Session Management Considerations

This section provides basic guidelines on how to manage sessions.

As you can see from the previous section, the IIS ASP server cannot manage session state for you without cookie support from the browser. In that case you should consider designing your own session management system.

To design a session management system, we need to understand what the basic requirements and options are:

1. Session: An abstract representation of a sequence of pairs of HTTP requests and responses between a user and the ASP server. The sequence of requests and responses needs to be linked together to be able to share information. In my number game example, I need a session to share the same target number from request to request.

2. Session ID: A unique number used to identify each session. Session IDs could be generated sequentially as 1, 2, 3, ..., n. But that is a security concern, because one user could easily guess the ID of another session on the server and fake a browser request with that ID to steal information from that session. So the session ID should be generated randomly, and encrypted.

3. Session ID Transfer: Once a session ID is generated, it needs to be transferred to the browser, and the browser should send the session ID back in the next request. We already know that one way of transferring the session ID is to use a cookie, as the IIS ASP server does. Another way is to embed the session ID in the URL of the next request. For example:

<a href="NextPage.asp?sessionId=nnnnnn">Next Page</a>

Another way is to embed the session ID in an HTML form as a hidden value of the next page, so that when the user submits the page, the session ID is included in the request as part of the user data. For example:

<input type="hidden" name="sessionId" value="nnnnnn">

4. Storing Session Information: As you know, the main purpose of introducing sessions is to store information to be shared from request to request. So we need to find a place to store session information. If you look at the IIS ASP server, it offers you a session object with an open collection that allows you to store information. But that is how IIS manages sessions for you; we cannot use it in our own session management.

One way to store session information is to use the server file system. When information needs to be shared with the next request, write it to a file and label it with the current session ID. When handling the next request, you can read it back based on the session ID.

Another way to store session information is to use the application object offered by the IIS ASP server. The application object has an open collection; you can store any information in it and label it with the current session ID. When handling the next request, you can read it back based on the session ID.

Of course you should also consider how to delete the stored information when a session is terminated. Otherwise, your storage will keep growing as more users visit your server.

You should also consider a mechanism to expire inactive sessions, because users may abandon their sessions any time in the middle of the request sequences.
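The following is an added example, not code from this tutorial, that puts requirements 2 through 4 together in one small piece: unpredictable session IDs, the two non-cookie ways of carrying the ID to the next request, a store labelled by session ID, deletion on termination, and expiry of inactive sessions. The in-memory dictionary stands in for the Application object or a file per session; the timeout value and the `clock` parameter (injected so expiry can be exercised without waiting) are my own choices, and `secrets.token_urlsafe` is used as the random source in place of whatever the server offers.

```python
import secrets
import time
from html import escape
from urllib.parse import urlencode

# Constructed value: treat a session as abandoned after 20 minutes without a request.
SESSION_TIMEOUT_SECONDS = 20 * 60


def new_session_id():
    """Unpredictable session ID: 32 bytes from the OS random source, URL-safe so it
    can travel in a query string or a hidden form field without further encoding."""
    return secrets.token_urlsafe(32)


def url_with_session(page, sid):
    """Requirement 3, URL variant: NextPage.asp?sessionId=..."""
    return page + "?" + urlencode({"sessionId": sid})


def hidden_field(sid):
    """Requirement 3, form variant: the ID as a hidden input, attribute-escaped."""
    return '<input type="hidden" name="sessionId" value="%s">' % escape(sid, quote=True)


class SessionStore:
    """Requirement 4: information keyed by session ID, with termination and expiry.
    Stands in for the Application collection or a file named after the session ID."""

    def __init__(self, timeout=SESSION_TIMEOUT_SECONDS, clock=time.time):
        self._sessions = {}          # sid -> {"data": {...}, "last_seen": float}
        self._timeout = timeout
        self._clock = clock          # injectable clock (assumption for testing)

    def create(self):
        sid = new_session_id()
        self._sessions[sid] = {"data": {}, "last_seen": self._clock()}
        return sid

    def lookup(self, sid):
        """Return the session's data dict, or None if the ID is unknown or has
        been inactive longer than the timeout (an expired entry is dropped)."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        now = self._clock()
        if now - entry["last_seen"] > self._timeout:
            del self._sessions[sid]
            return None
        entry["last_seen"] = now     # any valid request keeps the session alive
        return entry["data"]

    def terminate(self, sid):
        """Delete stored information when the user ends the session."""
        self._sessions.pop(sid, None)

    def expire_inactive(self):
        """Sweep abandoned sessions; returns how many were removed."""
        now = self._clock()
        dead = [s for s, e in self._sessions.items() if now - e["last_seen"] > self._timeout]
        for s in dead:
            del self._sessions[s]
        return len(dead)

    def count(self):
        return len(self._sessions)


def number_game_round(store, sid, target):
    """Two requests of the number game sharing one target through the store."""
    data = store.lookup(sid)
    if data is None:
        return None
    data.setdefault("target", target)    # first request fixes the target
    return store.lookup(sid)["target"]   # next request reads it back


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create()
    print(url_with_session("NextPage.asp", sid))
    print(hidden_field(sid))
    print("target shared across requests:", number_game_round(store, sid, 42))
    store.terminate(sid)
    print("sessions after terminate:", store.count())
```

Each request that carries a valid ID refreshes `last_seen`, so a sweep with `expire_inactive` (or the lazy check in `lookup`) only removes sessions the user actually walked away from.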

Last update: 2004.
