This section provides basic guidelines on how to manage sessions.
As you can see from the previous section, IIS ASP server will not be able to manage session
state for you without cookie support from the browser. In that case you should
consider designing your own session management system.
To design a session management system, we need to understand what the basic requirements
and options are:
1. Session: An abstract representation of a sequence of pairs of HTTP requests and
responses between a user and the ASP server. The sequence of requests and responses
needs to be linked together to be able to share information. In my number game example,
I need a session to share the same target number from request to request.
2. Session ID: A unique number used to identify each session. Session IDs could be generated
sequentially as 1, 2, 3, ..., n, but that is a security concern, because one user could
easily guess the ID of another session on the server and fake a browser request with that
ID to steal the information of that other session. So session IDs should be generated randomly,
and encrypted.
3. Session ID Transfer: Once a session ID is generated, it needs to be transferred
to the browser, and the browser should send the session ID back in the next request.
We already know that one way of transferring the session ID is to use a cookie, as
IIS ASP server does. Another way is to embed the session ID in the URL of the next request.
For example:
Another way is to embed the session ID in an HTML form as a hidden field of the next page,
so that when the user submits the page, the session ID will be included in the request as
part of the user data. For example:
<input type="hidden" name="sessionId" value="nnnnnn">
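The three transfer channels above (cookie, URL query string, hidden form field) all end up as text inside the next HTTP request, and the server has to pull the ID back out of whichever one the browser used. The following is an added example, not code from the original page; it assumes the field is named sessionId as in the hidden-input example and uses only the Python standard library. The shape check at the end is the caveat a practitioner wants before the ID is used as a file name or collection key in the storage step: an ID that arrives from the client must be treated as untrusted input.

```python
import re
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

# Field name shared by all three channels; matches the page's hidden input.
SESSION_FIELD = "sessionId"

# Accept only the character set a server-generated ID would contain (assumed
# format: URL-safe base64 without padding, 16 to 64 characters).
_ID_SHAPE = re.compile(r"^[A-Za-z0-9_-]{16,64}$")


def session_id_from_cookie(cookie_header):
    """Return the session ID carried in a Cookie request header, or None."""
    if not cookie_header:
        return None
    jar = SimpleCookie()
    jar.load(cookie_header)          # malformed entries are silently skipped
    morsel = jar.get(SESSION_FIELD)
    return morsel.value if morsel else None


def session_id_from_url(url):
    """Return the session ID embedded in the query string of a URL, or None."""
    values = parse_qs(urlsplit(url).query).get(SESSION_FIELD)
    return values[0] if values else None


def session_id_from_form(body):
    """Return the session ID posted from a hidden field in an
    application/x-www-form-urlencoded request body, or None."""
    if not body:
        return None
    values = parse_qs(body).get(SESSION_FIELD)
    return values[0] if values else None


def is_well_formed_id(session_id):
    """True if the ID looks like one the server could have issued."""
    return bool(session_id) and _ID_SHAPE.match(session_id) is not None


def find_session_id(cookie_header=None, url=None, form_body=None):
    """Check the channels in order (cookie, URL, form) and return the first
    well-formed ID, or None if the request carries none."""
    for candidate in (session_id_from_cookie(cookie_header),
                      session_id_from_url(url),
                      session_id_from_form(form_body)):
        if candidate and is_well_formed_id(candidate):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed sample request pieces, one per channel.
    print(find_session_id(cookie_header="sessionId=abcdefghijklmnop1234; theme=dark"))
    print(find_session_id(url="/game.asp?sessionId=qrstuvwxyzABCDEF5678&guess=42"))
    print(find_session_id(form_body="guess=42&sessionId=GHIJKLMNOPQRSTUV9012"))
```

Rejecting malformed IDs here means the file-based store described later never builds a path from arbitrary client text, and it turns a guessed or tampered ID into a plain "no session" result rather than an error.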
4. Storing Session Information: As you know, the main purpose of introducing sessions is to store
information to be shared from request to request, so we need to find a place to store session
information. IIS ASP server offers you a session object with an open
collection that allows you to store information, but that is how IIS manages sessions for you.
We cannot use it in our own session management.
One way to store session information is to use the server file system. When information needs
to be shared with the next request, write it to a file and label it with the current session ID.
When handling the next request, you can read it back based on the session ID.
Another way to store session information is to use the application object offered by IIS ASP
server. The application object has an open collection; you can store any information in it and
label it with the current session ID.
When handling the next request, you can read it back based on the session ID.
Of course, you should also consider how to delete the stored information when a session is
terminated. Otherwise your storage will keep growing as users come to your
server.
You should also consider a mechanism to expire inactive sessions, because users may abandon
their sessions at any time in the middle of the request sequence.
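Items 2 and 4 together with the two closing points (deletion on termination, expiry of inactive sessions) describe one design: an unguessable ID, a store keyed by that ID, and housekeeping. The example below is added here and is not code from the original page. It keeps the store in memory, which stands in for the file system or the ASP Application object (the ID would be the file name or the collection key there). Where the page says the ID should be "encrypted", this example instead appends an HMAC tag so that a forged or altered ID is rejected before any lookup; the server key, the 20-minute timeout and the injectable clock are assumptions made so the code runs and can be tested offline.

```python
import hashlib
import hmac
import secrets
import time

# Server-side secret used to tag session IDs. Constructed value for the example;
# a real deployment loads it from protected configuration, never from source.
SERVER_KEY = b"replace-with-a-long-random-secret"

# Seconds of inactivity after which a session is considered abandoned (assumed).
SESSION_TIMEOUT = 20 * 60


def new_session_id():
    """Random ID from the OS CSPRNG. A sequential counter would let one user
    guess another user's ID; 24 random bytes (32 URL-safe characters) do not."""
    return secrets.token_urlsafe(24)


def sign_session_id(session_id):
    """Token sent to the browser: the ID plus an HMAC-SHA256 tag over it."""
    tag = hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()
    return f"{session_id}.{tag}"


def verify_session_token(token):
    """Return the session ID if the tag checks out, else None.
    compare_digest avoids leaking the tag through timing differences."""
    session_id, sep, tag = token.rpartition(".")
    if not sep or not session_id:
        return None
    expected = hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()
    return session_id if hmac.compare_digest(expected, tag) else None


class SessionStore:
    """Session data keyed by ID, with idle expiry and explicit termination."""

    def __init__(self, timeout=SESSION_TIMEOUT, clock=time.time):
        self._sessions = {}      # session_id -> {"data": {...}, "last_seen": float}
        self._timeout = timeout
        self._clock = clock      # injectable so expiry can be tested without sleeping

    def create(self, **data):
        """Start a session (e.g. target number for the number game) and return its token."""
        sid = new_session_id()
        self._sessions[sid] = {"data": dict(data), "last_seen": self._clock()}
        return sign_session_id(sid)

    def get(self, token):
        """Return the session's data, or None for an invalid, unknown or expired
        token. An expired entry is deleted on the spot; a live one is refreshed."""
        sid = verify_session_token(token)
        if sid is None or sid not in self._sessions:
            return None
        entry = self._sessions[sid]
        if self._clock() - entry["last_seen"] > self._timeout:
            del self._sessions[sid]
            return None
        entry["last_seen"] = self._clock()
        return entry["data"]

    def terminate(self, token):
        """Delete the stored information when the user ends the session."""
        sid = verify_session_token(token)
        if sid is not None:
            self._sessions.pop(sid, None)

    def expire_inactive(self):
        """Housekeeping sweep for sessions users abandoned; returns the count removed."""
        now = self._clock()
        stale = [sid for sid, e in self._sessions.items()
                 if now - e["last_seen"] > self._timeout]
        for sid in stale:
            del self._sessions[sid]
        return len(stale)

    def count(self):
        return len(self._sessions)


if __name__ == "__main__":
    store = SessionStore()
    token = store.create(target=42)          # first request of the number game
    print(store.get(token))                  # next request shares the target number
    store.terminate(token)
    print(store.count())
```

The sweep in expire_inactive is what keeps storage from growing without bound when users simply walk away; on IIS it would run from a scheduled job or on a fraction of incoming requests, and with a file-based store it would delete the session files whose modification time is older than the timeout.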