ASP Tutorials - Herong's Tutorial Notes
Dr. Herong Yang, Version 4.11

Managing Session with and without Cookies


I received an interesting question not long ago about ASP sessions and cookies. The question was: "If the user's browser doesn't support cookies or has them turned off, will ASP sessions work properly?"

My answer was no. In this chapter, I will show you why, and provide you with suggestions on how to manage your own sessions without cookies.

ASP Session State and Cookies

As you can see from the "ASP Sessions" chapter, the IIS server maintains ASP sessions by sending session IDs to the user's browser as cookies. If the browser doesn't support cookies, or has cookie support turned off, it will not send the session IDs back as cookies. If the server doesn't receive a session ID, it will treat each browser request as a new session, even if it is a subsequent request from the same user.

To show you how ASP sessions are related to the browser's cookie support, I wrote the following simple number game page:

<script language="vbscript" runat="server">
'  game.asp
'  Copyright (c) 2004 by Dr. Herong Yang
'  This ASP page offers a simple game, relying on the session object
'  to remember the target number.
'
   number = session("number")
   response.write("<html><body>")
   if len(number) = 0 then
      Randomize()
      number = Int(100*Rnd())
      session("number") = number
      response.write("Welcome to the Game Server!<br/>")
      response.write("I have a number between 0 and 100" & _
         " for you to guess.<br/>")
   else
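      guess = request.QueryString("guess")
      if len(guess) = 0 or not IsNumeric(guess) then
         ' A missing or non-numeric guess would make Cint() fail
         response.write("Please enter a number as your guess.<br/>")
      elseif Cint(guess) = Cint(number) then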
         Randomize()
         number = Int(100*Rnd())
         session("number") = number
         response.write("Congratulations, you win!<br/>")
         response.write("I have another number between 0 and 100" & _
            " for you to guess.<br/>")
      elseif Cint(guess) > Cint(number) then
         response.write("Your guess is too high. Please make" & _
            " another guess.<br/>")
      elseif Cint(guess) < Cint(number) then
         response.write("Your guess is too low. Please make" & _
            " another guess.<br/>")
      end if
   end if
   response.write("<form action=game.asp method=get>")
   response.write("Your guess:")
   response.write("<input type=text size=4 name=guess>")
   response.write("<input type=submit name=submit value=Submit>" & _
      "<br/>")
   response.write("</form>")
   response.write("Your session ID is " & session.SessionID & _
      "<br/>")
   response.write("</body></html>")
</script>

Now put this page on the IIS server of your local system. If you run the IE (Internet Explorer) browser with the default options, you should be able to run this game with no problem. You should get only one session ID during your entire game session, no matter how many times you click the submit button and trigger the browser to send requests to the server.

To see how my game ASP page behaves when cookie support in IE is turned off, open IE, select the "Tools" menu, then select the "Internet Options" command to get the "Internet Options" dialog box. In the options dialog box, select the "Privacy" tab, and move the privacy setting to the "Medium" level. Then click the "Edit" button in the override section. In the override dialog box, enter "127.0.0.1" in the "Address of Web site" field, and click "Block". Finally, click the "OK" button to close both dialog boxes.

Now run IE with "http://127.0.0.1/game.asp" to access my game ASP page, and you will get the welcome message. This is correct: since you are accessing the page for the first time, the ASP server assigns you a new session. But if you enter a guess number and click the "Submit" button, you will get the welcome message again, with a new session ID. If you keep entering guess numbers, you will always get the welcome message, and different session IDs. Why? Because IE is not sending session IDs back to the server any more. So the server will create a new session each time, and my game page will generate a new number and display the welcome message each time.

Note that:

  • The IIS ASP server is able to maintain the session state from one request to the next, because it sends the session ID to the browser as a cookie in the response, and the browser sends the session ID back as a cookie in each request.
  • Without cookies, the IIS ASP server receives the browser's requests without session IDs. It will initiate a new session object for each request, and will not be able to maintain the session state for you.
  • I am asking you to block "127.0.0.1", not "localhost", because the blocking mechanism does not seem to work for host names without any domain names.
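The cookie round-trip described above can be modeled in a few lines. This is an added example, not code from the original tutorial: it is a Python model rather than ASP, and the cookie name `SESSIONID`, the `handle`/`Browser`/`play` helpers and the ID format are assumptions chosen for illustration. It also shows that every request from a cookie-blocking browser leaves one more session object on the server.

```python
import secrets
from http.cookies import SimpleCookie

COOKIE = "SESSIONID"   # hypothetical cookie name, not the one IIS uses
sessions = {}          # server side: session ID -> session state

def handle(request_headers, guess=None):
    """Model of game.asp: returns (response_headers, body, session_id)."""
    jar = SimpleCookie(request_headers.get("Cookie", ""))
    sid = jar[COOKIE].value if COOKIE in jar else None
    response_headers = {}
    if sid not in sessions:            # no (known) ID: start a new session
        sid = secrets.token_hex(16)    # constructed ID format
        sessions[sid] = {}
        response_headers["Set-Cookie"] = f"{COOKIE}={sid}; Path=/; HttpOnly"
    state = sessions[sid]
    if "number" not in state:          # fresh session: pick a target number
        state["number"] = secrets.randbelow(100)
        body = "Welcome to the Game Server!"
    elif guess is None:
        body = "Please enter a guess."
    elif guess == state["number"]:
        state["number"] = secrets.randbelow(100)
        body = "Congratulations, you win!"
    else:
        body = "Too high." if guess > state["number"] else "Too low."
    return response_headers, body, sid

class Browser:
    """Client that either stores cookies or blocks them."""
    def __init__(self, accept_cookies):
        self.accept_cookies = accept_cookies
        self.jar = SimpleCookie()

    def get(self, guess=None):
        headers = {}
        if self.jar:                   # send back every stored cookie
            headers["Cookie"] = "; ".join(f"{k}={m.value}" for k, m in self.jar.items())
        response_headers, body, sid = handle(headers, guess)
        if self.accept_cookies and "Set-Cookie" in response_headers:
            self.jar.load(response_headers["Set-Cookie"])
        return body, sid

def play(accept_cookies, requests=3):
    """First request plus guesses; returns (bodies, distinct session IDs seen)."""
    browser = Browser(accept_cookies)
    results = [browser.get()] + [browser.get(guess=50) for _ in range(requests - 1)]
    return [body for body, _ in results], {sid for _, sid in results}
```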

(Continued on next part...)


Dr. Herong Yang, updated in 2004