I have a problem with a classic asp page and I just cannot solve it since 3 days.
The page is working with Sessions - sometimes it happens that the ASPSESSIONID cookie is set twice in the Request.ServerVariables("HTTP_COOKIE"). This causes the ASP-Page to jump between the two Sessions when the page is refreshed.
I have written an Test page which outputs the current SessionId, the Server Software and the HTTP_COOKIE value.
Sample Output:
Session ID: 308542840
Session Timeout: 20 minutes
Server Software: Microsoft-IIS/6.0
HTTP_COOKIE: ASPSESSIONIDQCBATRAD=MBHHDGCBGGBJBMAEGLDAJLGF; ASPSESSIONIDQCCDTTCB=PGHPDGCBPLKALGGKIPOFIGDM
Why are there two ASPSESSIONIDs?
When I refresh the page then it randomly outputs one of the two Session IDs.
Here is a screencast which shows the problem in IE9:
http://prinz-alexander.at/asp_test.avi
This error often occurs in ie8 and ie9.
Just do the following to recreate the Problem:
- Completely close IE8 or IE9
- Start IE8 or IE9 and open http://www.pfiffikus.at/pfiffikus/tests/
- Immediatly after the page is loaded refresh the page mutiple times
If you repeat this steps then randomly (not always) the HTTP_COOKIE is populated with two different ASPSESSIONIDs.
The asp test file is only outputing the mentiod values, nothing else is happening in the source code.
This is the code of the asp test file:
<% If trim(Session("test_val")) = "" Then
Dim my_num
Randomize
number = Int((rnd*1000))+1
Session("test_val") = number
End If
%>
<b>Session ID:</b>
<% response.write(Session.SessionId) %><br /><br />
<b>Session("test_val"):</b>
<% response.write(Session("test_val")) %><br /><br />
<b>Session Timeout:</b>
<% response.write(Session.Timeout) %> minutes<br /><br />
<b>Server Software:</b>
<% response.write(Request.ServerVariables("SERVER_SOFTWARE")) %><br /> <br />
<b>HTTP_COOKIE:</b> <% response.write(Request.ServerVariables("HTTP_COOKIE")) %>
How can i avoid multiple ASPSESSIONIds in cookies?
Thanks for any help!
I was able to remove those cookies with Javascript.
Just add next script to the end of login page.
This will remove all "ASPSESSIONIDXXXXXXX" cookies before user will login to website:
<script type="text/javascript">
//Clear any session cookies
(function(){
var cookiesArr = document.cookie.split("; ");
for (var i = 0; i < cookiesArr.length; i++) {
var cItem = cookiesArr[i].split("=");
if (cItem.length > 0 && cItem[0].indexOf("ASPSESSIONID") == 0) {
deleteCookie(cItem[0]);
}
}
function deleteCookie(name) {
var expDate = new Date();
expDate.setTime(expDate.getTime() - 86400000); //-1 day
var value = "; expires=" + expDate.toGMTString() + ";path=/";
document.cookie = name + "=" + value;
}
})();
</script>
This issue also troubled me for a long time. And I cannot solve it.
It's none of browsers business. My Chrome, Firefox, IE all have this issue.
Sometimes I can see 20+ ASPSESSIONIDXXXX cookies in one page.
Finally I must use javascript to clear the old ASPSESSIONID*** and keep the latest one.
function clearASPSESSIONID(){
var cks = document.cookie.match(/\b(ASPSESSIONID[A-Z]+)(?==)/g),
lskey = 'oldASPSESSIONID-'+location.protocol+'//'+location.host,
old = window.localStorage ? localStorage.getItem(lskey) : '',
keep, i;
for(i=0;i<cks.length;i++){
if((old && old.indexOf(cks[i])<0) || i==cks.length-1){
keep = cks[i];
}
}
for(i=0;i<cks.length;i++){
if(keep != cks[i]){
document.cookie = cks[i] + '=; expires=Thu, 01 Jan 1970 00:00:01 GMT;';
}
}
if(window.localStorage){
localStorage.setItem(lskey, keep ? keep : '');
}
}
clearASPSESSIONID();
Go to Application pool 'advanced setting" and set "Maximum Worker Processes" to 1.
Maybe later but could be useful as there is no accepted answer.
In application pool, at recycling options, check if you do not
recycle your application too soon or you will ended with an
ASPSESSIONIDXXXXXXX for each new application you respawn.
There are several recycling conditions.
I set "minimum number of requests" to 1 by mistake and got
an ASPSESSIONID for each request
You can use the URL Rewrite mod to rename the session cookie when it is set and use an inbound rewrite rule to revert it back again. Multiple session cookies occur when the session name ID changes, but by giving the session cookie a set name and including the ID within the cookie itself there will only ever be one session cookie at a time.
Use these rewrite rules in web.config to change
ASPSESSIONIDXXXXXXXX=YYYYYYYYYYYYYYYYYYYYYYYY
into
session=XXXXXXXX/YYYYYYYYYYYYYYYYYYYYYYYY
then revert it back again on an inbound request (so it can still be read by IIS):
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<rewrite>
<rules>
<clear />
<!-- "HTTP_COOKIE" must be added to the "allowed server variables" in IIS under URLRewrite -->
<rule name="session cookie revert">
<match url="(.*)" />
<conditions>
<add input="{HTTP_COOKIE}" pattern="(.*)session=([0-9a-zA-Z]+)\/([0-9a-zA-Z]+)(.*)" />
</conditions>
<serverVariables>
<set name="HTTP_COOKIE" value="{C:1}ASPSESSIONID{C:2}={C:3}{C:4}" />
</serverVariables>
<action type="None" />
</rule>
</rules>
<outboundRules>
<rule name="session cookie rewrite">
<match serverVariable="RESPONSE_Set_Cookie" pattern="ASPSESSIONID([0-9a-zA-Z]+)=([0-9a-zA-Z]+)(.*)" negate="false" />
<action type="Rewrite" value="session={R:1}/{R:2}{R:3}; HttpOnly" />
</rule>
</outboundRules>
</rewrite>
</system.webServer>
</configuration>
You have assigned a value in your session of the user. Try to fetch your fetch your session like this and assign different unique values to every user
<%
Session("test") = "test value"
a=Session("test")
response.Write(a)
%>
In global.asa file:
Sub Session_OnStart
Dim cookie, cookies : cookies = Split(Request.ServerVariables("HTTP_COOKIE"),";")
For Each cookie In cookies
cookie = Trim(Split(cookie,"=")(0))
If Left(cookie,12) = "ASPSESSIONID" Then
Response.AddHeader "Set-Cookie", cookie&"=; expires=Thu, 01 Jan 1970 00:00:00 UTC; path=/"
End If
Next
End Sub
{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://img.manongdao.com/sparkler-677774__340.jpg', '推荐 仙女界的扛把子 的文章《Classic ASP: Multiple ASPSESSIONID in cookies》','https://www.manongdao.com/article-81799.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}