Asp.Net State Management

ASP.NET State Management

State management is the process by which you maintain state and page information over multiple requests for the same or different pages. Pages are destroyed and re-created with each round trip to the server; therefore, page information will not exist beyond the life cycle of a single page.

ASP.NET provides multiple ways to maintain state between server round trips

Client Side State Management options:

Storing page information using client-side options doesn't use server resources.

• View state
• Control state
• Hidden fields
• Cookies
• Query strings

Server side state management options:

• Application state
• Session state
• Profile properties

View State

 The ViewState property provides a dictionary object for retaining values between multiple requests for the same page. This is the default method that the page uses to preserve page and control property values between round trips.

When the page is processed, the current state of the page and controls is hashed into a string and saved in the page as a hidden field.

Below code shows how viewstate adds data as a hidden form within a Web page’s HTML.

<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUJNzgzNDMwNTMzDxYCHgJpZAUGdGVzdElkZGQ3YjU2QEici7mzF6IA0sPhKHRhrQ==" />

Encrypting of the View State: You can enable view state encryption to make it more difficult for attackers and malicious users to directly read view state information.

To configure view state encryption for an application does the following:

<Configuration>
      <system.web>
              <pages viewStateEncryptionMode="Always"/>
       </system.web>
</configuration>

You can enable view state encryption for a specific page by setting the value in the page directive, as the following sample demonstrates:

<%@ Page Language="C#" AutoEventWireup="true" CodeFile="Default.aspx.cs" Inherits="_Default" ViewStateEncryptionMode="Always"%>

View State is enabled by default, but if you can disable it by setting the EnableViewState property for each web control to false. This reduces the server processing time and decreases page size.

Reading and Writing Custom View State Data: You can use view state to store your own page-specific values across round trips when the page posts back to itself. For example, if your application is maintaining user-specific information — that is, information that is used in the page but is not necessarily part of any control — you can store it in view state.

ViewState ["varname"] = “Value”;

Advantages of using view state are:

• No server resources are required the view state is contained in a structure within the page code.
• Simple implementation View state does not require any custom programming to use. It is on by default to maintain state data on controls.
• Enhanced security features The values in view state are hashed, compressed, and encoded for Unicode implementations, which provides more security than using hidden fields.

Disadvantages of using view state are:

• Performance considerations: Because the view state is stored in the page itself, storing large values can cause the page to slow down when users display it and when they post it. This is especially relevant for mobile devices, where bandwidth is often a limitation.
• Device limitations Mobile devices might not have the memory capacity to store a large amount of view-state data.
• Potential security risks The view state is stored in one or more hidden fields on the page. Although view state stores data in a hashed format, it can still be tampered with. The information in the hidden field can be seen if the page output source is viewed directly, creating a potential security issue.

Control State

If you create a custom control that requires ViewState, you can use the ControlState property to store state information for your control. ControlState allows you to persist property information that is specific to a control and cannot be turned off like the ViewState property.

Advantages of using control state are:

• No server resources are required By default, control state is stored in hidden fields on the page.
• Reliability Because control state cannot be turned off like view state, control state is a more reliable method for managing the state of controls.
• Versatility Custom adapters can be written to control how and where control-state data is stored.

Disadvantage of using control state are:

• Some programming is required While the ASP.NET page framework provides a foundation for control state, control state is a custom state-persistence mechanism. To fully utilize control state, you must write code to save and load control state.

Hidden Fields

ASP.NET allows you to create your own custom hidden fields and store values that are submitted with other form data. A HiddenField control stores a single variable in its Value property and must be explicitly added to the page.If you use hidden fields, you must submit your pages to the server using Hypertext Transfer Protocol (HTTP) POST (which happens if the user presses a button) rather than requesting the page using HTTP GET (which happens if the user clicks a link). Unlike view state data, hidden fields have no built-in compression, encryption, hashing, or chunking, so users can view or modify data stored in hidden fields

Advantages of using hidden fields are:

• No server resources are required The hidden field is stored and read from the page.
• Widespread support Almost all browsers and client devices support forms with hidden fields.
• Simple implementation

Disadvantages of using hidden fields are:

• Potential security risks The hidden field can be tampered with. The information in the hidden field can be seen if the page output source is viewed directly, creating a potential security issue. You can manually encrypt and decrypt the contents of a hidden field, but doing so requires extra coding and overhead.
• Simple storage architecture The hidden field does not support rich data types. Hidden fields offer a single string value field in which to place information. To store multiple values, you must implement delimited strings and the code to parse those strings. You can manually serialize and de-serialize rich data types to and from hidden fields, respectively.If you need to store rich data types on the client, consider using view state instead. View state has serialization built-in, and it stores data in hidden fields.
• Performance considerations Because hidden fields are stored in the page itself, storing large values can cause the page to slow down when users display it and when they post it.

Cookies

A cookie is a small amount of data that is stored either in a text file on the client file system or in-memory in the client browser session. It contains site-specific information that the server sends to the client along with page output. Cookies can be temporary (with specific expiration times and dates) or persistent.

You can use cookies to store information about a particular client, session, or application. The cookies are saved on the client device, and when the browser requests a page, the client sends the information in the cookie along with the request information. The server can read the cookie and extract its value. A typical use is to store a token (perhaps encrypted) indicating that the user has already been authenticated in your application.

Advantages of using cookies are:

• Configurable expiration rules The cookie can expire when the browser session ends, or it can exist indefinitely on the client computer, subject to the expiration rules on the client.
• No server resources are required The cookie is stored on the client and read by the server after a post.
• Simplicity The cookie is a lightweight, text-based structure with simple key-value pairs.
• Data persistence Although the durability of the cookie on a client computer is subject to cookie expiration processes on the client and user intervention, cookies are generally the most durable form of data persistence on the client

Disadvantages of using cookies are:

• Size limitations Most browsers place a 4096-byte limit on the size of a cookie, although support for 8192-byte cookies is becoming more common in newer browser and client-device versions.
• User-configured refusal Some users disable their browser or client device's ability to receive cookies, thereby limiting this functionality.
• Potential security risks Cookies are subject to tampering. Users can manipulate cookies on their computer, which can potentially cause a security risk or cause the application that is dependent on the cookie to fail. Also, although cookies are only accessible by the domain that sent them to the client, hackers have historically found ways to access cookies from other domains on a user's computer.

Query Strings

A query string is information that is appended to the end of a page URL. A typical query string might look like the following example:

http://www.xyzexampleaa.com/listwidgets1.aspx?category=basic&price=100

Query strings provide a simple but limited way to maintain state information. For example, they are an easy way to pass information from one page to another, such as passing a product number from one page to another page where it will be processed. However, some browsers and client devices impose a 2083-character limit on the length of the URL.

In order for query string values to be available during page processing, you must submit the page using an HTTP GET command. That is, you cannot take advantage of a query string if a page is processed in response to an HTTP POST command.

Advantages of using query strings are:

• No server resources are required The query string is contained in the HTTP request for a specific URL.
• Widespread support Almost all browsers and client devices support using query strings to pass values.
• Simple implementation ASP.NET provides full support for the query-string method, including methods of reading query strings using the Params property of the HttpRequest object.

Disadvantages of using query strings are:

• Potential security risks
• Limited capacity Some browsers and client devices impose a 2083-character limit on the length of URLs.

Application State

Application state is a global storage mechanism that is accessible from all pages in the Web application. Thus, application state is useful for storing information that needs to be maintained between server round trips and between requests for pages.

Advantages of using application state are:

• Simple implementation Application state is easy to use, familiar to ASP developers, and consistent with other .NET Framework classes.

• Application scope Because application state is accessible to all pages in an application, storing information in application state can mean keeping only a single copy of the information.

Disadvantages of using application state are:

• Application scope The scope of application state can also be a disadvantage. Variables stored in application state are global only to the particular process the application is running in, and each application process can have different values. Therefore, you cannot rely on application state to store unique values or update global counters in Web-garden and Web-farm server configurations.
• Limited durability: of data Because global data that is stored in application state is volatile, it will be lost if the Web server process containing it is destroyed, such as from a server crash, upgrade, or shutdown.
• Resource requirements:- Application state requires server memory, which can affect the performance of the server as well as the scalability of the application.

Session State

Session state is similar to application state, except that it is scoped to the current browser session. If different users are using your application, each user session will have a different session state. In addition, if a user leaves your application and then returns later, the second user session will have a different session state from the first

Advantages of using session state are:

• Simple implementation
• Session-specific events Session management events can be raised and used by your application.
• Data persistence Data placed in session-state variables can be preserved through Internet Information Services (IIS) restarts and worker-process restarts without losing session data because the data is stored in another process space. Additionally, session-state data can be persisted across multiple processes, such as in a Web farm or a Web garden.
• Cookieless support Session state works with browsers that do not support HTTP cookies, although session state is most commonly used with cookies to provide user identification facilities to a Web application. Using session state without cookies, however, requires that the session identifier be placed in the query string, which is subject to the security issues stated in the query string section of this topic.

Profile Properties

Profile Properties allows you to store user-specific data. This feature is similar to session state, except that the profile data is not lost when a user's session expires. The profile-properties feature uses an ASP.NET profile, which is stored in a persistent format and associated with an individual user.

To use profile properties, you must configure a profile provider. ASP.NET includes a SqlProfileProvider class that allows you to store profile data in a SQL database.