The following is a chart that I often use in ASP.Net classes to compare State Management options.
|Where?||What?||Who can see||Life span||Issues||New in||Notes|
|User's browser or disk||strings||current user||current browser session or set expire date||limited data size (typically 4096 bytes), cookie limit (typically 20 per site)user can disable||ancient history!|
|Hidden HTML fields||browser||strings||current user||one page postback (one round trip)||limited to text and visible as Page Source text||ancient history!||Easy to hack!|
|Application||web server RAM (1)||objects||all sessions||until server is restarted||limited by RAM||Classic ASP|
|Session||web server RAM (1)||objects||current user||end of user's session (Session.Abandon or timeout [default 20 minutes])||limited by RAM||Classic ASP|
|ViewState||hidden INPUT in page||objects||current user||one page postback (one round trip)||bandwidth and slower page load <i>and</i> post times||ASP.Net 1.0||Can be disabled by the developer (per page, web.config or code)|
|ControlState||in ViewState||objects||current user||one page postback (one round trip)||Not as simple to use as ViewState||ASP.Net 2.0||Cannot be disabled by the developer using the control|
|Cache (2)||web server RAM||objects||all sessions||Until:|
- a dependency changes
- RAM is needed
|You must always check to see if the object still exists as cached items are both automatically deleted and are deleted when RAM runs low.||ASP.Net 1.0||Can be used as an Application object that can expire|
(1) State can be stored in local server RAM (InProc), another server's RAM (StateServer), SQL Server (SQLServer) or a custom destination. For any option other than InProc all objects must be serializable.
(2) Cache is not usually mentioned in lists of state options, but is nearly identical to Application with the addition of expiration.