State Management In Razor Pages

Managing state in Razor Pages is the process of retaining user or application-related data over the duration of a number of requests.

HTTP is a stateless protocol. Being stateless, there is no requirement placed on HTTP (Web) Servers to retain information about each request or user. By default, multiple requests from the same user are treated as a series of independent and isolated transactions. In fact, the server has no concept of a "user" as such. If you want to retain user or application-related data over a number of requests, you have to implement strategies for managing that yourself.

Razor Pages, along with its underlying MVC framework provides a number of mechanisms for retaining information (or state) across requests, each with its benefits and drawbacks:

Hidden Form Fields

A hidden form field is a form field that is not visible to the user. However, its value is included in the collection passed back to the server when the form is submitted. You use the input type="hidden" HTML element or input taghelper to add a hidden field to a form, or you can use the Html.Hidden() or Html.HiddenFor() helper methods.

Hidden field values are typically set from client-side or server-side code. While a hidden field is not visible to the user, that does not make it secure. Values are stored and transmitted in plain text and are accessible in the HTTP request as well as the HTML source that your browser makes available to you. You should not use hidden fields to store sensitive data. Since they form part of the DOM, hidden fields are not tamper-proof, and their values should really be validated just like any other user input. As with any form field, if the POST method is used, there is no limit to the number of characters that can be stored in a hidden field.

You can read more about using forms in Razor Pages here.

Query Strings

A query string is a collection of name/value pairs which are appended to a URL. They are separated from the location of the resource by a question mark ?. An example might look like this:

Each name/value pair is separated from the others by the & sign. The values are obtained from the Query property of the HttpRequest object, which is exposed in a Razor page via the Request property. For example, Request.Query["name1"] will yield value1.

Values are passed from one page to another as query string values automatically if you have a form that uses the GET method. The Razor Pages framework will pass values as query strings if you add route values that aren't included in the template for the route.

The following route template defines a route parameter named name1 in a page called Query.cshtml:

@page "{name1}"
@model QueryModel

In the next snippet, the user is redirected to to the Query page with two route values provided:

public IActionResult OnGet()
    return RedirectToPage("Query", new { name1 = "value1", name2 = "value2" });

The resulting URL shows how name2 and its associated value is appended as a query string name/value pair, while the route value that's catered for in the template is passed as a segment: http://localhost:xxx/Query/value1?name2=value2

Like hidden fields, query strings should not be used for sensitive data and it is even easier for a user to manipulate query string values so input validation is really important. Just because you generated the query string from your code, that doesn't mean that a malicious user can't generate their own or alter yours in their browser address bar. Unvalidated query string values are the primary route to attacks on web sites. Most browsers limit query strings to around 2000 characters so they are not suitable for managing large amounts of data. However, search engines can follow links with query string values and index their location.

Route Data

Route Data is also passed from one page to another via the URL. You can read more about route data here


Cookies are small pieces of text that are passed between browser and web server with every request and are commonly used to store relatively small amounts of data. Read about how to use cookies in a Razor Pages application.


TempData is a container for short-life data that is only intended to be used or read once. More details on how TempData works in Razor Pages can be found here

Session Variables

Session State provides a mechanism that enables you to tie together requests from the same user for a limited period - the duration of a session. As such, you can store user-related values and retrieve them at any stage during a session. Full details on using Sessions within Razor Pages can be found here

Application Variables

Previous versions of ASP.NET provided APIs for storing and retrieving values globally, which revolved around usage of a dictionary-like structure represented by the System.Web.HttpApplicationState object. ASP.NET Core doesn't offer anything equivalent to this. Instead, you are encouraged to implement your own solutions for managing data globally.


Caching is primarily used to improve performance in applications, but can also be used in web applications as a state management strategy. An overview of caching in Razor Pages is available here

Last updated: 26/06/2023 08:09:36

© 2018 - 2024 - Mike Brind.
All rights reserved.
Contact me at