ASP: Sustain Remote Cookie Sessions in an ASP/VBScript

I dug up this cold from my old netnerds blog. For Googlers wondering if sustaining a remote session is possible, the answer is yes; I’ve sustained remote cookie sessions using both ASP & VBScript. I’ve provided simplified code below. It should be self explanatory. If not, drop me a comment and I’ll explain it.

url1 = ""
url2 = ""

data1 = "username=bobby&pass=thepass&submit=Login"

theCookie = httpSessionRequest(1, "POST", url1, data1, noCookie, noViewState)
finalHTML = httpSessionRequest(2, "GET", url2, nodata, theCookie, noViewState)

response.write finalHTML

Function httpSessionRequest(theStep, method, url, data, cookie, viewState)
'FYI, viewstate code has been ripped out.
'Previously, I screenscraped to get the viewstate hidden field for aspx pages.

baseURL = "" 'This is to fix any broken images in the output.

if len(cookie) = 0 then cookie = "dummy=dummy;"
HTTPReferrer = Trim(url)
postVars = Trim(data)

Set XMLHTTP = server.CreateObject("MSXML2.serverXMLHttp") method, Trim(url), false

if UCASE(method) = "POST" Then
XMLHTTP.SetRequestHeader "Content-Type", "application/x-www-form-urlencoded"
End If
XMLHTTP.SetRequestHeader "Referer", HTTPReferrer 'just in case the server cares
XMLHTTP.setRequestHeader "Cookie", "excuse the Microsoft bug"
XMLHTTP.setRequestHeader "Cookie", cookie

XMLHTTP.send postVars

'wait for response
While XMLHTTP.readyState <> 4
XMLHTTP.waitForResponse 1000
strHeaders = XMLHTTP.getAllResponseHeaders()

hArr = split(strHeaders,"Set-Cookie: ")
for kk = 1 to ubound(hArr)
theCookie = left(hArr(kk),instr(hArr(kk),"path=/")-2)
myCookie = myCookie & " " & theCookie

if len(myCookie) = 0 then mycookie = cookie
sReturn = replace(XMLHTTP.responsetext,"../",baseURL)

if cint(theStep) = 1 then
httpSessionRequest = mycookie
elseif cint(theStep) = 2 then
httpSessionRequest = sReturn
elseif cint(theStep) = 3 then
'You can add stuff here to debug
httpSessionRequest = mycookie
response.write theCookie & "<p>" & mycookie & "<p>" & sReturn  & "<hr /><p>"
end if
set XMLHTTP = nothing

Chrissy is a Cloud and Datacenter Management & Data Platform MVP who has worked in IT for over 20 years. She is the creator of the popular SQL PowerShell module dbatools, holds a master's degree in Systems Engineering and is coauthor of Learn dbatools in a Month of Lunches. Chrissy is certified in SQL Server, Linux, SharePoint and network security. You can follow her on Twitter at @cl.

Posted in IIS, VBScript
20 comments on “ASP: Sustain Remote Cookie Sessions in an ASP/VBScript
  1. shaharyar hafeez says:

    i am shaharyar hafeez from pakistan i have used your code in article “ASP: Sustain Remote Cookie Sessions in an ASP/VBScript”

    this code works well for 2 pages. but when i want to get the third page then i cant aple to maintain session. plz help me if u can.
    i am using the following urls in the code

    url1 = “”

    url2= “”

    url3= “”


    theCookie = httpSessionRequest(1, “GET”, url1,nodata,noCookie, noViewState)

    theCookie = httpSessionRequest(1, “GET”, url2, nodata, theCookie, noViewState)

    finalHTML = httpSessionRequest(2, “Post”, url3, data1, theCookie, noViewState)

    i have tried alot but cant succeed please help me as soon as possible.

    thanks in advance

  2. Chrissy says:

    Hey Shaharyar,
    Your current order is
    theCookie = httpSessionRequest(1, “GET”, url1,nodata,noCookie, noViewState)

    theCookie = httpSessionRequest(1, “GET”, url2, nodata, theCookie, noViewState)

    finalHTML = httpSessionRequest(2, “Post”, url3, data1, theCookie, noViewState)
    Try doing


  3. Tahir Ali says:

    I need some help regarding how to post viewstate using xmlhttp in asp 3.0

  4. raymond says:

    It’s not working on you help me out please?

  5. Bruno says:


    If I understood your code you send a request for url1 and in urls the session will be created, then you call url2 and in there you can access the session created in url1.

    What if i want to create a session in the main page and call serverXMLHTTP, is there a way to do that?
    I mean, whithout using a second url?

    All I want is that the session created in the main page can be accessed in “url”.
    In my case, url will not create another session.

    I tryed to pass the cookie header like this XMLHTTP.setRequestHeader “Cookie”, request.ServerVariables(“HTTP_COOKIE”)
    but no success.

    I would apreciate any help.
    Thanks in advance.

  6. Bruno says:

    To make myself more clear what I want in terms of code is:

    ========MAIN PAGE========

    Dim xmlhttp
    set xmlhttp = CreateObject(“MSXML2.ServerXMLHTTP”) “GET”, “myurl.asp”, false
    session(“myString”) = “blablabla”
    xmlhttp.send “”
    response.write = xmlhttp.responseText
    set xmlhttp = nothing


    response.write session(“myString”)


    The thing is: blablabla doesn’t get writen on main page. All I want is for this to work.

    Sorry about placing to posts for the same thing.

  7. Pete D says:

    Hi Bruno,

    I had a similar need and a similar problem hence me finding this page. I think I’ve found out why it won’t work but it might not help you. Its seems that only one page can have access to a users session space at one time but you (or we) are trying to access it in both pages. As a result the second page hangs while it waits for the firstpage to finish processing and release the session but it can’t as the first page is waiting for the second to finish running…dead lock. Thats whats causing this method to not work. The only way around it I’ve found is to switch off sessions in the first page, the calling page then the second page has access to the session space. Not perfect but it might serve your needs it did mine. You can switch it off by add this line to the top of your page:

    * If you already have a

  8. Steve Shen says:

    Great script! Thanks for sharing!

    One suggestion… Since response headers may not always contain “path=/”, it could be “Path=/”( with capital “P”), make the instr() not case sensitive would be a fix:

    theCookie = left(hArr(kk),instr(hArr(kk),”path=/”)-2)

    change to:

    theCookie = left(hArr(kk),instr(1,hArr(kk),”path=/”,1)-2)

  9. Hi Chrissie – I am trying to get this to work with session variables as
    well as cookies so I’ve got
    xmlhttp.setRequestHeader “Cookie”, “LOGGED=xxxxxxxxxx”
    xmlhttp.setRequestHeader “Cookie”, “MYID=xxxxxxx”

    works fine – however how do I get this to run with session variables
    is it just a case os writing
    xmlhttp.setRequestHeader “Session”, “MYSession=xxxxxxx”

    any help would be really great

    Many thanks


  10. David Luu says:

    Thanx for the info Chrissy! :)

    For anyone interested, I wrapped Chrissy’s method around a slightly different friendly API for VBScript, and for Javascript as well. It might not be perfect but it’s a start. The Javascript version is intended to be cross-platform.

    Web/HTTP Automation Libraries

    I’m thinking of doing ports for .NET and Java as well, if needed.

  11. Ribonix says:

    I need to read this page:[email protected]_out.cfm?cod=310&sq=1186&tipo=AR
    If I delete cookies and I go directly to this link I get Error in page.

    If I go to this link and select OSBER name in the list I go to another page. If I go to Under14 Link in the page I get a correct page.

    How I can modify the code?

    I know that in POST data I put

    Can you help me? Thank You

  12. Antonio says:

    hi Chrissy,
    your script is very useful. I wish to use it to send my vote in a web poll. In order to do that, I need to simulate send data via form.
    I know the URL to the page to vote, but I dont know the URL to the module which stores the vote (in the HTML I got ).
    Is there a way to retrieve the destination URL? Can I send form data using a cookie?


  13. Zsolt says:


    Thank you very much, I have been looking for this piece of code for a while to integrate with an XML parser requiring proper session cookie authentication.

    Best wishes,

  14. HakkanR says:

    hi, i need help about xmlhttp connection a site..
    page have login and password textfield.. but this form elements name are generated Random by server
    for examle when you enter page :
    name=”6100cf004601fc245d21aa880fde8ce3″ id=”tagLogin” type=”text”
    type=”password” maxlength=”10″ name=”83006400c2011c24d821c688ecdf1816″

    if you enter page and delete cookie.. page say you must enter all variables in form.
    if you dont delete cookie.. page login successfully..

    i connect the page with : Msxml2.ServerXMLHTTP.3.0
    and send User-Agent Google Chrome
    and first connection i get the cookie value with that:

    cookie = sender.getResponseHeader(“Set-Cookie”)
    sID = mid(cookie,instr(1,cookie,”=”)+1,instr(1,cookie,”;”)-(instr(1,cookie,”=”)+1))

    Response.Write “Setting Request Header Cookie as: ” & left(cookie,instr(1,cookie,”;”)-1) & “”

    Result: Response Header Cookie = Apache=; path=/; expires=Tue, 18-Sep-12 21:42:49 GMT
    the session closed :(

    and when i connect the page with post and send Form.Name Values.. and send cookie

    sender.setRequestHeader “COOKIE”, left(cookie,instr(1,cookie,”;”)-1)

    but result said: you must enter all values on form. Because my Cookie.timedout and form login names change again..
    can anybody help me that?

  15. Dear Chrissy,

    This is the second time on this project a Google search brought me to a posting from you that is exactly what is needed. Thank you for posting things of this nature. They are a big help to those of us getting into areas we have not trod before. Haven’t tried it yet, but it looks perfect.

    Tom Armstrong

  16. Nicholas Tolbert says:

    Script Works Great :)

  17. Fafhrdd says:

    Is it possible to help me to understand what data1 is for? I am assuming it places the data in the correct fields (user name and password) however I am not completely sure how to enter in the data…

    Do I use the NAME of the text boxes? For example my text box code on my login page is as follows:

    As you can see it is the username… how would I change your code if say my username is Fafhrdd?

    Right now I have replaced your code “username=bobby” with “ctl00$cphBody$Login1$UserName=fafhrdd”

    Does that make sense or am I a complete moron?

  18. ASP says:

    This is nice code. But you could have used Application(Request.ServerVariables("REMOTE_ADDR")&"YOURKEY") and save a delimited string. The user is redirected to the new site and parse the demimited string using Split add the cookies and use Application.Contents.Remove(Request.ServerVariables("REMOTE_ADDR")&"YOURKEY").

Leave a Reply

Your email address will not be published. Required fields are marked *