Microsoft KB Archive/163010

= How To Disable Cookies That Are Sent by Active Server Pages =

Article ID: 163010

Article Last Modified on 2/10/2006

-

APPLIES TO


 * Microsoft Active Server Pages 4.0
 * Microsoft Internet Information Server 4.0

-



This article was previously published under Q163010



We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/prodtech/IIS.mspx



SUMMARY
Active Server Pages (ASP) uses cookies to track SessionIDs. As a result, the browser is sent a cookie when a new session is created. Typically this occurs the first time a particular client requests an ASP page in your Web application. If Internet Explorer is configured to "Warn before accepting cookies," you will see a warning dialog box when this SessionID cookie is sent to the browser. This article explains how to prevent ASP from sending these cookies.

NOTE: Disabling SessionID cookies is not recommended because it seriously limits the functionality of Active Server Pages.



MORE INFORMATION
Active Server Pages provides a configurable registry setting that can be used to disable Session State. The following registry value controls Session State:

 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services \W3SVC\ASP\Parameters\AllowSessionState

If you set AllowSessionState to 0, ASP no longer sends SessionID cookies to the browser.

WARNING: Setting AllowSessionState to 0 disables the use of sessions in your Web application. This means that you will not be able to store or retrieve session variables. If your Web application uses session variables, as most do, your pages will no longer function properly. In addition, you will encounter scripting errors in the server-side scripts, which use session variables.

