Session ID Managed as a Cookie

This section provides a tutorial example on how IIS server manages the session ID as a cookie.

I received an interesting question not long ago on ASP session and cookie. The question was "If the user's browser doesn't support cookie or has it turned off, will the ASP's session work properly?".

My answer was no. In this section, I will show you why. In the next section I provide you suggestions on how to manage your own sessions without cookies.

As you can see from previous chapters, the IIS server maintains ASP session with sessions IDs sending to user's browser as cookies. If the browser doesn't support cookies, or has cookie support turned off, it will not send back the sessions IDs as cookies. If the server doesn't receive any session ID, it will treat each browser request as a new session, even if it is a subsequent request from the same user.

To show you how ASP session is related to browser's cookie support, I wrote the following simple number game page:

<script language="vbscript" runat="server">
'  game.asp
'  Copyright (c) 2004 by Dr. Herong Yang
'  This ASP page offers a simple game, relying on the session object
'  to remember the target number.
'
   number = session("number")
   response.write("<html><body>")
   if len(number) = 0 then
      Randomize()
      number = Int(100*Rnd())
      session("number") = number
      response.write("Welcome to the Game Server!<br/>")
      response.write("I have a number between 0 and 100" & _
         " for you to guess.<br/>")
   else
      guess = request.QueryString("guess")
      if Cint(guess) = Cint(number) then
         Randomize()
         number = Int(100*Rnd())
         session("number") = number
         response.write("Congratulations, you win!<br/>")
         response.write("I have another number between 0 and 100" & _
            " for you to guess.<br/>")
      elseif Cint(guess) > Cint(number) then
         response.write("Your guess is too high. Please make" & _
            " another quess.<br/>")
      elseif Cint(guess) < Cint(number) then
         response.write("Your guess is too low. Please make" & _
            " another quess.<br/>")
      end if
   end if
   response.write("<form action=game.asp method=get>")
   response.write("Your guess:")
   response.write("<input type=text size=4 name=guess>")
   response.write("<input type=submit name=submit value=Submit>" & _
      "</br>")
   response.write("</form>")
   response.write("Your session ID is " & session.SessionID & _
      "<br/>")
   response.write("</body></html>")
</script>

Now put this page on the IIS of your local system. If you run IE (Internet Explorer) browser with the default options, you should be able run this game with no problem. You should get only one session ID during your entire game session, no matter how many time you click the submit button and trigger the browser to send requests to the server.

In order to see how my game ASP will behave if the cookie support in IE is turned off, I need to open IE, select the "Tools" menu, then select the "Internet Options" command to get "Internet Options" dialog box. On the option dialog box, you need to select the "Privacy" tab, and move the privacy setting to the "Medium" level. Then you need to click the "Edit" button in the override section. On the override dialog box, you need to enter "127.0.0.1" in the "Address of Web site" field, and click "Block". Finally, you need to click the "OK" button to close both dialog boxes.

Now run IE with "http://127.0.0.1/game.asp" to access my game ASP page, you will get the welcome message. This is correct, since you are accessing the page for the first time, the ASP server assigns you a new session. But if you enter a guess number and click the "Submit" button, you will get the welcome message again, with a new session ID. If you keep entering guess numbers, you will always get the welcome message, and different session IDs. Why? Because IE is not sending sessions IDs back to the server any more. So the server will create a new session each time, and my game page will initiate a number and display the welcome message each time.

Note that:

Last update: 2004.

Table of Contents

 About This Book

 ASP (Active Server Pages) Introduction

 IIS (Internet Information Services) 5.0

 MS Script Debugger

 VBScript Language

 ASP Built-in Run-time Objects

 ASP Session

 Creating and Managing Cookies

Managing Sessions with and without Cookies

Session ID Managed as a Cookie

 Session Management Considerations

 Managing Sessions without Cookies

 scrrun.dll - Scripting Runtime DLL

 Managing Response Header Lines

 Calculation Speed and Response Time

 ADO (ActiveX Data Object) DLL

 Working with MS Access Database

 Guest Book Application Example

 References

 PDF Printing Version