ASP.Net server-side session state store

If you are stuck with dated using .Net technologies and are not able to use stateless web applications the following details might be of use.

ASP.Net has many ways to store session data information, below are a few of them:

Application State

  • One per web application server
  • Used to hold static data (not preferred, use caching instead)
  • First initialized in Application_Start event (Global.asx)

Session State

  • One per session (session is established per client)
  • First initialized in Session_Start event (Global.asx)
  • Uses cookies to save session metadata (can be configured to be cookie-less)
  • Session data can also be stored in a database (ASP.Net state database)
  • ASP.Net pipeline can detect cookie/ load cookie data


  • Stores on the client-side as 64 bit encoded string (4096 byte limit)
  • Is not safe store, values stored in cookies can be accessed by a client
  • Cookies can be disabled by the client

Query String

  • Visible in Url (?[key1]=[value1]& …)
  • Values stored as key: value pairs
  • Values must be encoded in base64

Items State

  • Part of the HttpContext in ASP.Net Http page handlers
  • Stores per request data
  • Useful for server.transfer (and passing data downstream request)


  • Only retains data on post-back
  • Data is serialized and stored inline HTML
  • Not secure and slows requests

Cross-Page Posting

  • Only in ASP.Net 2.0 or greater
  • Context can reference the previous page that initiated postback.