ASP.NET State Management Comparison

The following is a chart that I often use in ASP.Net classes to compare State Management options.

	Where?	What?	Who can see	Life span	Issues	New in	Notes
Cookies Request.Cookies Response.Cookies	User's browser or disk	strings	current user	current browser session or set expire date	limited data size (typically 4096 bytes), cookie limit (typically 20 per site)user can disable	ancient history!
Hidden HTML fields	browser	strings	current user	one page postback (one round trip)	limited to text and visible as Page Source text	ancient history!	Easy to hack!
Application	web server RAM (1)	objects	all sessions	until server is restarted	limited by RAM	Classic ASP
Session	web server RAM (1)	objects	current user	end of user's session (Session.Abandon or timeout [default 20 minutes])	limited by RAM	Classic ASP
ViewState	hidden INPUT in page	objects	current user	one page postback (one round trip)	bandwidth and slower page load <i>and</i> post times	ASP.Net 1.0	Can be disabled by the developer (per page, web.config or code)
ControlState	in ViewState	objects	current user	one page postback (one round trip)	Not as simple to use as ViewState	ASP.Net 2.0	Cannot be disabled by the developer using the control
Cache (2)	web server RAM	objects	all sessions	Until: - Expires - a dependency changes - RAM is needed	You must always check to see if the object still exists as cached items are both automatically deleted and are deleted when RAM runs low.	ASP.Net 1.0	Can be used as an Application object that can expire

 

(1) State can be stored in local server RAM (InProc), another server's RAM (StateServer), SQL Server (SQLServer) or a custom destination. For any option other than InProc all objects must be serializable.

(2) Cache is not usually mentioned in lists of state options, but is nearly identical to Application with the addition of expiration.