This section provides a tutorial example on how to manage sessions without using cookies by passing the session ID as a hidden form input value.
To show you an example of managing your own sessions without cookies, I modified my number
game to game_without_cookie.asp:
<script language="vbscript" runat="server">
'  game_without_cookie.asp
'  Copyright (c) 2004 by Dr. Herong Yang
'  This ASP page offers a simple game, relying on the application
'  object and its own session ID to remember the target number.
'
   sessionId = request.QueryString("sessionId")
   response.write("<html><body>")
   if Len(sessionId) = 0 then
      ' New visitor: allocate the next sequential session ID
      sessionId = Cint(application("lastSessionId")) + 1
      application("lastSessionId") = sessionId
      Randomize()
      number = Int(100*Rnd())
      application(sessionId&".number") = number
      response.write("Welcome to the Game Server!<br/>")
      response.write("I have a number between 0 and 100" & _
         " for you to guess.<br/>")
   else
      ' Returning visitor: look up the target number by session ID
      guess = request.QueryString("guess")
      number = application(sessionId&".number")
      if not IsNumeric(guess) then
         ' Reject non-numeric input, which Cint() cannot convert
         response.write("Please enter a number.<br/>")
      elseif Cint(guess) = Cint(number) then
         Randomize()
         number = Int(100*Rnd())
         application(sessionId&".number") = number
         response.write("Congratulations, you win!<br/>")
         response.write("I have another number between 0 and 100" & _
            " for you to guess.<br/>")
      elseif Cint(guess) > Cint(number) then
         response.write("Your guess is too high. Please make" & _
            " another guess.<br/>")
      elseif Cint(guess) < Cint(number) then
         response.write("Your guess is too low. Please make" & _
            " another guess.<br/>")
      end if
   end if
   ' sessionId may come straight from the query string, so HTML-encode
   ' it before writing it back into the page
   safeId = server.HTMLEncode(CStr(sessionId))
   response.write("<form action=game_without_cookie.asp method=get>")
   response.write("<input type=hidden name=""sessionId""" & _
      " value=""" & safeId & """>")
   response.write("Your guess:")
   response.write("<input type=text size=4 name=guess>")
   response.write("<input type=submit name=submit value=Submit>" & _
      "<br/>")
   response.write("</form>")
   response.write("ASP Server session ID is " & session.SessionID & _
      "<br/>")
   response.write("My session ID is " & safeId & "<br/>")
   response.write("</body></html>")
</script>
If you run this page, the game will continue to work even after you turn off the cookie support
of your browser.
Note that:
- My session IDs are generated sequentially. Not very secure.
- For each session, the ID is transferred as a hidden input value of the HTML form that takes
  the user's input.
- The shared information, the target number, is stored in the IIS application object
  with the session ID as part of the key.
- There is no mechanism to detect the end of a session, or an inactive session. So do not
  use this example as a real application. If you do, your server will slowly run out of memory
  as more and more users come to your server.
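
The two weaknesses noted above, sequential session IDs and sessions that never end, can both be closed in the server-side store. The following is an added example, not part of the original tutorial, written in Python rather than ASP so it can rely on a standard-library CSPRNG. The names SessionStore, idle_timeout and clock, and the 600-second default, are assumptions of the example.

```python
import secrets
import time


class SessionStore:
    """Server-side sessions keyed by an unguessable ID, with idle expiry."""

    def __init__(self, idle_timeout=600, clock=time.monotonic):
        self._sessions = {}                # session ID -> (last_seen, data)
        self._idle_timeout = idle_timeout  # seconds; 600 is a constructed default
        self._clock = clock                # injectable so expiry can be tested

    def create(self):
        # 128 bits from the OS CSPRNG: unlike lastSessionId + 1, knowing
        # one valid ID says nothing about anyone else's.
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = (self._clock(), {})
        return sid

    def get(self, sid):
        """Return the session's data dict, or None if unknown or idle too long."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        last_seen, data = entry
        now = self._clock()
        if now - last_seen > self._idle_timeout:
            del self._sessions[sid]        # expired: free the memory now
            return None
        self._sessions[sid] = (now, data)  # activity resets the idle timer
        return data

    def sweep(self):
        """Remove every idle session (run periodically); return how many."""
        now = self._clock()
        stale = [s for s, (seen, _) in self._sessions.items()
                 if now - seen > self._idle_timeout]
        for s in stale:
            del self._sessions[s]
        return len(stale)


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create()                   # value for the hidden sessionId field
    store.get(sid)["number"] = secrets.randbelow(100)
    print(sid, store.get(sid))
    print(store.get("2"))                  # a guessed sequential ID -> None
```

The value returned by create() is what the page would place in the hidden sessionId field; a request carrying an ID that get() does not recognise should be treated as a new visitor.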