Chapter 33. The System.Web.SessionState Namespace

The System.Web.SessionState namespace provides the types used for session state management, which stores information that is specific to one session or client. Each user accessing an ASP.NET application has a separate session state collection. Session state is ideal for sensitive data (like credit card numbers and mailing addresses) because it is stored exclusively on the server. It is also well suited for complex data (like recordsets, .NET class instances, or COM objects) that cannot be easily serialized to a client-side cookie.

To support session state, each active ASP.NET session is identified and tracked with a unique 120-bit session ID string. Session ID values are created and managed automatically by the ASP.NET framework by using an algorithm that guarantees uniqueness and randomness so that they can’t be regenerated by a malicious user. When a client requests an ASP.NET page, the appropriate ID is transmitted from the client by a cookie or a modified (“munged”) URL. ASP.NET worker processes then retrieve the serialized data from the state server as a binary stream, convert it into live objects, and place these objects into the HttpSessionState class’s key/value collection. This class is the core of the System.Web.SessionState namespace. Most other classes in this namespace are used transparently by the ASP.NET framework, except the IReadOnlySessionState and IRequiresSessionState interfaces, which allow custom System.Web.IHttpHandler ...
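The two transports described above (cookie and munged URL) can be told apart in request logs. This added example is not from the book. It assumes the default cookie name `ASP.NET_SessionId`, the default 24-character ID encoding, and the `(id)` / `(S(id))` URL segment forms, and it classifies constructed requests so that IDs carried in URLs, which end up in logs, browser history and Referer headers, stand out.

```python
import re

# Assumption (not stated on the page): the default ASP.NET ID encoding,
# 24 characters from a 32-symbol alphabet, 5 bits each = 120 bits.
ALPHABET = "abcdefghijklmnopqrstuvwxyz012345"
ID_RE = re.compile(r"[%s]{24}" % ALPHABET)
# Munged URL segment: "(id)" in ASP.NET 1.x, "(S(id))" in later versions.
URL_RE = re.compile(r"/\((?:S\()?([^()/]+)\)?\)/")
COOKIE_NAME = "ASP.NET_SessionId"  # default session cookie name

def id_bits(sid):
    """Return the ID's size in bits, or None if it is not well formed."""
    if ID_RE.fullmatch(sid) is None:
        return None
    return len(sid) * (len(ALPHABET).bit_length() - 1)

def extract(path, cookie_header=""):
    """Return (source, id); source is 'url', 'cookie' or None."""
    m = URL_RE.search(path)
    if m:
        return "url", m.group(1)
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == COOKIE_NAME:
            return "cookie", value
    return None, None

def classify(path, cookie_header=""):
    """Label one request for review."""
    source, sid = extract(path, cookie_header)
    if source is None:
        return "no-session"
    if id_bits(sid) != 120:
        return "malformed-id"  # not an ID the framework would have issued
    return "id-in-url" if source == "url" else "ok"

def audit(requests):
    return [classify(path, cookie) for path, cookie in requests]

# Constructed sample requests (paths and IDs are made up).
SAMPLE = [
    ("/shop/cart.aspx", "ASP.NET_SessionId=abcdefghijklmnopqrstuvwx; theme=dark"),
    ("/shop/(S(a0b1c2d3e4f5a0b1c2d3e4f5))/cart.aspx", ""),
    ("/shop/(abcdefghijklmnopqrstuvwx)/cart.aspx", ""),
    ("/shop/cart.aspx", "ASP.NET_SessionId=AAAA-not-a-real-id"),
    ("/shop/default.aspx", "theme=dark"),
]
```

Where the audit reports `id-in-url`, the `cookieless` attribute of the `<sessionState>` element in web.config is the setting that controls whether IDs are placed in URLs.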
