Cookie problem Sessionid get doubled

[Christoph Pieper]

Hi,

we've the following problem :

We have an asp-application which sets the cookie on first login. The cookie
will never be touched during user access. The user can work the whole day,
but after 6 to 7 hours, the cookie get 2-4 new asp-sessionid's thus
overwriting the very first entries in the cookie. Does anyone had the same
problem or has a solution. The server is a w2003 enterprise the client has
windows xp sp2.

Regards

Christoph

 

[Ray Costanzo [MVP]]

What are you storing in the cookie? I don't really understand what you're
saying here with the cookie getting 2-4 session IDs.

Ray at work

 

[Christoph Pieper]

Hi,

we store here the user login data , and other important data. this data will
be cleaned out if we get the 3 or 4 new sessionids (and we don't know how
they get there, 'cause we only read the data on a session timeout). so if we
get a session timeout, we could read the data from the cookie again and
restore the session.

Regards

Christoph

 

[Kyle Peterson]

the way your explaining it does not make sense

 

[Mark Schupp]

Do you mean ASP session ids (as in Session.SessionID). That ID will only
change if the browser fails to send the session cookie. IIS will then
generate a new one. It should have no effect on your cookie unless you reset
your cookie data when a new ASP session starts.

Is your cookie a disk cookie (has an expiration date) or a memory cookie (no
expiration date)?

 

[Christoph Pieper]

Hi Mark,

thx for your reply. Yes the sessionID (session.sessionid) is changing and is
written in addition into the cookie. How can this happen since we do only
create in one time. the session does not terminate, and we do not access the
cookie again (tested). Why should the browser fail to send the session cookie
? the cookie has an expiration date of 24hours from login on.

regards

christoph

 

[Mark J. McGinty]

Hi Mark,

thx for your reply. Yes the sessionID (session.sessionid) is changing and
is
written in addition into the cookie. How can this happen since we do only
create in one time. the session does not terminate, and we do not access
the
cookie again (tested). Why should the browser fail to send the session
cookie
? the cookie has an expiration date of 24hours from login on.

You said you don't access the cookie until the session has timed out. At
that point the session ID is invalid to IIS, so it generates another ID for
the new session. The cookie doesn't expire for 24 hours, but the default
ASP session timeout is 20 minutes. So IE is sending all of the session ids
along with the rest of the cookie, it's just that all but one are no longer
meaningful to the server.

If you had a way to to tell which sessionid was older, you might be able to
set the expired one to zero length. Or, when you detect that you've
accumulated too much sessionid baggage, you could expire the cookie, post
the info back to yourself (like with a refresh pragma, or by emitting some
client script) and then create a new cookie out of the info you posted to
yourself.


-Mark