Pros and Cons of using ASP.NET Session State Server (instead of InProc)?

Question

Before I start using Session State server for the benefit of making session state more robust in my apps compared to InProc state, I\'d like to find a list of Pros and Cons

Answer 1

Disadvantages of Sessions in ASP.NET

• Every variable is stored as Object. That means you need to convert Object to certain type when read session variable.
  

• In addition to this, if session is empty, Object will be null. Before reading session variable, you need to check it for null. Even if variable is initialized before, it could be null because session is expired. An attempt to use null session value could return an exception. If value of session variable is null, common practice is to use some default value instead of meaningless null. If value is not null, you must convert it to appropriate type because all session variables are type of object. When do all this things, you should pay attention to avoid hard coding. More about reading and writing of session variables on scalable and maintainable way you can read in How To Write, Read and Delete Session State Variables tutorial.
  

• Variable name is type of string. If you hard code name of the variable, there is an option to make type mistake somewhere. The problem is, if you try to read session variable that doesn't exist, ASP.NET will not return any exception or warning. It will simply create new variable with wrong name which has null value. These types of errors could be hard to find.
  

• Session data should not be used for storing of sensitive data. There is a possibility that malicious user obtain regular visitor's session id. If session state is used to store information like: "allow access to administration area or not" or something like that, attacker could see website's sensitive data, other's private data, edit database, delete content etc.
  

• If InProc mode is used, sessions easily exhaust all server resources and thus decrease website performances.

StateServer

SQL Server is most reliable of all modes. Session data are intact if ASP.NET restarts, but also if SQL Server restarts.

SQL Server is also most scalable option.

SQL Server is often available in shared hosting scenario

Custom mode

You have complete control over sessions. It is possible to create even custom session id.

You can support different data sources. That could be useful to store session data on other database, like Oracle, MySQL, MS Access etc.

for any other details you can click here to view ASP.NET Session state advantages. hope my answer helped you.! :)