Classic ASP Session Cookie Lifetime Session Identifier

In my classic ASP application, the cookie associated with the ASP ID is lost when the client closes its browser, even though the session has not timed out. So...

How to make an ASP session identifier cookie the same even if clients close the browser?

+4
source share
5 answers

When you start a new browser session and go to your site, classic ASP will detect that there is no ASP session cookie and will create a new session for you (as you already saw).

Session cookies are just that: they exist for the life of a session. When you close your browser, the session cookie is deleted (even though your session state on the server will live on as an orphaned session until Session.Timeout expires, if you do not present the same session cookie during the Session.Timeout period).

The only way to extend the ASP session cookie lifetime in new browser sessions / instances is to change the cookie lifetime using a script in the browser / client.

If you want to manage state across events such as closing the browser, you will need to implement your own state management mechanism (for example, saving state in the database) and use a regular cookie with a long lifetime (or with a rolling expiration, where you extend the lifetime by a small amount of time on each request in the server-side script) to match the user to their state.

Edit:

The following article has a script to change the session cookie (scroll down until the cookie expires):

But, as Shoban correctly points out, there is a risk of Session Fixation (OWASP). However, you can protect yourself from this to some extent:

I would also add a caveat: if your application stores confidential data (credit cards, financial, medical, etc.), then I would suggest not doing this and living with the fact that your user will have to log in again and start a new session. Better safe than sorry.

+5
source

You can increase the session timeout.

Session.Timeout[=nMinutes] 

http://www.asp101.com/articles/john/sessionsend/default.asp

    <%
    Response.Cookies("firstname") = "Alex"
    Response.Cookies("firstname").Expires = #May 10,2012#
    %>

Won't this work?

http://www.w3schools.com/ASP/asp_cookies.asp

+1
source

A “session cookie” is the key: when a user closes their browser, they end the session.

The server timeout exists because the server does not know that the user has ended the session, so it works on the basis that if they do not return for some time, the session must be over.

If you need a persistent cookie, you have to set it yourself; but there is no way to prevent the user from ending the session.

+1
source

Isn't that by design?

Maybe you want to use a regular cookie instead?

0
source

You need to save the session cookie, because for security reasons you cannot access the session between browsers (be it two different browsers or the same one closed and re-opened).

Generally, you should store server information and use a client-side cookie containing a simple identifier to retrieve information.

0
source
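The approach the answers above describe (server-side state looked up through a long-lived cookie with rolling expiration, with a guard against session fixation), sketched in Python rather than ASP. This is an added example, not code from any of the answers; the cookie name `stateid`, the 14-day lifetime and the in-memory `STORE` standing in for a database table are assumptions.

```python
import hashlib
import secrets
import time

LIFETIME = 14 * 24 * 3600  # assumed rolling lifetime in seconds (14 days)
STORE = {}                 # stands in for a database table: sha256(token) -> record

def token_key(token):
    # Store only a hash, so a leaked table does not hand out usable cookie values.
    return hashlib.sha256(token.encode()).hexdigest()

def cookie_header(token):
    # "stateid" is a made-up cookie name. Max-Age makes the cookie outlive the
    # browser process; Secure and HttpOnly keep it off plain HTTP and out of script.
    return "Set-Cookie: stateid=%s; Max-Age=%d; Path=/; Secure; HttpOnly; SameSite=Lax" % (token, LIFETIME)

def issue(user, state=None, now=None):
    """Create a record under a fresh, server-generated random identifier."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    STORE[token_key(token)] = {"user": user, "state": dict(state or {}), "expires": now + LIFETIME}
    return token

def resume(token, now=None):
    """Return (record, refreshed Set-Cookie header), or (None, None) if not valid."""
    now = time.time() if now is None else now
    rec = STORE.get(token_key(token or ""))
    if rec is None:
        return None, None  # unknown value: never adopt an identifier the client supplies
    if rec["expires"] <= now:
        del STORE[token_key(token)]  # expired: drop the server-side state as well
        return None, None
    rec["expires"] = now + LIFETIME  # rolling expiration, extended on each request
    return rec, cookie_header(token)

def login(user, presented=None, now=None):
    """On authentication, retire the presented identifier and issue a new one."""
    old = STORE.pop(token_key(presented), None) if presented else None
    return issue(user, old["state"] if old else None, now)
```

Because `resume` only accepts identifiers the server itself generated and `login` always replaces the identifier, a value planted in the browser before authentication is never bound to the authenticated user.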

Source: https://habr.com/ru/post/1286461/

