Wednesday, May 31, 2006

IE6's Selective Cookieing

One of my students had a question about cookies and sessions. He stated that ASP sessions are handled by cookies. It had been a while since I had used ASP, but I was sure that sessions were handled by objects created on the server side.

So we proceeded to a heated discussion of sessions and their relationship with cookies. We found that ASP does use server-side session objects, but it also requires cookies to be enabled on the browser client side by default.

During this discussion (which took place over many months), I finally did something. I demonstrated that you can actually set IE6 to block all cookies and still use the ASP Session object. I thought this really proved my point (that he was wrong and I was right - this was my downfall).

One week after I demonstrated the ability of IE6 to use sessions with all cookies blocked, this student came into class and mentioned something about transient cookies -- a type of cookie that was stored in memory instead of the hard drive.

Well, that still does not make it a cookie, because a cookie must be a file that is stored on the client side. He then proceeded to download and use Cookie Spy to show me that there was a cookie written to IE6 even after setting it to block all cookies. I told him to try Firefox and he did. The result is that in Firefox, not allowing cookies also disables ASP sessions.

WOW, this is really surprisingly unsurprising. We have uncovered a hidden feature implemented by Microsoft to purposefully undermine a functional feature of IE6 that blocks all cookies. The result:

Microsoft Session Objects were able to write a cookie to the client computer using IE6 even after setting IE6 to block all cookies.
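An added example, not part of the original post: on the wire, a transient (session) cookie is a `Set-Cookie` header with no `Expires` or `Max-Age` attribute, so a test like the one described above can be checked from the response headers. The function names and the sample headers below are constructed for illustration; the `ASPSESSIONID` prefix is the name classic ASP gives its session cookie.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie


def classify_set_cookie(header_value, now=None):
    """Map each cookie in one Set-Cookie value to 'session', 'persistent' or 'expired'.

    RFC 6265: a cookie with neither Max-Age nor Expires is kept only until the
    browser session ends; when both are present, Max-Age wins.
    """
    now = now or datetime.now(timezone.utc)
    jar = SimpleCookie()
    jar.load(header_value)
    result = {}
    for name, morsel in jar.items():
        lifetime = _max_age_seconds(morsel["max-age"])
        if lifetime is None:
            lifetime = _expires_seconds(morsel["expires"], now)
        if lifetime is None:
            result[name] = "session"      # transient: no stored lifetime
        else:
            result[name] = "persistent" if lifetime > 0 else "expired"
    return result


def _max_age_seconds(raw):
    # An unparsable Max-Age is ignored, as the RFC requires.
    try:
        return int(raw)
    except (TypeError, ValueError):
        return None


def _expires_seconds(raw, now):
    if not raw:
        return None
    try:
        when = parsedate_to_datetime(raw)
    except (TypeError, ValueError):
        return None
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return (when - now).total_seconds()


# Constructed sample headers (not captured from a real server).
SAMPLE_HEADERS = [
    "ASPSESSIONIDAAAAAAAA=CONSTRUCTEDVALUE; path=/",
    "prefs=dark; Expires=Wed, 31 May 2006 12:00:00 GMT; Path=/",
]
```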

2 Comments:

Blogger Margaret said...

A big hello to Dr. Li from "Mrs. Jon". I'm afraid I don't have the recipe for no cookies, but I do have a great recipe for Chocolate Chip!

I'll have to send Jon in Monday with a batch for you.

Great to meet you and here's a site that you may find of interest regarding blogging. http://www.problogger.net/31-days/

Take care,
"Mrs. Jon"

Friday, 02 June, 2006  
Blogger Max said...

Hello, I've also just tested this issue on the beta version of IE7, as well. It's interesting to note that I also have "Windows Defender" installed, a second beta version from Microsoft to fight spyware, and it's not bothered by this non-compliance, either! What other types of intrusions might IE selectively decide to ignore?

Friday, 02 June, 2006  
