CIS Logo SVC Logo

   Computing & Information Systems


Schoology Facebook        Search CIS Site      Tutorials

Maintaining Session State Information

The Goals for this Example

In many web applications we need to keep track of information about each particular user's session. This may be needed to keep track of each user's preferences. Also, if a web form collects user data that we want to use somehow in a second web page, then we need a way to get this session information to that second page. This does not happen automatically. Two typical methods that are used for this in VB .NET web apps include the use of cookies and HttpSessionState objects. We discuss the latter in this particular example.

As an example, we modify our previous web app so that the results of the database lookup are displayed on a separate page. To do this we take the maximum and minimum price information that we collect on the first page and make it available to the second page, which retrieves from the database the products that fit that price range.

Making the Modified Web App

What the App Should Do

  • Like the previous web app, this one will display auto parts data that fits the price range that the user inputs.
  • However, this time the results will be displayed on a new page.
  • The initial view of the application shows that the user begins with a page in which to enter the desired price range.
  • Once the "List Matches" button is clicked, the web app shows the selected auto parts data on a new page.
  • Thus the app works much the same as before, except that the results are not shown on the original page.

Copying the Previous Web App

  • Use My Computer to copy your previous web app to a folder names Session in a convenient locationi (such as your M drive).
  • Then open the new copy in Visual Studio 2005.

Adding another Web Form

  • We will use this new web form to display the results of the user's query for auto parts data.
  • In Solution Explorer, right click on the new project.
  • Select Add, New Item, Web Form.
  • In the dialog box, type in the name Results.aspx as the name of the new web form.
  • Change the title on Results.aspx to Vintage Used Auto Parts.
  • Also change the name of the Default.aspx form to Home.aspx.
  • Copy controls to the Results.aspx form until it looks like this screen shot. Note that the bottommost blue label has ID PartsLabel. Make sure that it is visible, as in the previous web app it was not. The GridView has ID PartsGridView, has Visible set to False, and has no data source specified. It is suggested that you use the GridView's smart tag, then Edit Columns to go in and remove the 4 bound fields. Then you need to set the GridView's AutoGenerateColumns property to True, as otherwise the GridView won't display anything. (The alternative is to leave the 4 bound columns in place and not use AutoGenerateColumns. We want to try out AutoGenerateColumns here.) The 2 red error labels have IDs NoDataLabel and DatabaseErrorLabel, are not visible, and have text fields of "No matching data was found" and "Error in accessing database".
  • Once you have copied PartsLabel, PartsGridView, DatabaseErrorLabel, and NoDataLabel to the new form, you should delete them from Home.aspx, as we no longer need them there.
  • Do File, Save All.

Enabling Session Tracking

  • Actually, session tracking is enabled by default. You just need to know how to use it.
  • Click on the topmost pull-down in Properties for the Results.aspx web form. Select Document so that we see the properties for the overall web form.
  • Then, in Properties look for EnableSessionState. Make sure that this is set to True.
  • Check the Home.aspx web form in the same way.
  • In web applications that do not require the tracking of session information, it is advisable to set EnableSessionState to false. This reduces the amount of overhead. Thus, in our previous web examples we really should have turned off EnableSessionState.
  • With EnableSessionState turned on, information from a web form that you add to an HttpSessionState object is sent to the server and stored there, where it can be used by your code for another web form. Note that every user's browser session gets its own session state. Session state information expires after 20 minutes of activity by default, though the timeout interval can be adjusted. (Note that cookies use the opposite approach, saving the information at the client PC, with 2 flavors of cookies, those that store the information on disk and those that just save their information temporarily in RAM.)
  • Security note: Since each user's session information is stored on the server, you should worry a little about what happens if too many users are active at the same time. Could someone use this as a denial of service attack on your web site, for example?
  • There is also a property called EnableViewState. Although the details of this are beyond what we want to discuss here, it has to do with saving certain information about what you see in a control so that this information is still present if the page posts back to itself. If a page does not post back to itself, it should be possible to turn EnableViewState off in any control that uses it and thus reduce the amount of overhead. EnableViewState saves the information (as a hashed string) in a hidden field of the web page. You can find this hidden field on the web apps that we have produced thus far in our sequence of examples, as we never turned EnableViewState off. Just look at the page in a browser and use View, Source.
  • Leave EnableViewState set at True in the controls in the current web application.
  • For more information, look up EnableViewState and EnableSessionState under Help, Search. Also search for the specific articles "ASP.NET Session State Overview", "Introduction to Web Forms State Management", and "State Management Recommendations".

The Code for Home.aspx.vb

  • In Solution Explorer double click on Home.aspx.vb, the "code-behind" file for your web form, to bring it up in the editor. This is where we add the code for your web page.
  • Once again we will not add a click handler for the button on your form. Instead, we will use the fact that a postback happens whenever the user click on this button.
  • Thus, we just write code to handle the postback in the Page_Load procedure.
  • Make your Page_Load procedure match the following:

    Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
        Dim Min, Max As String

        If IsPostBack Then
            If Page.IsValid Then
                Min = MinTextBox.Text.ToString()
                Max = MaxTextBox.Text.ToString()
                Session.Add("MinKey", Min)
                Session.Add("MaxKey", Max)
            End If
        End If
    End Sub

  • Notice that none of the above code deals with getting data from the database. That will be handled in the code-behind file for the Results.aspx form.
  • If a postback has occurred and the user input validates as reasonable, the above code gets the minimum and maximum values from the text boxes.
  • Then we use Session.Add to add a pair of items to the HttpSessionState object. The pair consists of the key "MinKey" and the minimum value just retrieved from the appropriate text box.
  • In a similar way we add another pair of items to this object. This pair has key "MaxKey" and value Max, the maximum number taken from the other text box.
  • These key/value pairs will be available for our use in the code for our Results.aspx web form. This is what we mean by session state information. Note that this information (the minimum and maximum prices defining the user's desired price range) are associated with a particular user's web session. Another user may be using the same web app at the same time with different session state information (that is, a different price range). In fact, the same user could be using this web app in a different browser session, also with its own price range.

The Code for Results.aspx.vb

  • In Solution Explorer double click on Results.aspx.vb, to get it into the editor.
  • The Page_Load procedure for Results.aspx.vb is where we get the desired data from the database and display it.
  • Make your Page_Load procedure match the following:

Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
    Dim Min, Max As String
    Dim myDatabaseConnection As SqlClient.SqlConnection = Nothing
    Dim myCommand As SqlClient.SqlCommand = Nothing
    Dim myReader As SqlClient.SqlDataReader = Nothing

    NoDataLabel.Visible = False

    If Session.Count = 0 Then   ' No session items were supplied.
        NoDataLabel.Visible = True
        Min = Session("MinKey")
        Max = Session("MaxKey")
            Dim connectionString As String = _
            myDatabaseConnection = New SqlClient.SqlConnection(connectionString)
            myCommand = New SqlClient.SqlCommand()

            'Set up to use a stored procedure:
            myCommand.CommandType = CommandType.StoredProcedure
            myCommand.Connection = myDatabaseConnection
            myCommand.CommandText = "SelectByRange"
            myCommand.Parameters.AddWithValue("@Min", Min)
            myCommand.Parameters.AddWithValue("@Max", Max)

            'Use an SqlDataReader to execute the stored procedure and
            'get the results into the GridView:
            myReader = myCommand.ExecuteReader()
            If myReader.HasRows Then
                PartsGridView.Visible = True
                PartsGridView.DataSource = myReader
                NoDataLabel.Visible = True
            End If
        Catch exception As System.Data.SqlClient.SqlException
            DatabaseErrorLabel.Visible = True
        Catch exception As Exception
            DatabaseErrorLabel.Visible = True
        Finally    'Do cleanup tasks here:
            myCommand = Nothing

            If Not myReader Is Nothing AndAlso _
                Not myReader.IsClosed Then
            End If

            myReader = Nothing

            If Not myDatabaseConnection Is Nothing AndAlso _
                myDatabaseConnection.State = ConnectionState.Open Then
            End If

            myDatabaseConnection = Nothing
        End Try
    End If
End Sub

  • Note that the code is very similar to what was used in the previous web app. Review the explanation under that link if need be.
  • One thing that we have added here is some extra checking.
  • First, if Session.Count is 0, that means that we have no session state information and cannot do a database query with our stored procedure or display any results. This should not happen, but just in case, we can check for this. In such a case, we make the label visible that says that there was no matching data.
  • It is very easy to look up session information when it is present. All you need is the key in order to find the value associated with the key. For example, Min = Session("MinKey") retrieves the value that was associated with "MinKey" on the Home.aspx web form.
  • The code to execute the stored procedure is really the same as before, so we will not analyze it here.
  • However, we do check myReader.HasRows to see if any data was returned by the stored procedure. If so, we display the data in the GridView. Otherwise, the database query found no matches and we make the label visible that says this.

Testing and Debugging The App

  • Save all of your files in Visual Studio.
  • Then build your application.
  • Fix any problems until you get the build to succeed.
  • Use Debug, Start Without Debugging to run your web app locally.
  • Fix any problems that you see.
  • Then publish your app to the live web server, get the web server admin to make it an official IIS web app, and point your browser to the URL for this published app.
  • Make sure that the app works on the live web server, as sometimes an app will work locally, but not on the real web server.
  • Fill in reasonable minimum and maximum values (such as 5 and 50) and click on the List Matches button to see what you get.

Back to the main page for ASP .NET Web Apps

Author: Br. David Carlson
Last updated: October 21, 2008