We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:
SUMMARY
This step-by-step article describes how to improve the performance of your Web server by turning off Active Server Pages (ASP) session state.
The Web server with ASP automatically creates a
Session object when a Web page from the application is requested by a user who does not already have a session. The server destroys the
Session object when the session expires or is abandoned, and when session state is turned off, ASP does not track users and does not permit an ASP script to store information in the
Session object or use the
Session_OnStart or
Session_OnEnd events. These
Session objects consume valuable resources. By turning off sessions, you can improve the performance and scalability of your ASP Web application. You can turn off session state either for the whole Web site or for specific ASP pages.
NOTE: Sessionless applications do not do the following:
- Execute Session_OnStart procedures.
- Send session ID cookies.
- Access built-in Session objects or session scope objects that are created with the <OBJECT> tag.
- Serialize execution with other session requests.
back to the top
Turn Off ASP Session State on an IIS 4.0 Web Site
To turn off sessions for the ASP Web application at the Web site level by using IIS 4.0:
- Click Start, point to Programs, click Windows NT 4.0 Option Pack, click Microsoft Internet Information Server, and then click Internet Service Manager.
- Right-click your Web site, and then click Properties.
- Click the Home Directory tab.
- Click Configuration, and then click the App Options tab.
- Click to clear the Enable Session State check box.
back to the top
Turn Off ASP Session State on an IIS 5.0 Web Site
To turn off sessions for the ASP Web application at the Web site level by using IIS 5.0:
- Click Start, point to Programs, click Administrative Tools, and then click Internet Information Services.
- Right-click your Web site, and then click Properties.
- Click the Home Directory tab.
- Click Configuration, and then click the App Options tab.
- Click to clear the Enable Session State check box.
back to the top
Turn Off ASP Session State on an IIS 5.1 Web Site
To turn off sessions for the ASP Web application at the Web site level by using IIS 5.1:
- Click Start, point to Programs, click Administrative Tools, and then click Internet Information Services.
- Right-click your Web site, and then click Properties.
- Click the Home Directory tab.
- Click Configuration, and then click the Options tab.
- Click to clear the Enable Session State check box.
back to the top
Turn Off ASP Session State on a Specific ASP Page
You may also turn off session state for a specific ASP page by adding the
following directive at the top of the ASP page:
<%@ EnableSessionState=False %>
Note, however, that the session ID cookie is still sent and the
Session_OnStart event still fires if a page with
EnableSessionState=False is requested.
back to the top
REFERENCES
For additional information about how to disable session state, click the article numbers below
to view the articles in the Microsoft Knowledge Base:
306996 HOW TO: Disable ASP Session State in ASP.NET
For additional information about how to disable session state on a Web site with Front Page Server Extensions installed, click the article numbers below
to view the articles in the Microsoft Knowledge Base:
324249 FP: Database Error Messages When Session State Is Disabled
324293 FP: Confirmation Page Appears But No Data Is Added to Database