Managing Sessions in ASP
This section describes how sessions work in ASP applications, and how you can create and manages sessions.
One of the challenges to developing a successful Web application is maintaining user information over the course of a visit, or session, as the user travels from page to page in an application. HTTP is a stateless protocol, meaning that your Web server treats each HTTP request for a page as an independent request; the server retains no knowledge of previous requests, even if they occurred only seconds prior to a current request. This inability to remember previous requests means that it is this difficult to write applications, such as an online catalog, where the application may need to track the catalog items a user has selected while jumping between the various pages of the catalog.
ASP provides a unique solution for the problem of managing session information. Using the ASP Session Object object and a special user ID generated by your server, you can create clever applications that identify each visiting user and collect information that your application can then use to track user preferences or selections.
ASP shares a pool of session identification cookies between all applications within the same process. A malicious user can manipulate an established session cookie from an application to which they have valid access and use it to gain access to another application within the same process. This can only happen if the session identification cookie is unencrypted. To ensure that never happens, always use Secure Sockets Layer (SSL) with application that use session cookies. For information on configuring SSL for your application, see "Secure Sockets Layer" in IIS Help, which is accessible from IIS Manager.
This section includes the following topics: