Fixing Classic ASP Session Loss When Redirecting from HTTP to HTTPS
Classic ASP applications may lose session data when redirecting users from an HTTP page to an HTTPS page. This is caused by IIS creating a new session ID when switching to a secure connection.
Although Classic ASP is considered legacy technology, this issue can still affect applications running on modern versions of Windows Server and IIS.
Affected platforms
- Windows Server 2008, 2012, 2016, 2019, and 2022
- IIS 7 and later
- Classic ASP applications
How to prevent session loss
- Open IIS Manager.
- Select your website in the left-hand tree.
- In the Features View, double-click ASP.
- Expand Session Properties.
- Ensure Enable Session State is set to True.
- Set New ID on Secure Connection to False.
- Click Apply to save the changes.
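Explanation: When "New ID on Secure Connection" is enabled, IIS issues a new ASP session ID when the connection switches from HTTP to HTTPS, so session variables stored under the old ID are lost. With the setting set to False, the session ID issued over HTTP stays in use after the switch to HTTPS, which means that ID has already travelled over an unencrypted connection.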
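The same two settings can be checked and changed from an elevated PowerShell prompt on the IIS server. This script is an added example, not part of the original article: it reports the current values for one site and changes them only when run with -Apply. It assumes the WebAdministration module is available, uses the placeholder site name 'Default Web Site', and uses the configuration attribute names allowSessionState (Enable Session State) and keepSessionIdSecure (New ID on Secure Connection) from the system.webServer/asp/session section.

```powershell
# Added example: scripted equivalent of the IIS Manager steps above.
param(
    [string]$SiteName = 'Default Web Site',  # placeholder; replace with your site name
    [switch]$Apply                           # without -Apply the script only reports
)

Import-Module WebAdministration

$filter  = 'system.webServer/asp/session'
# The ASP section is written to applicationHost.config under a <location> tag
# for the site, which is also where IIS Manager stores these settings.
$appHost = 'MACHINE/WEBROOT/APPHOST'

# Values from the procedure, keyed by configuration attribute name:
#   allowSessionState   = "Enable Session State"         -> True
#   keepSessionIdSecure = "New ID on Secure Connection"  -> False
$desired = [ordered]@{
    allowSessionState   = $true
    keepSessionIdSecure = $false
}

function Get-AspSessionSetting([string]$Name) {
    $p = Get-WebConfigurationProperty -PSPath $appHost -Location $SiteName `
            -Filter $filter -Name $Name
    # The cmdlet may return a ConfigurationAttribute or the bare value.
    if ($null -ne $p.Value) { $p.Value } else { $p }
}

if (-not (Test-Path "IIS:\Sites\$SiteName")) {
    throw "Site '$SiteName' not found."
}

foreach ($name in $desired.Keys) {
    $current = Get-AspSessionSetting $name
    $wanted  = $desired[$name]

    if ($current -eq $wanted) {
        Write-Output "$name = $current (already set)"
    } elseif ($Apply) {
        Set-WebConfigurationProperty -PSPath $appHost -Location $SiteName `
            -Filter $filter -Name $name -Value $wanted
        Write-Output "$name changed: $current -> $(Get-AspSessionSetting $name)"
    } else {
        Write-Output "$name = $current (expected $wanted; re-run with -Apply)"
    }
}
```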
Additional recommendations
- Redirect users to HTTPS as early as possible in the session.
- Avoid mixing HTTP and HTTPS within the same session where possible.
- Ensure cookies are allowed in the browser, as ASP sessions rely on cookies.
Note: For new development, Microsoft recommends using modern frameworks instead of Classic ASP. If possible, consider migrating to ASP.NET or another supported platform.