32

I expect that if controller has attribute SessionStateBehavior.ReadOnly then I can't change session variables inside this controller but I can change values.

I try this code

 [SessionState(System.Web.SessionState.SessionStateBehavior.ReadOnly)]
    public class GLobalController : Controller
    {
      public  ActionResult Index()
        {
            Session["xxx"] = DateTime.Now.ToString();
            return View();
        }
Himanshu Jansari
  • 28,446
  • 26
  • 101
  • 128
user1223234
  • 323
  • 1
  • 3
  • 5
  • 1
    Take a look at [this question](http://stackoverflow.com/questions/8939188/writing-to-a-read-only-session-in-mvc-3). If I'm understanding your question correctly, the Q/A at that link explains it well. – Alex Schimp Sep 05 '12 at 01:17
  • lets check for AJAX request http://johnculviner.com/asp-net-concurrent-ajax-requests-and-session-state-blocking/ – MSTdev Oct 12 '16 at 11:48

3 Answers3

31

see Writing to a read only session in MVC 3+

That post claims the behavior is inconsistent. I am definitely able to write to Session in Controllers using ReadOnly.

I Would treat it like this:

  • Required means you are requesting a exclusive lock on Session (i.e. no parallel processing of requests for the same sessionID)
  • ReadOnly means you are requesting a non-exclusive lock on Session (i.e. your request still has to wait for requests with an exclusive lock to finish, but you can process requests with non-exclusive locks in parallel. However it is up to you to ensure that your code doesn't write to Session. It's not necessarily enforced by the framework)

    I realize this is counter to http://msdn.microsoft.com/en-us/library/system.web.sessionstate.sessionstatebehavior.aspx

    Read-only session state is enabled for the request. This means that session state cannot be updated.

    but it seems you in fact can update session state under some scenarios.

    • Community
    • 1
    • 1
    turnhose
    • 458
    • 5
    • 7
    • after implement this to my mvc5 application throw me this error "https://stackoverflow.com/questions/14249269/asp-net-application-throws-system-nullreferenceexception-from-session-remove-imp/49439136" i cant able to replicate can you please help me? – jayrag pareek May 28 '21 at 04:56
    12

    According to Patrick Y. Ng (Software Engineer at Microsoft) who designed and developed the Session State engine of ASP.NET:

    Even though EnableSessionState is marked as ReadOnly, in InProc state the user can still modify the session. The only difference is that the session will not be locked during the request. This limitation is by-design. And I'm sorry that it’s not documented in MSDN.

    There is much more useful information about session state in this post. It is really worth reading.

    piter entity
    • 346
    • 2
    • 11
    0

    This is just my interpretation:

    I see that you can add to Session during the action method - after all Session is just a dictionary really. However the session is not saved at the end.

    It does seem like it ought to throw an exception, but perhaps since this feature came later to the framework they decided against checking every time.

    Results may vary also depending upon what session state storage you are using (inproc / sql server).

    Simon_Weaver
    • 120,240
    • 73
    • 577
    • 618