ansaurus

Question

Classic ASP Session ID Cookie Lifetime

Answer 1

A:

Isn't that by design?

Maybe you want to use a normal cookie instead?

Bravax 2009-06-19 11:46:38

I guess not... I didn't changed any of the IIS defaults, and it simply loses the cookie

Daniel Silveira 2009-06-19 11:52:06

Bravax is correct - this is by design. The session isn't lost or expired, it just can't be accessed except from the same browser session.

Sohnee 2009-06-19 11:56:01

Answer 2

+1 A:

You can increase the session time out.

Session.Timeout[=nMinutes]

http://www.asp101.com/articles/john/sessionsend/default.asp

 <%
    Response.Cookies("firstname")="Alex"
    Response.Cookies("firstname").Expires=#May 10,2012#
    %>

Wont this work??

http://www.w3schools.com/ASP/asp_cookies.asp

Shoban 2009-06-19 11:52:41

I have to just add a note to this - don't persist any personal information to a client side cookie. Not just because it can cause a security problem, but also because it's illegal in many countries (including the entire European Union) to store personal information in a cookie without obtaining permission from the user.

Sohnee 2009-06-19 11:54:57

Yes this works for custom cookies... I'm talking about the session ID cookie, which is created by IIS.

Daniel Silveira 2009-06-19 11:54:58

@Sohnee .. that was just an example.

Shoban 2009-06-19 11:56:44

Answer 3

+3 A:

When you start a new browser session and browse to your site, classic ASP will detect that there is no ASP session cookie and will create a new session for you (as you have already experienced).

Session cookies are just that, they exist for the lifetime of the session. When you close your browser the session cookie will be deleted (even though your session state on the server will live on as an orphaned session until Session.Timeout expires - unless you present the same session cookie again within the Session.Timeout period).

The only way to extend the lifetime of the ASP session cookie across new browser sessions/instances would be to alter the cookie lifetime using script on the browser/client.

If you're looking to manage state across events such as the browser closing, you'll need implement your own state management mechanism (persist state to a database for example) and use a regular cookie with a long lifetime (or with a sliding expiration where you extend the lifetime by a small amount of time on each request in your server side script) to match state to the user.

Edit:

The following article has a script to modify the session cookie (scroll down to Cookie Expiration):

ASP Session Cookies (Plynt)

But as Shoban correctly points out there is a risk of Session Fixation (OWASP). You can however go some way to protect yourself against this:

Session Fixation Protection (OWASP)

I'd also add some caveats, if your application is storing sensitive data (credit cards, financials, medical etc) then I'd suggest not doing this and live with the fact that your user will have to logon again and start a new session. Better safe than sorry.

Kev 2009-06-19 11:53:25

Seems nice.... But, how to do it?

Daniel Silveira 2009-06-19 11:58:51

" I'm 110% sure. Sessions DO NOT end when a user closes their browser."http://www.asp101.com/articles/john/sessionsend/default.aspAny thoughts?

Shoban 2009-06-19 11:59:26

Correct sessions ON THE SERVER don't end until the Session.Timeout expires, but closing the browser will cause the session cookie to expire leaving the state on the server orphaned until it's cleaned up after Session.Timeout. If there's no session cookie on the first request to the site, a new session will always be created.

Kev 2009-06-19 12:03:30

@Shoban: Yes.... You are right... the session doesn't end when the browser is closed, but the cookie session ID that identifies the session gets deleted when the user closes the browser... So, although the session exists, it is unreachable. Got it?

Daniel Silveira 2009-06-19 12:04:15

@Daniel - correct, your session will be orphaned. I've updated my answer to explain this better.

Kev 2009-06-19 12:07:13

@Kev: I guess you understood the problem... So you getting close to be the accepted answer... Just tell me how to do it.

Daniel Silveira 2009-06-19 12:08:18

Thanks! I wrote the answer that it expires and then edited it after reading the post in the link which I posted.;-) it confused me or may be i read it quick ;-)

Shoban 2009-06-19 12:09:11

@Kev "The only way to extend the lifetime of the ASP session cookie across new browser sessions/instances would be to alter the cookie lifetime using script on the browser/client." the cookie you are talking about in your answer is the normal cookie which I ahev posted in my answer. Am I right?

Shoban 2009-06-19 12:10:09

@Kev: Can't I just extend the life time of the ASP session ID cookie to remain during browser reopening? (Maybe using JavaScript?)

Daniel Silveira 2009-06-19 12:11:29

@Daniel .. Do you think that will be possible? Due to security reasons?

Shoban 2009-06-19 12:14:04

@Kev: Yes, this is the cookie I'm talking about... It is created automaticaly by IIS and it's name isn't always the same, but it is something like ASPSESSIONID********

Daniel Silveira 2009-06-19 12:14:06

@Shoban... I don't know, But I believe it must have a solution for it.

Daniel Silveira 2009-06-19 12:14:45

@Shoban - no I'm talking about the ASP session cookie (ASPSESSIONIDxxx=XXXX) which can't be altered in ASP server side script.

Kev 2009-06-19 12:15:16

......Thanks Kev

Shoban 2009-06-19 12:16:44

@Shoban - ASP prevents modification of ASPSESSIONIDxxx=XXXX. You'd need to find this cookie using script on the browser an modify its lifetime there.

Kev 2009-06-19 12:17:46

@Kev, please... just give the code (JavaScript) and you will get the accepted answer :)

Daniel Silveira 2009-06-19 12:19:13

@Kev I seriously doubt whether this is posible. But am interested in knowing. If this is possible then after increasing the lifetime of the cookie when we reopent the site wont the server create a new session id?

Shoban 2009-06-19 12:37:18

Even if it possible wont that lead to fixation attacks? http://en.wikipedia.org/wiki/Session_fixation

Shoban 2009-06-19 12:38:33

@Shoban/@Daniel - see my updates

Kev 2009-06-19 12:51:19

..............Thanks ;-)

Shoban 2009-06-19 14:19:10

@Shoban - np....good discussion :)

Kev 2009-06-19 14:25:21

Answer 4

A:

You need to persist the session cookie as, for security reasons, you can't access the session between browsers (be it two different browsers, or the same one closed and re-opened).

Normally, you would store the details server side and use a client side cookie that contains a simple id to retrieve the information.

Sohnee 2009-06-19 11:53:27

Answer 5

+1 A:

"Session cookie" is the clue: when the user closes their browser they are ending their session.

The server timeout exists because the server has no way of knowing that the user ended the session, so it works on the basis that if they don't come back for a while, the session must be over.

If you want a persistent cookie, you'll have to set it yourself; but there's no way of preventing the user from ending their session.

NickFitz 2009-06-19 11:57:01

ansaurus

tags:

views:

answers:

Classic ASP Session ID Cookie Lifetime

related questions