Chapter 36: ASP Session
1. What is the Session Object in Classic ASP?
The Session object is a server-side storage area that is unique for each visitor (more precisely: for each browser session).
It lets you store data on the server that:
- is automatically tied to one specific user/browser
- survives across multiple page requests
- becomes unreachable when the user closes the browser (the session cookie is discarded) and is destroyed on the server after the timeout or Session.Abandon
In simple words:
- Cookies store small data on the browser
- Session stores data on the server and gives the browser only an opaque session ID (in a cookie) with which to look it up
Classic ASP creates a Session ID automatically (stored in a cookie named ASPSESSIONIDxxxxxxxx, where xxxxxxxx is a random suffix) and uses it to link the browser to its private server-side storage. Whoever presents that cookie gets that storage, so the ID has to be protected as carefully as a password: send it only over HTTPS and never put it in a URL or a log line.
2. Core Properties & Methods You Must Know
| Property / Method | What it does | Example |
|---|---|---|
| Session("key") = value | Store a string, number, boolean or array (objects need Set Session("key") = obj) | Session("UserName") = "Rahul" |
| value = Session("key") | Read a stored value (Empty if the key was never set) | name = Session("UserName") |
| Session.Contents.Remove("key") | Delete one item | Session.Contents.Remove("Cart") |
| Session.Contents.RemoveAll | Delete all items in this session | Session.Contents.RemoveAll |
| Session.Abandon | Destroy the entire session (takes effect when the current page finishes) | Session.Abandon (logout) |
| Session.Timeout | Idle minutes before the session expires (default 20) | Session.Timeout = 30 |
| Session.SessionID | Read the unique session ID string | For logging/debugging only; never expose it in a page |
3. Basic Example 1 – Simple Login “Remember Me” with Session
File: login.asp
```asp
<%@ Language=VBScript %>
<% Option Explicit %>
<!DOCTYPE html>
<html>
<body>
<h2>Login Page</h2>
<%
If Request.Form("username") <> "" Then
    Dim u, p
    u = Trim(Request.Form("username"))
    p = Trim(Request.Form("password"))

    ' Dummy check (in real life: database check)
    If u = "admin" And p = "secret123" Then
        Session("LoggedIn") = True
        Session("UserName") = u
        Session.Timeout = 60   ' 60 minutes of idle time (longer than the 20-minute default; see section 5)
        Response.Redirect "welcome.asp"
    Else
        Response.Write "<p style='color:red;'>Invalid username or password!</p>"
    End If
End If
%>
<form method="post" action="login.asp">
    Username: <input type="text" name="username"><br>
    Password: <input type="password" name="password"><br>
    <input type="submit" value="Login">
</form>
</body>
</html>
```
File: welcome.asp (protected page)
```asp
<%@ Language=VBScript %>
<% Option Explicit %>
<!DOCTYPE html>
<html>
<body>
<%
' Response.Redirect ends the page, so nothing below runs for an anonymous visitor
If Session("LoggedIn") <> True Then
    Response.Redirect "login.asp"
End If
Response.Write "<h1>Welcome back, " & Server.HTMLEncode(Session("UserName")) & "!</h1>"
Response.Write "<p>You are logged in (Session is active).</p>"
Response.Write "<p><a href='logout.asp'>Logout</a></p>"
%>
</body>
</html>
```
File: logout.asp
```asp
<%
Session.Abandon
Response.Redirect "login.asp"
%>
```
What happens:
- User logs in → Session variables are set
- Every protected page checks Session("LoggedIn") → redirects to login.asp if it is missing or not True
- Logout → Session.Abandon destroys the server-side session once logout.asp finishes; the browser still holds its ASPSESSIONID cookie, but it no longer maps to any data
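The "check Session("LoggedIn") on every page" step above is usually centralised in one include file. The following is an added example, not code from the original page: an auth_check.asp that a protected page pulls in with <!--#include file="auth_check.asp"--> and then calls as RequireLogin "admin". It adds what the plain check lacks: an absolute session lifetime (Session.Timeout only measures idle time), a re-check of the account against the user store on every request, and a role check taken from the store rather than from the client. The LookupUserStatus table, the reason codes and the extra Session keys (LoginTime, LastSeen) are constructed for this example; login.asp would have to set Session("LoginTime") = Now after a successful password check.

```asp
<%
' auth_check.asp (added example). Include at the top of every protected page:
'   <!--#include file="auth_check.asp"-->
'   <% RequireLogin "admin" %>        ' or RequireLogin "" for any logged-in user
' Assumes login.asp sets Session("LoggedIn"), Session("UserName") and
' Session("LoginTime") = Now after a successful check, and clears any pre-login
' state first with Session.Contents.RemoveAll (Classic ASP cannot rotate the
' session ID itself, so dropping seeded state is the only fixation defence here).

Const ABSOLUTE_LIFETIME_MINUTES = 480   ' hard cap, independent of Session.Timeout
Const IDLE_LIMIT_MINUTES = 20

' Constructed stand-in for "SELECT status, role FROM users WHERE username = ?".
Function LookupUserStatus(userName)
    Dim users
    Set users = Server.CreateObject("Scripting.Dictionary")
    users.CompareMode = vbTextCompare     ' user names are case-insensitive here
    users("admin")   = "active|admin"
    users("rahul")   = "active|user"
    users("olduser") = "disabled|user"
    If users.Exists(userName) Then
        LookupUserStatus = users(userName)
    Else
        LookupUserStatus = "missing|"
    End If
End Function

Sub RejectAndRedirect(reason)
    ' Wipe server-side state before sending the visitor back to the login page.
    Session.Contents.RemoveAll
    Session.Abandon
    Response.Redirect "login.asp?reason=" & Server.URLEncode(reason)   ' ends the page
End Sub

Sub RequireLogin(requiredRole)
    Dim parts

    If Session("LoggedIn") <> True Then RejectAndRedirect "not_logged_in"

    ' Absolute lifetime: a session kept alive by constant requests would
    ' otherwise never expire. A missing LoginTime counts as expired (fail closed).
    If DateDiff("n", Session("LoginTime"), Now) > ABSOLUTE_LIFETIME_MINUTES Then
        RejectAndRedirect "session_expired"
    End If

    ' Application-level idle check, so the limit does not depend on IIS settings.
    If Not IsEmpty(Session("LastSeen")) Then
        If DateDiff("n", Session("LastSeen"), Now) > IDLE_LIMIT_MINUTES Then
            RejectAndRedirect "idle_timeout"
        End If
    End If
    Session("LastSeen") = Now

    ' Re-validate against the user store on every request: a disabled or deleted
    ' account must lose access now, not when its session happens to time out.
    parts = Split(LookupUserStatus(Session("UserName")), "|")
    If parts(0) <> "active" Then RejectAndRedirect "account_inactive"

    ' Authorise from the store's role, never from a value the browser supplied.
    If requiredRole <> "" Then
        If StrComp(parts(1), requiredRole, vbTextCompare) <> 0 Then
            Response.Status = "403 Forbidden"
            Response.Write "<p>Access denied.</p>"
            Response.End
        End If
    End If
End Sub
%>
```

Every rejection path calls Session.Abandon and redirects, so a request that fails any check leaves no usable state behind; the reason code in the query string is informational only and must not be trusted by login.asp for anything beyond choosing a message.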
4. Example 2 – Shopping Cart Using Session (Very Common Pattern)
```asp
<!-- add_to_cart.asp -->
<%
Dim itemID, qty, cart
itemID = Request.QueryString("item")
qty = Request.QueryString("qty")

If itemID <> "" And IsNumeric(qty) Then
    qty = CInt(qty)   ' CInt raises an error above 32767; real code should bound-check first
    ' Store the cart in Session as a Scripting.Dictionary (item ID -> quantity)
    If IsEmpty(Session("Cart")) Then
        Set Session("Cart") = Server.CreateObject("Scripting.Dictionary")
    End If
    Set cart = Session("Cart")   ' a reference: changes to cart land in the session
    cart(itemID) = qty
End If
Response.Redirect "cart.asp"
%>

<!-- cart.asp -->
<%
Dim cart, item, qty, total
total = 0
If Not IsEmpty(Session("Cart")) Then
    Set cart = Session("Cart")
%>
<table border="1">
<tr><th>Item ID</th><th>Quantity</th></tr>
<%
    For Each item In cart.Keys
        qty = cart(item)
        Response.Write "<tr>"
        Response.Write "<td>" & Server.HTMLEncode(item) & "</td>"   ' item came from the URL: encode it
        Response.Write "<td>" & qty & "</td>"
        Response.Write "</tr>"
        total = total + qty * 100   ' dummy price
    Next
%>
</table>
<p><strong>Total items: <%= cart.Count %></strong></p>
<p><strong>Grand total (dummy): ₹<%= total %></strong></p>
<%
Else
    Response.Write "<p>Your cart is empty.</p>"
End If
%>
```
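The cart above accepts any item string and any numeric quantity from a GET request. As an added example (not part of the original page), here is the same add-to-cart step hardened the way a practitioner would do it: state changes only via POST, the item must exist in a server-side catalog, the quantity must be a small whole number, a quantity of 0 removes the line, and the total is priced from the catalog rather than from a dummy constant. The catalog contents, the 0..99 bound and the CartTotal helper are constructed for this example; cart.asp from section 4 can call CartTotal(Session("Cart"), LoadCatalog()) in place of the "qty * 100" line.

```asp
<!-- add_to_cart.asp (added example, hardened version) -->
<%
Option Explicit

' Constructed stand-in for a product table: item ID -> unit price in rupees.
' In a real application this is a database lookup.
Function LoadCatalog()
    Dim c
    Set c = Server.CreateObject("Scripting.Dictionary")
    c("A100") = 250
    c("A200") = 1200
    c("B300") = 75
    Set LoadCatalog = c
End Function

' True (and qtyOut set) only when s is a whole number from 0 to 99; 0 means "remove".
' Digit-by-digit check instead of IsNumeric, which also accepts "1e2", "&H10" and "-5".
Function ParseQuantity(s, ByRef qtyOut)
    Dim i
    ParseQuantity = False
    If Len(s) = 0 Or Len(s) > 2 Then Exit Function
    For i = 1 To Len(s)
        If InStr("0123456789", Mid(s, i, 1)) = 0 Then Exit Function
    Next
    qtyOut = CLng(s)
    ParseQuantity = True
End Function

' Returns the session's cart Dictionary, creating it on first use.
Function GetCart()
    If IsEmpty(Session("Cart")) Then
        Set Session("Cart") = Server.CreateObject("Scripting.Dictionary")
    End If
    Set GetCart = Session("Cart")
End Function

' Prices every line from the catalog; nothing the client sent is used as a price.
Function CartTotal(cart, catalog)
    Dim k, total
    total = 0
    For Each k In cart.Keys
        If catalog.Exists(k) Then total = total + cart(k) * catalog(k)
    Next
    CartTotal = total
End Function

Dim catalog, cart, itemID, qty
Set catalog = LoadCatalog()

' State changes only via POST, so merely visiting a link cannot alter the cart.
If Request.ServerVariables("REQUEST_METHOD") <> "POST" Then
    Response.Status = "405 Method Not Allowed"
    Response.End
End If

itemID = Trim(Request.Form("item"))
If Not catalog.Exists(itemID) Then
    Response.Status = "400 Bad Request"
    Response.Write "Unknown item."
    Response.End
End If

If Not ParseQuantity(Trim(Request.Form("qty")), qty) Then
    Response.Status = "400 Bad Request"
    Response.Write "Quantity must be a whole number from 0 to 99."
    Response.End
End If

Set cart = GetCart()
If qty = 0 Then
    If cart.Exists(itemID) Then cart.Remove itemID
Else
    cart(itemID) = qty
End If

Response.Redirect "cart.asp"
%>
```

Rejected input gets a 4xx status instead of a silent redirect, which makes tampering visible in the IIS logs. Requiring POST blocks the drive-by link case but is not a full CSRF defence on its own; that needs a per-session token checked on every state-changing request, which Classic ASP does not provide out of the box.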
5. Important Security & Best Practice Rules
- Never store secrets (passwords, card numbers) in Session; keep only user IDs or references to server-side records
- Keep Session.Timeout at 20 minutes or lower for security-sensitive apps; it counts idle time since the last request, not time since login, so enforce an absolute lifetime yourself if you need one
- Call Session.Abandon on logout; otherwise the server-side data lives until the timeout. Abandon takes effect after the current page finishes, and the browser keeps its ASPSESSIONID cookie afterwards
- Classic ASP has no call to issue a fresh session ID at login, so run Session.Contents.RemoveAll before setting LoggedIn to discard any state planted before authentication, and verify in the Set-Cookie header that the ASPSESSIONID cookie carries the Secure and HttpOnly flags (the Secure flag is governed by the keepSessionIdSecure setting under system.webServer/asp/session in IIS 7 and later)
- Session("key") is case-insensitive (UserName = username)
- Use IsEmpty(Session("key")) or Session("key") = "" to check existence; a never-set key reads back as Empty, not as an error
- Session.Contents.RemoveAll clears all variables but keeps the session alive
- Storing a COM object such as Scripting.Dictionary in Session works but pins that session to one worker thread; keep such objects small or prefer arrays
- In real apps always combine Session with a database check on every protected page, so a disabled account loses access immediately
6. Teacher Summary – ASP Session Object in Classic ASP
ASP Session Object means:
- Server-side storage unique per user/browser
- Set with Session("key") = value (Set Session("key") = obj for objects)
- Read with value = Session("key")
- Survives across pages until the browser session ends, Session.Abandon is called, or the idle timeout passes
- Default timeout 20 idle minutes; change with Session.Timeout = n
- Can store strings, numbers, arrays, dictionaries, objects
- Used for login state, shopping carts, multi-step wizards, user preferences
- Always check existence before using (If Session("LoggedIn") = True Then)
- Never trust Session alone for security; re-validate critical actions against the database
This is how millions of websites remembered users, carts, and workflows in the 2000s — and many legacy Indian banking, ERP, government, and small-business systems still use exactly this Session pattern in 2026.
Next class?
- Want a full login + role-based menu using Session + database?
- Or how to store objects/arrays in Session safely?
- Or compare Classic ASP Session vs modern ASP.NET Core Session?
- Or move to the next W3Schools topic (ASP Application Object)?
Just tell me — I’m here! 🚀🇮🇳 Keep learning strong, Webliance! 😊
