views:

2415

answers:

5

In my classic ASP application, the ASP session ID cookie gets lost when the client closes his browser, even though the session didn't time out. So...

How do I make the ASP session ID cookie remain the same even if the client closes his browser?

A: 

Isn't that by design?

Maybe you want to use a normal cookie instead?

Bravax
I guess not... I didn't change any of the IIS defaults, and it simply loses the cookie
Daniel Silveira
Bravax is correct - this is by design. The session isn't lost or expired, it just can't be accessed except from the same browser session.
Sohnee
+1  A: 

You can increase the session time out.

Session.Timeout[=nMinutes]

http://www.asp101.com/articles/john/sessionsend/default.asp

    <%
    ' A custom cookie with an explicit expiry date is persistent:
    ' it survives browser restarts until the Expires date passes.
    Response.Cookies("firstname") = "Alex"
    Response.Cookies("firstname").Expires = #May 10,2012#
    %>

Won't this work?

http://www.w3schools.com/ASP/asp_cookies.asp

Shoban
I have to just add a note to this - don't persist any personal information to a client side cookie. Not just because it can cause a security problem, but also because it's illegal in many countries (including the entire European Union) to store personal information in a cookie without obtaining permission from the user.
Sohnee
Yes this works for custom cookies... I'm talking about the session ID cookie, which is created by IIS.
Daniel Silveira
@Sohnee .. that was just an example.
Shoban
+3  A: 

When you start a new browser session and browse to your site, classic ASP will detect that there is no ASP session cookie and will create a new session for you (as you have already experienced).

Session cookies are just that, they exist for the lifetime of the session. When you close your browser the session cookie will be deleted (even though your session state on the server will live on as an orphaned session until Session.Timeout expires - unless you present the same session cookie again within the Session.Timeout period).

The only way to extend the lifetime of the ASP session cookie across new browser sessions/instances would be to alter the cookie lifetime using script on the browser/client.

If you're looking to manage state across events such as the browser closing, you'll need to implement your own state management mechanism (persist state to a database for example) and use a regular cookie with a long lifetime (or with a sliding expiration where you extend the lifetime by a small amount of time on each request in your server side script) to match state to the user.

Edit:

The following article has a script to modify the session cookie (scroll down to Cookie Expiration):

ASP Session Cookies (Plynt)

But as Shoban correctly points out there is a risk of Session Fixation (OWASP). You can however go some way to protect yourself against this:

Session Fixation Protection (OWASP)

I'd also add some caveats: if your application is storing sensitive data (credit cards, financials, medical etc.) then I'd suggest not doing this and living with the fact that your user will have to log on again and start a new session. Better safe than sorry.

Kev
Seems nice.... But, how to do it?
Daniel Silveira
"I'm 110% sure. Sessions DO NOT end when a user closes their browser." http://www.asp101.com/articles/john/sessionsend/default.asp Any thoughts?
Shoban
Correct sessions ON THE SERVER don't end until the Session.Timeout expires, but closing the browser will cause the session cookie to expire leaving the state on the server orphaned until it's cleaned up after Session.Timeout. If there's no session cookie on the first request to the site, a new session will always be created.
Kev
@Shoban: Yes.... You are right... the session doesn't end when the browser is closed, but the cookie session ID that identifies the session gets deleted when the user closes the browser... So, although the session exists, it is unreachable. Got it?
Daniel Silveira
@Daniel - correct, your session will be orphaned. I've updated my answer to explain this better.
Kev
@Kev: I guess you understood the problem... So you're getting close to being the accepted answer... Just tell me how to do it.
Daniel Silveira
Thanks! I wrote the answer that it expires and then edited it after reading the post in the link which I posted ;-) It confused me, or maybe I read it too quickly ;-)
Shoban
@Kev "The only way to extend the lifetime of the ASP session cookie across new browser sessions/instances would be to alter the cookie lifetime using script on the browser/client." The cookie you are talking about in your answer is the normal cookie which I have posted in my answer. Am I right?
Shoban
@Kev: Can't I just extend the life time of the ASP session ID cookie to remain during browser reopening? (Maybe using JavaScript?)
Daniel Silveira
@Daniel .. Do you think that will be possible? Due to security reasons?
Shoban
@Kev: Yes, this is the cookie I'm talking about... It is created automatically by IIS and its name isn't always the same, but it is something like ASPSESSIONID********
Daniel Silveira
@Shoban... I don't know, but I believe there must be a solution for it.
Daniel Silveira
@Shoban - no I'm talking about the ASP session cookie (ASPSESSIONIDxxx=XXXX) which can't be altered in ASP server side script.
Kev
......Thanks Kev
Shoban
@Shoban - ASP prevents modification of ASPSESSIONIDxxx=XXXX. You'd need to find this cookie using script on the browser and modify its lifetime there.
Kev
@Kev, please... just give the code (JavaScript) and you will get the accepted answer :)
Daniel Silveira
@Kev I seriously doubt whether this is possible. But I am interested in knowing. If this is possible, then after increasing the lifetime of the cookie, when we reopen the site won't the server create a new session ID?
Shoban
Even if it is possible, won't that lead to fixation attacks? http://en.wikipedia.org/wiki/Session_fixation
Shoban
@Shoban/@Daniel - see my updates
Kev
..............Thanks ;-)
Shoban
@Shoban - np....good discussion :)
Kev
A: 

You need to persist the session cookie as, for security reasons, you can't access the session between browsers (be it two different browsers, or the same one closed and re-opened).

Normally, you would store the details server side and use a client side cookie that contains a simple id to retrieve the information.

Sohnee
+1  A: 

"Session cookie" is the clue: when the user closes their browser they are ending their session.

The server timeout exists because the server has no way of knowing that the user ended the session, so it works on the basis that if they don't come back for a while, the session must be over.

If you want a persistent cookie, you'll have to set it yourself; but there's no way of preventing the user from ending their session.

NickFitz