3

I maintain a Classic ASP website, hosted on IIS6 (or rather: I'm stuck maintaining it). For some time now I have noticed that Session Cookies are "collecting" in this site:

Proof

I have fiddled with the Application Pool Recycling interval and restarting IIS completely etc. but, somehow, this problem keeps persisting. At first there seems to be only one cookie and even after browsing the site for a while there's still just one cookie. And then, some time later (as in days, weeks) I notice, again, that the cookie contains many ASPSESSIONIDXXX cookies.

I do NOT experience any session-loss or anything; everything works fine and as expected. It's just that my cookie keeps growing with this session garbage. The problem exists across all browsers (indicating a problem in the website/webserver).

I have looked at this question - the website is not in any "webgarden" or app pool with more than one process or on more than one server. There are also no proxy-servers in play or anything.

There's some Session(...) code sprinkled around the project, I've looked at it, but there's nothing strange going on anywhere other than Session("FOO") = bar and bar = Session("FOO").

I'm looking for either:

a) A solution to this problem
b) A workaround: a (decent) way to delete all these cookies except the "current" one

RobIII
  • What is your session timeout setting? – John Sep 06 '13 at 11:09
  • We get the same problem - I would also like to know why – Graham Sep 06 '13 at 14:32
  • @John 20 minutes, so (the) default. – RobIII Sep 06 '13 at 14:45
  • Is it causing an actual problem? I agree that it is odd, and that it warrants some investigation, but I wouldn't worry too much if it's not causing actual harm to the operation of the site. – AnonJr Sep 06 '13 at 20:39
  • 2
    It's not an actual problem but I *am* investigating. Also, with each request a cookie that is 25x the size it should be (or would have to be) is sent, which bugs me. – RobIII Sep 06 '13 at 20:55

1 Answer

0

Note that, no matter what you set as the recycling interval, IIS will restart applications after a certain amount of time (a few days usually), and/or after a period of inactivity, and when that happens, session cookies will be lost/regenerated. You can configure IIS (7) to log when an application recycles by selecting the application pool in question and going to 'advanced settings->recycling->generate recycle event log entry'; then you'll be able to see in the Event Viewer when/why an application recycled.

Also, in IIS under ASP->Services->Session->New ID on Secure Connection, make sure it's false or you'll have different session cookies depending on whether the page is http or https.

I found this post in which someone coded a workaround to delete those cookies that might help you... http://forums.iis.net/t/1155657.aspx

Rodolfo