Microsoft KB Archive/244465

= HOW TO: Turn Off ASP Session State in Active Server Pages and IIS =

Article ID: 244465

Article Last Modified on 11/21/2006

-

APPLIES TO


 * Microsoft Active Server Pages 4.0
 * Microsoft Internet Information Server 4.0
 * Microsoft Internet Information Services 5.0
 * Microsoft Internet Information Services 5.1

-



This article was previously published under Q244465



We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/prodtech/IIS.mspx



IN THIS TASK
SUMMARY
 * Turn Off ASP Session State on an IIS 4.0 Web Site
 * Turn Off ASP Session State on an IIS 5.0 Web Site
 * Turn Off ASP Session State on an IIS 5.1 Web Site
 * Turn Off ASP Session State on a Specific ASP Page

REFERENCES



SUMMARY
This step-by-step article describes how to improve the performance of your Web server by turning off Active Server Pages (ASP) session state.

The Web server with ASP automatically creates a Session object when a Web page from the application is requested by a user who does not already have a session. The server destroys the Session object when the session expires or is abandoned, and when session state is turned off, ASP does not track users and does not permit an ASP script to store information in the Session object or use the Session_OnStart or Session_OnEnd events. These Session objects consume valuable resources. By turning off sessions, you can improve the performance and scalability of your ASP Web application. You can turn off session state either for the whole Web site or for specific ASP pages.

NOTE: Sessionless applications do not do the following:
 * Execute Session_OnStart procedures.
 * Send session ID cookies.
 * Access built-in Session objects or session scope objects that are created with the  tag.
 * Serialize execution with other session requests.

back to the top

Turn Off ASP Session State on an IIS 4.0 Web Site
To turn off sessions for the ASP Web application at the Web site level by using IIS 4.0:
 * 1) Click Start, point to Programs, click Windows NT 4.0 Option Pack, click Microsoft Internet Information Server, and then click Internet Service Manager.
 * 2) Right-click your Web site, and then click Properties.
 * 3) Click the Home Directory tab.
 * 4) Click Configuration, and then click the App Options tab.
 * 5) Click to clear the Enable Session State check box.

back to the top

Turn Off ASP Session State on an IIS 5.0 Web Site
To turn off sessions for the ASP Web application at the Web site level by using IIS 5.0:
 * 1) Click Start, point to Programs, click Administrative Tools, and then click Internet Information Services.
 * 2) Right-click your Web site, and then click Properties.
 * 3) Click the Home Directory tab.
 * 4) Click Configuration, and then click the App Options tab.
 * 5) Click to clear the Enable Session State check box.

back to the top

Turn Off ASP Session State on an IIS 5.1 Web Site
To turn off sessions for the ASP Web application at the Web site level by using IIS 5.1:
 * 1) Click Start, point to Programs, click Administrative Tools, and then click Internet Information Services.
 * 2) Right-click your Web site, and then click Properties.
 * 3) Click the Home Directory tab.
 * 4) Click Configuration, and then click the Options tab.
 * 5) Click to clear the Enable Session State check box.

back to the top

Turn Off ASP Session State on a Specific ASP Page
You may also turn off session state for a specific ASP page by adding the following directive at the top of the ASP page: <%@ EnableSessionState=False %> Note, however, that the session ID cookie is still sent and the Session_OnStart event still fires if a page with EnableSessionState=False is requested.

back to the top

