In my classic ASP application, the ASP session ID related cookie gets lost when the client closes his browser, Even thought the session didn't timeout. So...
在我的经典ASP应用程序中,当客户端关闭浏览器时,与ASP会话ID相关的cookie会丢失,甚至认为会话没有超时。所以...
How to make ASP session ID cookie to remain the same even if the clients closes his browser?
即使客户端关闭浏览器,如何使ASP会话ID cookie保持不变?
5 个解决方案
#1
When you start a new browser session and browse to your site, classic ASP will detect that there is no ASP session cookie and will create a new session for you (as you have already experienced).
当您启动新的浏览器会话并浏览到您的站点时,经典ASP将检测到没有ASP会话cookie并将为您创建一个新会话(正如您已经体验过的那样)。
Session cookies are just that, they exist for the lifetime of the session. When you close your browser the session cookie will be deleted (even though your session state on the server will live on as an orphaned session until Session.Timeout expires - unless you present the same session cookie again within the Session.Timeout period).
会话cookie就是这样,它们在会话的生命周期中存在。当您关闭浏览器时,会删除会话cookie(即使您的服务器上的会话状态将作为孤立会话继续存在,直到Session.Timeout到期 - 除非您在Session.Timeout期间再次呈现相同的会话cookie)。
The only way to extend the lifetime of the ASP session cookie across new browser sessions/instances would be to alter the cookie lifetime using script on the browser/client.
在新的浏览器会话/实例中延长ASP会话cookie生命周期的唯一方法是使用浏览器/客户端上的脚本来改变cookie生存期。
If you're looking to manage state across events such as the browser closing, you'll need implement your own state management mechanism (persist state to a database for example) and use a regular cookie with a long lifetime (or with a sliding expiration where you extend the lifetime by a small amount of time on each request in your server side script) to match state to the user.
如果您希望在浏览器关闭等事件中管理状态,则需要实现自己的状态管理机制(例如,持久化状态到数据库)并使用具有较长生命周期的常规cookie(或者具有滑动到期时间)您在服务器端脚本中的每个请求上延长生命周期的时间,以使状态与用户匹配。
Edit:
The following article has a script to modify the session cookie (scroll down to Cookie Expiration):
以下文章有一个脚本来修改会话cookie(向下滚动到Cookie Expiration):
- ASP Session Cookies (Plynt), via archive.org
ASP Session Cookies(Plynt),通过archive.org
But as Shoban correctly points out there is a risk of Session Fixation (OWASP). You can however go some way to protect yourself against this:
但正如Shoban正确指出的那样,存在会话固定(OWASP)的风险。但是,你可以采取某种方式来保护自己免受这种伤害:
- Session Fixation Protection (OWASP)
会话固定保护(OWASP)
I'd also add some caveats, if your application is storing sensitive data (credit cards, financials, medical etc) then I'd suggest not doing this and live with the fact that your user will have to logon again and start a new session. Better safe than sorry.
我还要补充一些注意事项,如果你的应用程序存储敏感数据(信用卡,财务,医疗等),那么我建议不要这样做,并考虑到你的用户必须再次登录并开始一个新的会话。比抱歉更安全。
#2
"Session cookie" is the clue: when the user closes their browser they are ending their session.
“会话cookie”是线索:当用户关闭他们的浏览器时,他们正在结束他们的会话。
The server timeout exists because the server has no way of knowing that the user ended the session, so it works on the basis that if they don't come back for a while, the session must be over.
服务器超时存在是因为服务器无法知道用户是否结束了会话,因此它的工作原理是,如果他们暂时不回来,则会话必须结束。
If you want a persistent cookie, you'll have to set it yourself; but there's no way of preventing the user from ending their session.
如果你想要一个持久性cookie,你必须自己设置它;但是没有办法阻止用户结束他们的会话。
#3
You can increase the session time out.
您可以增加会话时间。
Session.Timeout[=nMinutes]
http://www.asp101.com/articles/john/sessionsend/default.asp
<%
Response.Cookies("firstname")="Alex"
Response.Cookies("firstname").Expires=#May 10,2012#
%>
Wont this work??
不会这个工作?
#4
Isn't that by design?
这不是设计?
Maybe you want to use a normal cookie instead?
也许你想使用普通的cookie代替?
#5
You need to persist the session cookie as, for security reasons, you can't access the session between browsers (be it two different browsers, or the same one closed and re-opened).
您需要保留会话cookie,因为出于安全原因,您无法访问浏览器之间的会话(无论是两个不同的浏览器,还是同一个关闭并重新打开的浏览器)。
Normally, you would store the details server side and use a client side cookie that contains a simple id to retrieve the information.
通常,您将存储详细信息服务器端并使用包含简单ID的客户端cookie来检索信息。
#1
When you start a new browser session and browse to your site, classic ASP will detect that there is no ASP session cookie and will create a new session for you (as you have already experienced).
当您启动新的浏览器会话并浏览到您的站点时,经典ASP将检测到没有ASP会话cookie并将为您创建一个新会话(正如您已经体验过的那样)。
Session cookies are just that, they exist for the lifetime of the session. When you close your browser the session cookie will be deleted (even though your session state on the server will live on as an orphaned session until Session.Timeout expires - unless you present the same session cookie again within the Session.Timeout period).
会话cookie就是这样,它们在会话的生命周期中存在。当您关闭浏览器时,会删除会话cookie(即使您的服务器上的会话状态将作为孤立会话继续存在,直到Session.Timeout到期 - 除非您在Session.Timeout期间再次呈现相同的会话cookie)。
The only way to extend the lifetime of the ASP session cookie across new browser sessions/instances would be to alter the cookie lifetime using script on the browser/client.
在新的浏览器会话/实例中延长ASP会话cookie生命周期的唯一方法是使用浏览器/客户端上的脚本来改变cookie生存期。
If you're looking to manage state across events such as the browser closing, you'll need implement your own state management mechanism (persist state to a database for example) and use a regular cookie with a long lifetime (or with a sliding expiration where you extend the lifetime by a small amount of time on each request in your server side script) to match state to the user.
如果您希望在浏览器关闭等事件中管理状态,则需要实现自己的状态管理机制(例如,持久化状态到数据库)并使用具有较长生命周期的常规cookie(或者具有滑动到期时间)您在服务器端脚本中的每个请求上延长生命周期的时间,以使状态与用户匹配。
Edit:
The following article has a script to modify the session cookie (scroll down to Cookie Expiration):
以下文章有一个脚本来修改会话cookie(向下滚动到Cookie Expiration):
- ASP Session Cookies (Plynt), via archive.org
ASP Session Cookies(Plynt),通过archive.org
But as Shoban correctly points out there is a risk of Session Fixation (OWASP). You can however go some way to protect yourself against this:
但正如Shoban正确指出的那样,存在会话固定(OWASP)的风险。但是,你可以采取某种方式来保护自己免受这种伤害:
- Session Fixation Protection (OWASP)
会话固定保护(OWASP)
I'd also add some caveats, if your application is storing sensitive data (credit cards, financials, medical etc) then I'd suggest not doing this and live with the fact that your user will have to logon again and start a new session. Better safe than sorry.
我还要补充一些注意事项,如果你的应用程序存储敏感数据(信用卡,财务,医疗等),那么我建议不要这样做,并考虑到你的用户必须再次登录并开始一个新的会话。比抱歉更安全。
#2
"Session cookie" is the clue: when the user closes their browser they are ending their session.
“会话cookie”是线索:当用户关闭他们的浏览器时,他们正在结束他们的会话。
The server timeout exists because the server has no way of knowing that the user ended the session, so it works on the basis that if they don't come back for a while, the session must be over.
服务器超时存在是因为服务器无法知道用户是否结束了会话,因此它的工作原理是,如果他们暂时不回来,则会话必须结束。
If you want a persistent cookie, you'll have to set it yourself; but there's no way of preventing the user from ending their session.
如果你想要一个持久性cookie,你必须自己设置它;但是没有办法阻止用户结束他们的会话。
#3
You can increase the session time out.
您可以增加会话时间。
Session.Timeout[=nMinutes]
http://www.asp101.com/articles/john/sessionsend/default.asp
<%
Response.Cookies("firstname")="Alex"
Response.Cookies("firstname").Expires=#May 10,2012#
%>
Wont this work??
不会这个工作?
#4
Isn't that by design?
这不是设计?
Maybe you want to use a normal cookie instead?
也许你想使用普通的cookie代替?
#5
You need to persist the session cookie as, for security reasons, you can't access the session between browsers (be it two different browsers, or the same one closed and re-opened).
您需要保留会话cookie,因为出于安全原因,您无法访问浏览器之间的会话(无论是两个不同的浏览器,还是同一个关闭并重新打开的浏览器)。
Normally, you would store the details server side and use a client side cookie that contains a simple id to retrieve the information.
通常,您将存储详细信息服务器端并使用包含简单ID的客户端cookie来检索信息。