INFO: ASP Requires Session State to Maintain Static Cookies

Article translations Article translations
Article ID: 184574 - View products that this article applies to.
This article was previously published under Q184574
Expand all | Collapse all


Active Server Pages (ASP) uses HTTP cookies to maintain session state. Under certain conditions, the value of these session cookies may change. This article describes conditions under which session cookies are generated and how to ensure that static cookies are created.


The Active Server Pages developer needs to understand how cookies work in order to maximize performance and minimize unexpected results such as losing session state. Each request made to ASP will trigger the creation of a new SessionID cookie unless a Session variable is created in the requested page or there is a Session_OnStart event handler in the Global.asa file. By the same token, ASP creates unique SessionID cookies when .asp files are used as the source for frames in a FRAMESET.

These multiple SessionID cookies may affect performance. If a session is triggered by storing a scalar or object value to a session variable, but the user moves out of or to another ASP application and then returns, the original session object is lost. You can also control this unintended result by an informed Active Server Pages design strategy.

ASP sends a different ASPSessionID cookie (scoped to the application, which is the virtual directory for the requested .asp file) for each and every .asp file that is requested until Session state is triggered. Session state is triggered once something is stored in a Session variable (a scalar variable or an object instance), or the Session_OnStart event is fired in the application's Global.asa file, the SessionID is fixed for that user until the Session times out or is abandoned.

The reasons for this are that, by default, buffering is off for an ASP page. This means that HTTP headers (which contain cookies) need to be generated before any content (typically HTML) is sent out by the processing of the .asp file. In other words, an ASPSessionID cookie is placed in the HTTP headers just in case there is going to be Session state defined in the processing of the forthcoming .asp file.

If no Session state is defined, the next .asp file request has the same potential to start the Session by placing something in Session state (this makes a new ASPSessionID because no Session has been started prior to this request). If Session state is used, the ASPSessionID remains constant for the rest of the session.

NOTE 1: If the .asp page turns the Buffering property of the Response object on (that is, Response.Buffer=TRUE), ASPSessionID cookies are not sent out with each .asp file request until Session state is used. This is because the HTTP headers can be changed even after content has been produced. So, as noted in the preceding two paragraphs, the reason the ASPSessionID is created before the .asp file is processed is unnecessary when buffering is ON.

NOTE 2: If you do not plan to use Session state for any application, you may use the registry to turn it off for all applications.

NOTE 3: You can stub out the Session_OnStart event in the Global.asa file; that is, no code is necessary between the beginning and end of that subroutine.

NOTE 4: Under ASP 1.0b, additional difficulties can occur if full permissions are not given to the Global.asa file. If individual .asp files need finer access control lists, store them in subdirectories beneath the directory that contains the Global.asa file.

NOTE 5: ASP Hotfix 1.21.11 permits ACL restrictions on the Global.asa file. Contact Microsoft Technical Support if you feel that installing this hotfix is necessary. For a complete list of Microsoft Product Support Services phone numbers and information about support costs, please go to the following address on the World Wide Web:;EN-US;CNTACTMS
In special cases, charges that are normally incurred for support calls may be canceled, if a Microsoft Support Professional determines that a specific update will resolve your problem. Normal support costs will apply to additional support questions and issues that do not qualify for the specific update in question.


178037 PRB: Session Variables Are Lost When ASP Is Located in Frameset
For more information about how to create a stateful session with HTTP requests and responses, see the following online documentation:


Article ID: 184574 - Last Review: August 18, 2006 - Revision: 4.2
  • Microsoft Active Server Pages 2.0
  • Microsoft Active Server Pages 3.0
  • Microsoft Internet Information Server 4.0
  • Microsoft Internet Information Services 5.0
kbaspobj kbcookie kbinfo kbstate KB184574

Give Feedback


Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from