Cookieless, File Based Sessions in ASP.
The TzSessions functions maintain state through the use of flat files and unique ids.
No cookies are used.
No database is used.

View the TzSessions source.

View the example source.

Download the zipped source files.


While creating an ASP 3.0 web application, for use with PDAs, mobile phones, and other wireless devices, I needed a way to maintain session state. Most wireless devices don't accept cookies so I couldn't use the cookie dependent ASP Session object. Also, I didn't have access to a database so I needed another location to store the session variables.

The above constraints lead me to create a few simple functions that will maintain state without the use of cookies or a database.


The trick to maintaining state is passing the unique session id, TzId, from page to page in either in the GET or POST.

<a href="example.asp?TzId=<%=TzId%>">
<input type="hidden" name="TzId" value="<%=TzId%>">

The global Dictionary object, TzSession, is the repository for the session data. Add, remove and access the session data in TzSession using the standard Dictionary object methods and properties.

TzSession("login_id") = "Herten"

A call to TzSessionStart() tries to locate the passed TzId. If the id is found the function reads and then loads the saved session data into the TzSession object. The session data is read from a flat file in the FileSystemObject special temporary folder. Each TzSession creates its own flat file whose name is the same as the TzId.

A call to TzSessionWrite() writes the session data contained in the TzSession object to a flat file.

That's it! No worries, it's simple.


Using these routines to store sensitive data is not secure. Anyone with access to the server can read the session files. The session files are stored in c:\temp or a similar system temporary folder so be careful.


Only strings can be saved in the TzSession. No Arrays or Objects. The routine that writes and reads the contents of the TzSession Dictionary to a file is very simple. It currently only supports the reading and writing of strings. However, it can be enhanced to handle Arrays but probably not Objects.


If you are looking for a more robust ASP 3.0 cookieless session solution then check out the Cookie Munger. It is implemented as an ISAPI filter that modifies the incoming and outgoing byte stream to write and read the necessary information.

ASP.NET has done away with cookie based sessions and now you can just turn on cookieless sessions.

Check the ASP Resource Index, for other cookieless session routines.


  • Microsoft-IIS/5.0
  • ASP 3.0
  • VBScript 5.1.7426

Feedback is welcome. If you enhance the enhance the TzSession functions please let me know. The same goes for bugs. Email