Classic ASP: Multiple ASPSESSIONID in cookies

悲&欢浪女 2020-12-01 21:07

I have a problem with a classic ASP page that I have not been able to solve for 3 days.

The page is working with Sessions - sometimes it happens that the ASPSESSIONID cook

7 answers
  • 2020-12-01 21:42

    This issue also troubled me for a long time. And I cannot solve it.

    It has nothing to do with the browser. My Chrome, Firefox, IE all have this issue.

    Sometimes I can see 20+ ASPSESSIONIDXXXX cookies in one page.

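    Finally I must use JavaScript to clear the old ASPSESSIONID*** and keep the latest one.

    function clearASPSESSIONID(){
        // document.cookie only lists cookies that are not HttpOnly.
        // match() returns null when no session cookie is visible, so fall back to [].
        var cks = document.cookie.match(/\b(ASPSESSIONID[A-Z]+)(?==)/g) || [],
            lskey = 'oldASPSESSIONID-'+location.protocol+'//'+location.host,
            old = window.localStorage ? localStorage.getItem(lskey) : '',
            keep, i;
        // The final iteration always assigns, so the last name listed is the one kept.
        for(i=0;i<cks.length;i++){
            if((old && old.indexOf(cks[i])<0) || i==cks.length-1){
                keep = cks[i];
            }
        }
        // Expire every other session cookie. ASP sets them with path=/, and a
        // cookie is only removed when the path matches the one it was set with.
        for(i=0;i<cks.length;i++){
            if(keep != cks[i]){
                document.cookie = cks[i] + '=; expires=Thu, 01 Jan 1970 00:00:01 GMT; path=/';
            }
        }
        // Remember the kept name for the next page load.
        if(window.localStorage){
            localStorage.setItem(lskey, keep ? keep : '');
        }
    }
    clearASPSESSIONID();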
    
  • 2020-12-01 21:48

    In global.asa file:

    Sub Session_OnStart
    
        Dim cookie, cookies : cookies = Split(Request.ServerVariables("HTTP_COOKIE"),";")
        For Each cookie In cookies
            cookie = Trim(Split(cookie,"=")(0))
            If Left(cookie,12) = "ASPSESSIONID" Then
                Response.AddHeader "Set-Cookie", cookie&"=; expires=Thu, 01 Jan 1970 00:00:00 UTC; path=/"
            End If
        Next
    
    End Sub
    
  • 2020-12-01 21:53

    You can use the URL Rewrite mod to rename the session cookie when it is set and use an inbound rewrite rule to revert it back again. Multiple session cookies occur when the session name ID changes, but by giving the session cookie a set name and including the ID within the cookie itself there will only ever be one session cookie at a time.

    Use these rewrite rules in web.config to change

    ASPSESSIONIDXXXXXXXX=YYYYYYYYYYYYYYYYYYYYYYYY
    

    into

    session=XXXXXXXX/YYYYYYYYYYYYYYYYYYYYYYYY
    

    then revert it back again on an inbound request (so it can still be read by IIS):

    <?xml version="1.0" encoding="UTF-8"?>
    <configuration>
      <system.webServer>
        <rewrite>
            <rules>
                <clear />
                <!-- "HTTP_COOKIE" must be added to the "allowed server variables" in IIS under URLRewrite -->
                <rule name="session cookie revert">
                    <match url="(.*)" />
                    <conditions>
                        <add input="{HTTP_COOKIE}" pattern="(.*)session=([0-9a-zA-Z]+)\/([0-9a-zA-Z]+)(.*)" />
                    </conditions>
                    <serverVariables>
                        <set name="HTTP_COOKIE" value="{C:1}ASPSESSIONID{C:2}={C:3}{C:4}" />
                    </serverVariables>
                    <action type="None" />
                </rule>
            </rules>
            <outboundRules>
                <rule name="session cookie rewrite">
                    <match serverVariable="RESPONSE_Set_Cookie" pattern="ASPSESSIONID([0-9a-zA-Z]+)=([0-9a-zA-Z]+)(.*)" negate="false" />
                    <!-- Set the session cookie as HttpOnly during the rewrite. Classic ASP doesn't 
                    do this by default, but it's important for preventing XSS cookie stealing. 
                    You could also add "; Secure" if you only want the session cookie to be passed 
                    over an SSL connection, although this also means the cookie can only be set over 
                    an SSL connection too, which could be a problem when testing on localhost. -->
                    <action type="Rewrite" value="session={R:1}/{R:2}{R:3}; HttpOnly" />
                </rule>     
            </outboundRules>
        </rewrite>
      </system.webServer>
    </configuration>
    
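The round trip performed by the two rewrite rules in the answer above, as an added example that is not part of the original answer: it runs the answer's two patterns over constructed headers and shows one failure mode of the unanchored inbound pattern. `INBOUND_STRICT`, the function names and all sample cookie values are assumptions of this example.

```javascript
// Patterns copied from the web.config above; URL Rewrite's default pattern
// syntax is ECMAScript, so JavaScript regexes behave the same way.
const OUTBOUND = /ASPSESSIONID([0-9a-zA-Z]+)=([0-9a-zA-Z]+)(.*)/;
const INBOUND = /(.*)session=([0-9a-zA-Z]+)\/([0-9a-zA-Z]+)(.*)/;
// Assumed tighter variant (not from the answer): the name must start the
// header or follow "; ", so cookies merely ending in "session" are ignored.
const INBOUND_STRICT = /(^|.*; )session=([0-9a-zA-Z]+)\/([0-9a-zA-Z]+)(.*)/;

// Outbound rule: "session={R:1}/{R:2}{R:3}; HttpOnly" on the Set-Cookie value.
function rewriteSetCookie(value) {
  const m = OUTBOUND.exec(value);
  return m ? `session=${m[1]}/${m[2]}${m[3]}; HttpOnly` : value;
}

// Inbound rule: "{C:1}ASPSESSIONID{C:2}={C:3}{C:4}" on the Cookie header.
function revertCookie(value, pattern = INBOUND) {
  const m = pattern.exec(value);
  return m ? `${m[1]}ASPSESSIONID${m[2]}=${m[3]}${m[4]}` : value;
}

// Constructed sample values, not captured traffic.
const setCookie = "ASPSESSIONIDQACRSTBC=KJHGFDSAPOIUYTREWQLKJHGF; path=/";
const sent = rewriteSetCookie(setCookie);
console.log(sent);

// The browser returns only name=value, alongside the site's other cookies.
const pair = sent.split(";")[0];
console.log(revertCookie(`theme=dark; ${pair}; lang=en`));

// Failure mode: another cookie whose name ends in "session" and whose value
// looks like X/Y. The greedy (.*) picks the last candidate, so the real
// session cookie is left unreverted and the other cookie is renamed.
const clash = `${pair}; mysession=abc/def`;
console.log(revertCookie(clash));
console.log(revertCookie(clash, INBOUND_STRICT));
```

When the real cookie is left unreverted, IIS sees no ASPSESSIONID cookie on that request, which is worth checking for if other applications on the same host set cookies of their own.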
  • 2020-12-01 21:54

    Maybe late, but this could be useful as there is no accepted answer.

    In the application pool, under the recycling options, check that you do not recycle your application too soon, or you will end up with an ASPSESSIONIDXXXXXXX for each new application you respawn.

    There are several recycling conditions. I set "minimum number of requests" to 1 by mistake and got an ASPSESSIONID for each request.

  • 2020-12-01 22:00

    Go to the application pool's "Advanced Settings" and set "Maximum Worker Processes" to 1.

  • 2020-12-01 22:01

    You have assigned a value in your session of the user. Try to fetch your session like this and assign different unique values to every user:

    <% 
    Session("test") = "test value" 
    a=Session("test")
    response.Write(a)
    %>
    