    Managing Session with and without Cookies

    Posted: 2007-06-25 10:51:37

    I received an interesting question not long ago on ASP sessions and cookies: "If the user's browser doesn't support cookies, or has them turned off, will ASP sessions still work properly?"

    My answer was no. In this chapter, I will show you why, and offer suggestions on how to manage your own sessions without cookies.

    ASP Session State and Cookies

    As you can see from the "ASP Sessions" chapter, the IIS server maintains ASP sessions by sending session IDs to the user's browser as cookies. If the browser doesn't support cookies, or has cookie support turned off, it will not send the session ID back as a cookie. If the server doesn't receive a session ID, it treats each browser request as a new session, even if it is a subsequent request from the same user.

    To show how ASP sessions depend on the browser's cookie support, I wrote the following simple number game page:

    <script language="vbscript" runat="server">
    '  game.asp
    '  Copyright (c) 2004 by Dr. Herong Yang
    '  This ASP page offers a simple game, relying on the session object
    '  to remember the target number.
    '
       number = session("number")
       response.write("<html><body>")
       if len(number) = 0 then
          ' No number stored yet: this is a new session, pick a target
          Randomize()
          number = Int(100*Rnd())
          session("number") = number
          response.write("Welcome to the Game Server!<br/>")
          response.write("I have a number between 0 and 100" & _
             " for you to guess.<br/>")
       else
          guess = request.QueryString("guess")
          if not IsNumeric(guess) then
             ' Cint("") raises a type mismatch, so reject bad input first
             response.write("Please enter a whole number.<br/>")
          elseif Cint(guess) = Cint(number) then
             Randomize()
             number = Int(100*Rnd())
             session("number") = number
             response.write("Congratulations, you win!<br/>")
             response.write("I have another number between 0 and 100" & _
                " for you to guess.<br/>")
          elseif Cint(guess) > Cint(number) then
             response.write("Your guess is too high. Please make" & _
                " another guess.<br/>")
          elseif Cint(guess) < Cint(number) then
             response.write("Your guess is too low. Please make" & _
                " another guess.<br/>")
          end if
       end if
       response.write("<form action=game.asp method=get>")
       response.write("Your guess:")
       response.write("<input type=text size=4 name=guess>")
       response.write("<input type=submit name=submit value=Submit>" & _
          "<br/>")
       response.write("</form>")
       response.write("Your session ID is " & session.SessionID & _
          "<br/>")
       response.write("</body></html>")
    </script>
    

    Now put this page on the IIS of your local system. If you run the IE (Internet Explorer) browser with the default options, you should be able to run this game with no problem. You should get only one session ID during your entire game session, no matter how many times you click the submit button and make the browser send requests to the server.

    In order to see how my game ASP behaves when cookie support in IE is turned off, open IE, select the "Tools" menu, then select the "Internet Options" command to get the "Internet Options" dialog box. In the dialog box, select the "Privacy" tab, and move the privacy setting to the "Medium" level. Then click the "Edit" button in the override section. In the override dialog box, enter "127.0.0.1" in the "Address of Web site" field, and click "Block". Finally, click the "OK" button to close both dialog boxes.

    Now run IE with "http://127.0.0.1/game.asp" to access my game ASP page, and you will get the welcome message. This is correct: since you are accessing the page for the first time, the ASP server assigns you a new session. But if you enter a guess number and click the "Submit" button, you will get the welcome message again, with a new session ID. If you keep entering guess numbers, you will always get the welcome message, and a different session ID each time. Why? Because IE is no longer sending session IDs back to the server. So the server creates a new session for each request, and my game page picks a new number and displays the welcome message each time.

    Note that:

    • The IIS ASP server is able to maintain session state from one request to the next because it sends the session ID to the browser as a cookie in each response, and the browser sends the session ID back as a cookie in each request.
    • Without cookies, the IIS ASP server receives the browser's requests without session IDs. It creates a new session object for each request and cannot maintain session state for you.
    • I am asking you to block "127.0.0.1", not "localhost", because the blocking mechanism does not seem to work for host names without a domain name.

    Managing Your Own Session State

    As you can see from the previous section, the IIS ASP server cannot manage session state for you without cookie support in the browser. In that case you should consider designing your own session management system.

    To design a session management system, we need to understand the basic requirements and options:

    1. Session: An abstract representation of a sequence of pairs of HTTP requests and responses between a user and the ASP server. The sequence of requests and responses needs to be linked together to be able to share information. In my number game example, I need a session to share the same target number from request to request.

    2. Session ID: A unique number used to identify each session. Session IDs could be generated sequentially as 1, 2, 3, ..., n. But this is a security concern, because one user could easily guess the ID of another session on the server and forge a browser request with that ID to steal the other session's information. So session IDs should be generated randomly, and encrypted.

    3. Session ID Transfer: Once a session ID is generated, it needs to be transferred to the browser, and the browser should send the session ID back in the next request. We already know that one way of transferring the session ID is to use a cookie, as the IIS ASP server does. Another way is to embed the session ID in the URL of the next request. For example:

    <a href="NextPage.asp?sessionId=nnnnnn">Next Page</a>
    

    Another way is to embed the session ID in an HTML form on the next page as a hidden value, so that when the user submits the form, the session ID is included in the request as part of the user data. For example:

    <input type=hidden name=sessionId value=nnnnnn>
    

    4. Storing Session Information: As you know, the main purpose of introducing sessions is to store information to be shared from request to request. So we need to find a place to store session information. If you look at the IIS ASP server, it offers you a session object with an open collection that allows you to store information. But that is how IIS manages sessions for you; we cannot use it in our own session management.

    One way to store session information is to use the server file system. When information needs to be shared with the next request, write it to a file and label it with the current session ID. When handling the next request, you can read it back based on the session ID.

    Another way to store session information is to use the application object offered by the IIS ASP server. The application object has an open collection; you can store any information in it and label it with the current session ID. When handling the next request, you can read it back based on the session ID.

    Of course you should also consider how to delete the stored information when a session is terminated. Otherwise, your storage will grow and grow as users keep coming to your server.

    You should also consider a mechanism to expire inactive sessions, because users may abandon their sessions at any time in the middle of the request sequence.

    To show you an example of managing your own sessions without cookies, I modified my number game into game_without_cookie.asp:

    <script language="vbscript" runat="server">
    '  game_without_cookie.asp
    '  Copyright (c) 2004 by Dr. Herong Yang
    '  This ASP page offers a simple game, managing its own session ID and
    '  relying on the application object to remember the target number.
    '
       sessionId = request.QueryString("sessionId")
       response.write("<html><body>")
       if Len(sessionId) = 0 then
          ' No session ID in the request: start a new session. Lock the
          ' application object so two concurrent requests cannot get the
          ' same ID; CLng avoids the 32767 limit of CInt.
          application.Lock
          sessionId = CLng(application("lastSessionId")) + 1
          application("lastSessionId") = sessionId
          application.UnLock
          Randomize()
          number = Int(100*Rnd())
          application(sessionId&".number") = number
          response.write("Welcome to the Game Server!<br/>")
          response.write("I have a number between 0 and 100" & _
             " for you to guess.<br/>")
       else
          guess = request.QueryString("guess")
          number = application(sessionId&".number")
          if not IsNumeric(guess) then
             ' Cint("") raises a type mismatch, so reject bad input first
             response.write("Please enter a whole number.<br/>")
          elseif Cint(guess) = Cint(number) then
             Randomize()
             number = Int(100*Rnd())
             application(sessionId&".number") = number
             response.write("Congratulations, you win!<br/>")
             response.write("I have another number between 0 and 100" & _
                " for you to guess.<br/>")
          elseif Cint(guess) > Cint(number) then
             response.write("Your guess is too high. Please make" & _
                " another guess.<br/>")
          elseif Cint(guess) < Cint(number) then
             response.write("Your guess is too low. Please make" & _
                " another guess.<br/>")
          end if
       end if
       response.write("<form action=game_without_cookie.asp method=get>")
       ' Transfer the session ID to the next request as a hidden form value
       response.write("<input type=hidden name=""sessionId""" & _
          " value=""" & sessionId & """>")
       response.write("Your guess:")
       response.write("<input type=text size=4 name=guess>")
       response.write("<input type=submit name=submit value=Submit>" & _
          "<br/>")
       response.write("</form>")
       response.write("ASP Server session ID is " & session.SessionID & _
          "<br/>")
       response.write("My session ID is " & sessionId & "<br/>")
       response.write("</body></html>")
    </script>
    

    If you run this page, the game will continue to work even after you turn off cookie support in your browser.

    Note that:

    • My session IDs are generated sequentially. Not very secure.
    • For each session, the ID is transferred as a hidden input value of the HTML form that takes the user's input.
    • The shared information, the target number, is stored in the IIS application object with the session ID as part of the key.
    • There is no mechanism to detect the end of a session, or an inactive session. So do not use this example in a real application. If you do, your server will slowly run out of memory as more and more users come to your server.
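    The requirements listed in the previous section (random session IDs, ID transfer in the request, server-side storage keyed by the ID, deletion and expiry of inactive sessions) and the four weaknesses noted above can be addressed in one small session store. The following is an added example written for this chapter in Python, not the author's ASP code: the store and the handle_guess function are hypothetical, the session ID comes from the OS random source instead of a counter, and idle sessions are expired on lookup or by a periodic sweep.

```python
import random
import secrets
import time

class SessionStore:
    def __init__(self, idle_timeout=20 * 60, clock=time.monotonic):
        self._sessions = {}            # sid -> {"data": {...}, "last_seen": float}
        self._timeout = idle_timeout   # seconds of inactivity before expiry
        self._clock = clock            # injectable so a test can advance time

    def create(self):
        # 256 bits from the OS CSPRNG: unlike a 1, 2, 3, ... counter, one user
        # cannot derive another user's session ID from their own.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"data": {}, "last_seen": self._clock()}
        return sid

    def lookup(self, sid):
        """Return the session's data dict, or None if unknown or expired."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if self._clock() - entry["last_seen"] > self._timeout:
            del self._sessions[sid]            # inactive session: discard it
            return None
        entry["last_seen"] = self._clock()     # sliding expiry on each request
        return entry["data"]

    def sweep(self):
        # Drop every idle session so the store does not grow without bound.
        now = self._clock()
        stale = [s for s, e in self._sessions.items()
                 if now - e["last_seen"] > self._timeout]
        for s in stale:
            del self._sessions[s]
        return len(stale)

def handle_guess(store, params, rng=random):
    """One game request; a missing, unknown or expired sessionId starts afresh."""
    sid = params.get("sessionId", "")
    data = store.lookup(sid)
    if data is None:
        sid = store.create()
        store.lookup(sid)["number"] = rng.randrange(100)
        return sid, "Welcome to the Game Server!"
    guess = params.get("guess", "")
    if not guess.isdigit():                    # the ASP page's Cint("") would raise
        return sid, "Please enter a whole number."
    g, n = int(guess), data["number"]
    return sid, "You win!" if g == n else ("Too high." if g > n else "Too low.")
```

    The returned sid is what the page would place in the hidden sessionId field of the next form; a request carrying an ID the server never issued simply gets a new session rather than another user's target number.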
