Classic ASP: Multiple ASPSESSIONID in cookies

swervedriver picture swervedriver · Oct 8, 2012 · Viewed 18.9k times · Source

I have a problem with a classic asp page and I just cannot solve it since 3 days.

The page is working with Sessions - sometimes it happens that the ASPSESSIONID cookie is set twice in the Request.ServerVariables("HTTP_COOKIE"). This causes the ASP-Page to jump between the two Sessions when the page is refreshed.

I have written an Test page which outputs the current SessionId, the Server Software and the HTTP_COOKIE value.

Sample Output:


Session ID: 308542840

Session Timeout: 20 minutes

Server Software: Microsoft-IIS/6.0

HTTP_COOKIE: ASPSESSIONIDQCBATRAD=MBHHDGCBGGBJBMAEGLDAJLGF; ASPSESSIONIDQCCDTTCB=PGHPDGCBPLKALGGKIPOFIGDM


Why are there two ASPSESSIONIDs? When I refresh the page then it randomly outputs one of the two Session IDs.

Here is a screencast which shows the problem in IE9: http://prinz-alexander.at/asp_test.avi

This error often occurs in ie8 and ie9.

Just do the following to recreate the Problem:

  1. Completely close IE8 or IE9
  2. Start IE8 or IE9 and open http://www.pfiffikus.at/pfiffikus/tests/
  3. Immediatly after the page is loaded refresh the page mutiple times

If you repeat this steps then randomly (not always) the HTTP_COOKIE is populated with two different ASPSESSIONIDs.

The asp test file is only outputing the mentiod values, nothing else is happening in the source code.

This is the code of the asp test file:

<% If trim(Session("test_val")) = "" Then
     Dim my_num
     Randomize
     number = Int((rnd*1000))+1
     Session("test_val") = number
   End If
%>

<b>Session ID:</b>
<% response.write(Session.SessionId) %><br /><br />

<b>Session("test_val"):</b>
<% response.write(Session("test_val")) %><br /><br />

<b>Session Timeout:</b>
<% response.write(Session.Timeout) %> minutes<br /><br />

<b>Server Software:</b>
<% response.write(Request.ServerVariables("SERVER_SOFTWARE")) %><br /> <br />

<b>HTTP_COOKIE:</b> <% response.write(Request.ServerVariables("HTTP_COOKIE")) %>

How can i avoid multiple ASPSESSIONIds in cookies?

Thanks for any help!

Answer

Anton Palyok picture Anton Palyok · Oct 31, 2013

I was able to remove those cookies with Javascript.

Just add next script to the end of login page. This will remove all "ASPSESSIONIDXXXXXXX" cookies before user will login to website:

<script type="text/javascript">
    //Clear any session cookies
    (function(){
        var cookiesArr = document.cookie.split("; ");
        for (var i = 0; i < cookiesArr.length; i++) {
            var cItem = cookiesArr[i].split("=");
            if (cItem.length > 0 && cItem[0].indexOf("ASPSESSIONID") == 0) {
                deleteCookie(cItem[0]);
            }
        }

        function deleteCookie(name) {
            var expDate = new Date();
            expDate.setTime(expDate.getTime() - 86400000); //-1 day
            var value = "; expires=" + expDate.toGMTString() + ";path=/";
            document.cookie = name + "=" + value;
        }
    })();
</script>