Software developer can instruct ASP.NET to use a SQL database to store session information with option SqlServer: When software developer is going to use this mode, the objects he store in the session state must be serializable. Otherwise ASP.NET will not be able to store the object in the database.

C# 8.0 and .NET Core 3.0 – Modern Cross-Platform Development: Build applications with C#, .NET Core, Entity Framework Core, ASP.NET Core, and ML.NET using Visual Studio Code, 4th Edition
ASP.NET Core 3 and Angular 9: Full stack web development with .NET Core 3.1 and Angular 9, 3rd Edition
C# in Depth, 4th Edition


<?xml version=”1.0” encoding=”utf-8” ?>
     <!— other settings are omitted. —>
        cookieless=”AutoDetect” cookieName=”ASP.NET_SessionID”
        sqlConnectionString=”data source=;Integrated Security=SSPI”
        sqlCommandTimeout=”30” allowCustomSqlDatabase=”false”


SQL Server database is identified by the sqlConnectionString attribute. This is the slowest, but the most robust state store. To use this method, software developer will need to have an installed SQL Server. Software developer has to specify the data source (the server address) and a user ID and password, unless he’s using SQL integrated security.
In addition, software developer need to install the special stored procedures and temporary session databases. These stored procedures will take care of storing and restoring the session information. ASP.NET includes a Transact-SQL script called InstallSqlState.sql which is in C:\[WinDir]\Microsoft.Net\Framework\[Version] folder. The script can be executed only once using OSQL.exe or Query Analyzer.
By default the database is always named ASPState. As a result, the connection string in the web.config simply specifies the location of the server and type of the authentication that will be used:

sqlConnectionString=”data source=;Integrated Security=SSPI”

If software developer wants to use a different database he has to use the following:

allowCustomSqlDatabase=”true” sqlConnectionString=”data source=;Integrated Security=SSPI;Initial Catalog= CustDatabase”

With the option SqlServe, software developer can also set an option sqlCommandTimeout which specifies the maximum number of seconds to wait for the database to respond before canceling the request. The default value is 30 seconds.