LANGUAGES: VB .NET | C#
Session Variables and Validation Controls
Should you use Session Variables in sites with lots of users? How can you keep input numeric-only?
By Josef Finsel
Q: Is it a good idea to use Session Variables with ASP.NET and more than 1,000 users?
A: It depends on what you're storing in the session variables and how you define "more than 1,000 users." The problem you're really grappling with is the session-less nature of the Internet. Specifically, there are only two ways to get rid of session data: having it time out or deleting it. If you have a logoff page for your customers, you want to make sure you set the session variables to nothing to free up the memory. If you don't, the memory won't be freed until the user's session has timed out - by default, that's 20 minutes of inactivity.
Let's take a quick look at the implications this can have. Suppose you have 500 new users every minute and they hang around for five minutes or so before they leave. If you don't remove the sessions somehow (having them log off, for example), you're going to end up with memory being used for a lot more active sessions than really exist. Although you might think you'd have 2,500 active sessions (500 sessions x five minutes), you'd actually have 12,500! Why? Because the first 500 sessions don't drop off until 25 minutes into the timeframe (assuming all 500 stop using the service after five minutes). And if each session uses 2.5 kb of memory, you'll use 30 mb before half an hour is up - even though most of those sessions aren't in use.
So, using session variables for active sessions isn't a problem unless the active sessions aren't really active. This is one of those cases where you'll have to try it and see. If your site is big enough, you'll probably need to institute a Web farm, which will spread the session variables across multiple machines and lessen your worries.
Q: How can I prevent numbers from being entered into a textbox that is supposed to take alphabetic characters only?
A: You'll want to use Validation controls to do this. Steven Smith has an in-depth article on validation controls at http://www.aspnetpro.com/features/2002/07/asp200207vd_f/asp200207vd_f.asp, but we'll take a moment to look at the regular expression validator you'd need here.
The regular expression we will deal with takes this form: ^[a-zA-Z0-9 ]+$. The ^ (caret) symbol indicates the beginning of the match string, and the $ (dollar sign) represents the end of the string. Anything within the  (square brackets) is an allowable match. Using "a-z" is a shortcut that reads the set of characters "a" to "z," inclusive. Finally, the + (plus sign) after the  indicates that the expression may occur any number of times. Figure 1 shows this being used in a practical example (you can download the sample application in VB and C#).
<form id="RegExSample" method="post" runat="server">
ErrorMessage="Must be AlphaNumeric but not contain any spaces"
<asp:TextBox id="txtNumeric" runat="server">
ErrorMessage="Must be 0-9 only"
<asp:TextBox id="txtAlpha" runat="server">
ErrorMessage="Must be Alpha only, may contain spaces"
Figure 1. This form has textboxes with regular expression validators for alphanumeric text, numeric text, and alphanumeric text without spaces.
In this form, you have three textboxes labeled txtAlphaNumeric, txtNumeric, and txtAlpha; you also have a RegularExpressionValidator after each textbox. There are three properties of the RegularExpressionValidator that need to be filled in: ControlToValidate, ErrorMessage, and ValidationExpression. When the control in any of these textboxes loses focus, the validator compares the data in the textbox with the regular expression in the ValidationExpression property. For example, in the txtNumeric TextBox, you want it only to contain numeric data, so ValidationExpression is set to "^[0-9]+$" and the ErrorMessage property is set to "Must be Numeric only."
You can learn more about regular expressions at http://www.aspnetpro.com/features/2002/09/asp200209ss_f/assp200209ss_f.asp.
Have a question? Send it to [email protected].
The files referenced in this article are available for download.
Josef Finsel is a software consultant with G.A. Sullivan, specializing in .NET and SQL Server. He has published a number of VB, .NET, and SQL Server-related articles, and, when he isn't hanging around the aspnetPRO forums, you can find him working on the syntax for FizzBin.NET - a programming language that works the way programmers have always suspected. He's also author of The Handbook for Reluctant Database Administrators (Apress).