Maintaining state in ASP.NET: Know your options

Maintaining state is a problem that all Web developers face regardless of the platform. ASP.NET adds four options on top of the standard approaches on the Web. Tony Patton drills down on these options.

Developing robust solutions with ASP.NET requires a thorough understanding of the platform. An important part of most Web applications is maintaining data or state between pages. Here's a look at ASP.NET's four ways to maintain data.

The state of things

A quick review of state as it applies to a Web page helps with the concepts in this article. A good description is the current state of a page which includes the current value of all variables and controls on the page for the current user and session.

It is worth mentioning that the Web is inherently stateless since the HTTP protocol is stateless. The Web server treats every HTTP page request as an independent request. By default, everything on a page is lost when/if you go to another page.

Developers' skills are used to maintain the state of all or a portion of a Web page. In the past, cookies or the query string were often used to achieve this goal. A development platform like ASP.NET provides other ways to maintain state.

Different approaches to state

ASP.NET provides four ways to maintain state within a Web application. The following list provides an overview of each approach:

  • Application state: A data repository available to all classes in an ASP.NET application. The data is stored in memory on the computer. It is available to all users and sessions for the application.
  • Control state: This approach provides the ability to save the state of a specific control on a page; this is especially true for data controls like DataGrid and GridView, where control state is used to store behavioral data. The control state is used to provide paging and sorting functionality in the GridView control. It cannot be modified or directory accessed.
  • Session state: A data repository available on a user by user basis; that is, it stores data for individual users. By default, session state is enabled.
  • View state: This approach stores the state of all controls on a page. It is applicable to only that page, so every page maintains its own view state. It is enabled by default for all ASP.NET pages.

While control state does not provide programmatic access, you can work with the other states, as I explain below.

Application state

Utilizing application state within a site is as simple as using the Application keyword and assigning or accessing one of its values. The Application object — as well as the ViewState and Session objects used for view and session state — is a Dictionary object. With that said, entries are assigned index values as well as data values. The following C# snippet assigns a value to the Application state variable ApplicationName:

Application["ApplicationName"] = " Example";

Application state variables live within the application, so they are accessible to all users. Problems may arise when/if two users attempt to write data to the same Application entry. This may be avoided by locking the object when a data change is made. Also, Application state values are cleared during server reboot and do not carry over to other processors or servers in a cluster or farm environment.

Session state

A session begins when a user accesses a Web application. It ends when they leave the application or a certain amount of time has passed with no site activity. The Session state object can be used to maintain values during a user's session.

The values in the Session object are only applicable to a certain user and may not be accessed by other users. Like the Application object, the Session object is Dictionary, with values accessed according to their index values. The following VB.NET snippet stores a value in the Session variable called UserName:

Session("UserName") = "Tony Patton"

Session state may be enabled on a page by page basis with the EnableSessionState attribute of the Page directive. Also, it may be configured for a site via the web.config file. There are a variety of options available when using session state, such as signaling whether cookies are used, storing data in a database, and the length of the timeout.

View state

By default, all pages have view state enabled. The actual data is stored in a hidden field on the form — take a look at a page's source, and you'll quickly find the field hosting the data. The data is not encrypted, so it does present security risks; however, it is Base64 encoded, which doesn't make it easily read by the naked eye.

Like session state, view state may be disabled on the page level via the EnableViewState attribute of the page directive. Likewise, most individual controls have the same property available. It may be disabled for the entire site in the web.config file.

Like the other state objects, the Dictionary approach is used, as the following C# snippet demonstrates:

ViewState["CurrentCount"] = 2;

This entry is maintained for the life of the page; it is gone when the page is no longer loaded. The size of the hidden field used to maintain view state can become large, so disable it whenever it is not needed.

Choosing the right method

The interesting aspect of the many available ASP.NET features is when to use one over another. The choice often depends on the development team's preferences, but there are some guidelines for using one of the options for maintaining state.

If you're worried about bandwidth or server resources, you should remember that session and application states utilize server resources, and view state uses bandwidth to carry that hidden field at all times. With security, the biggest hole is view state; it is available by viewing the page source. All of the states are accessible via your favorite language, but you should keep scope in mind with each approach and choose the one that best fits the situation.

Also, don't forget the older methods of cookies and the query string — they are still viable in certain situations.

Which method do you use?

What method do you prefer? What base functionality of ASP.NET do you feel developers often overlook? Share your thoughts with the Web Developer community by posting to the discussion.

Tony Patton began his professional career as an application developer earning Java, VB, Lotus, and XML certifications to bolster his knowledge.


Get weekly development tips in your inbox Keep your developer skills sharp by signing up for TechRepublic's free Web Developer newsletter, delivered each Tuesday. Automatically subscribe today!

About Tony Patton

Tony Patton has worn many hats over his 15+ years in the IT industry while witnessing many technologies come and go. He currently focuses on .NET and Web Development while trying to grasp the many facets of supporting such technologies in a productio...

Editor's Picks

Free Newsletters, In your Inbox