class and overrides its members with implementations specific to the data store. The session-state store provider is called by the SessionStateModule class during the processing of an ASP.NET page to communicate with the data store for the storage and retrieval of session variables and related session information such as the time-out value.

Session data within each ASP.NET application is stored separately for each SessionID property. ASP.NET applications do not share session data.

You can specify a custom SessionStateStoreProviderBase implementation for an ASP.NET application by setting the mode attribute of the sessionState configuration element to Custom and the customProvider attribute to the name of the custom provider, as shown in the example for this topic.

Locking Session Store Data

Because ASP.NET applications are multithreaded to support responding to concurrent requests, it is possible that concurrent requests might attempt to access the same session information. Consider a scenario where multiple frames in a frameset all access the same application. The separate requests for each frame in the frameset can be executed on the Web server concurrently on different threads. If the ASP.NET pages for each frame source access session-state variables, then you could have multiple threads accessing the session store concurrently.

To avoid data collisions at the session store and unexpected session-state behavior, the SessionStateModule and SessionStateStoreProviderBase classes include lock functionality that exclusively locks the session store item for a particular session for the duration of the execution of an ASP.NET page. Note that even if the EnableSessionState attribute is marked as ReadOnly, other ASP.NET pages in the same application might be able to write to the session store, so a request for read-only session data from the store might still end up waiting for locked data to be freed.

A lock is set on session-store data at the beginning of the request, in the call to the GetItemExclusive method. When the request completes, the lock is released during the call to the SetAndReleaseItemExclusive method.

If the SessionStateModule object encounters locked session data during the call to either the GetItemExclusive or the GetItem method, it will re-request the session data at half-second intervals until either the lock is released or the amount of time that the session data has been locked exceeds the value of the ExecutionTimeout property. If the execution time out is exceeded, the SessionStateModule object will call the ReleaseItemExclusive method to free the session-store data and request the session-store data at that time.

Because locked session-store data might have been freed by a call to the ReleaseItemExclusive method on a separate thread before the call to the SetAndReleaseItemExclusive method for the current response, an attempt could be made to set and release session-state store data that has already been released and modified by another session. To avoid this situation, the GetItem and GetItemExclusive methods return a lock identifier. This lock identifier must be included with each request to modify locked session-store data. Session-store data is modified only if the lock identifier in the data store matches the lock identifier supplied by the SessionStateModule.

Deleting Expired Session Store Data

When the Abandon method is called for a particular session, the data for that session is deleted from the data store using the RemoveItem method; otherwise, the data will remain in the session data store to server future requests for the session. It is up to the SessionStateStoreProviderBase implementation to delete expired session data.

How to: Sample Session-State Store ProviderBuilding ASP .NET Web Applications
Implementing a Session-State Store ProviderBuilding ASP .NET Web Applications
How to: Sample Session-State Store ProviderBuilding ASP .NET Web Applications
Implementing a Session-State Store ProviderBuilding ASP .NET Web Applications

For an example of a session-state store provider implementation, see Implementing a Session-State Store Provider.

The following code example shows the Web.config file for an ASP.NET application that is configured to use a custom session-state store provider.

    <add name="OdbcSessionServices" connectionString="DSN=SessionState;" />

        <add name="OdbcSessionProvider"
             connectionStringName="OdbcSessionServices" />


Any public static (Shared in Visual Basic) members of this type are thread safe. Any instance members are not guaranteed to be thread safe.

Windows 7, Windows Vista, Windows XP SP2, Windows XP Media Center Edition, Windows XP Professional x64 Edition, Windows XP Starter Edition, Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows Server 2000 SP4, Windows Millennium Edition, Windows 98

The .NET Framework and .NET Compact Framework do not support all versions of every platform. For a list of the supported versions, see .NET Framework System Requirements.

.NET Framework

Supported in: 3.5, 3.0, 2.0

Community Additions

© 2014 Microsoft