Lesson 12: Sessions
When you visit a website, you do a number of different things. You click from one page to another. Perhaps you also fill out a form or purchase a product.
As a web developer, such information is of great importance to developing successful web solutions.
Suppose, for example, that you want to make a site where some pages are protected with login and password. To make this protection effective, the password-protected pages should have access to information on whether the user has logged in at an earlier time. You must, in other words, be able to "remember" what the user did earlier.
This is exactly what this lesson is about - how you can use Sessions in ASP to store and retrieve information during a user's visit to your site.
Session object
The 
Session object allows you to manage information about a user's session. You can write smart applications that can identify and gather information about users.
A session can begin in different ways. We will not go into technical details here but focus on the case where a session starts by a value is being stored in the Session object. A session ends/dies if the user hasn't requested any pages within in a certain timeframe (by the standard 20 minutes). Of course, you can also always end/kill a session in your script.
Let us say, 50 people are clicking around on the same site, eg. a web shop, at the same time. Information on what they each of them have in their shopping cart would best be stored in the Session object. In order to identify the individual users the server uses a unique user ID that is stored in a cookie. A cookie is a small text file stored on the user's computer - more about cookies in lesson 13. Therefore, sessions often require support of cookies in the user's browser.
An example of using sessions
When you requested this page, I stored the current time in a session. I did this so that I can now show you an example of how a session works.
I named the item "StartTime" and stored it by adding the following line in my ASP script:
<% Session ("StartTime") = Now %>
Thereby, a session was started. As described above, each session is given an ID by the server.
Your session has the following ID: ggnefs9fqt4djbvi61p9tofak4
At any time, I can call the "StartTime" from the session by writing:
<% Response.Write Session("StartTime") %>
Which would reveal that the page was requested at 4/25/2024 7:38:09 (according to the clock on this web server).
But what is interesting is that the information remains in the Session object, even after you have left this page. The information will follow you until your session ends.
By default, a session lasts for 20 minutes, then it dies automatically. But if you want a session to last longer or shorter, you can define the desired time in minutes this way:
<% Session.Timeout = 60 %>
In this case, the session will last for 60 minutes before it dies. Too many sessions at the same time overload the server. Therefore, you should not let sessions run longer than necessary.
If you want to stop a session, it can always be killed in this way:
<% Session.Abandon %>
Let us try to look at another example where sessions are used: a password solution.
Login system with sessions
In the following example, we will make a very simple login system. We will use many of the things they have learned in previous lessons.
The first thing we need is a form where people can enter their username and password. It could look like this:
<html> <head> <title>Login</title> </head> <body> <form method="post" action="login.asp"> <p>Username: <input type="text" name="username" /></p> <p>Password: <input type="text" name="password" /></p> <p><input type="submit" value="Let me in" /></p> </form> </body> </html>
Then we create the file login.asp.
In this file, we check whether it is the correct username and password that has been entered. If that is the case, we set a session that says that this user is logged in with the correct username and password.
<html> <head> <title>Login</title> </head> <body> <% ' Check if username and password are correct If Request.Form("username") = "asp" AND Request.Form("password") = "asp" Then ' If correct, we set the session to YES Session("login") = "YES" Session.Timeout = 30 Response.Write "<h1> You are now logged in</h1>" Response.Write "<p><a href='document.asp'>Link to protected file</a> </p>" Else 'If not correct, we set the session to NO Session("login") = "NO" Session.Timeout = 30 Response.Write "<h1>You are NOT logged in</h1>" Response.Write "<p> <a href='document.asp'>Link to protected file</a></p>" End If %> </body> </html>
In the protected files, we want to check whether the user is logged in properly. If this is not the case, the user is sent back to the login form. This is how the protection is made:
<% ' If the user is not logged in ' send him/her to the login form If Session ("login") <>"YES" Then Response.Redirect "form.asp" End If %> <html> <head> <title>Login</title> </head> <body> <h1>This document is protected</h1> <p>You can only see it if you are logged in.</p> </body> </html>
Now you've been introduced to the Session object. In the next lesson we are in same alley and take a closer look at cookies.