N342 User Sessions

 Modified

Session variables - One of the fundamental requirements for implementing serious Web-based systems, particularly those involving money or sensitive data, is to distinguish one client from another while apparently handling many clients simultaneously.

The IIS server can automatically maintain unique data for each client in the form of session variables. A server script program can define and manipulate session variables that can hold data independently for each individual client. This provides a useful means to maintain the appearance of state for each user on the server similar to cookies and hidden form variables. In fact, session variables are just automated cookies for which the details of expiration, etc. are handled by the scripting language and server.

So the key advantage of session variables is generally simpler use compared to direct cookie use or other state maintaining mechanisms. The state is managed by the server which can place a time limit on the duration a session can exist with no client activity. This is useful when clients lose interest, fall asleep, disconnects, etc. to be able to forget any uncommitted data entered by the client.

In theory, session variables are not needed since the HTTP 1.0 protocol allows clients to send Keep-Alive messages to keep the connection open. That would allow the Web server and client to complete multiple data exchanges for each connection rather than a single client request and response per connection. With multiple data exchanges, there is no need to maintain state for individual clients in cookies since each connection would have its own set of program variables distinct from other client connections. However, proxy-servers may or may not recognize Keep-Alive requests; session variables, cookies, and methods allow maintaining state in the face of uncertain connections.

Example - Session variables

The project uses a session variable to track the trader.

The session variable is set to the trader's login ID; for example, when Ray logs in, the following is executed:

Login.asp

Session("trader") = "Ray";

Other applications can then access the session variable, for example, the following retrieves the record for Ray:

TraderSummary.asp

rs = conn.Execute( "SELECT * FROM Trader WHERE ID = '" + Session("trader") + "'");

 

What is a Session? - Not a trivial question since it has implications as to how you write or organize applications into directories of CGI, HTML, ASP, etc. files. The definition that Microsoft uses is that a session includes all accesses by the same client to any program in the same virtual directory or subdirectories on the server. A client that accesses two different ASPs, etc. on the same virtual directory would be considered the same session. The accesses can be to different physical subdirectories as long as under the same virtual directory.

Cookies and Sessions - Session variables are maintained as cookies on the client so the client browser must have cookies enabled in order for the server to maintain session variables, otherwise the server sees every access by the same client as a new session when cookies are disabled. The server script can test whether session state is being maintained (i.e. cookies enabled) by:

  1. setting a session variable,

  2. immediately invoke another ASP that tests if the session variable is still defined,

  3. if not defined then most likely the browser isn't accepting cookies.

Global.Asa - On the client opening an ASP script on a virtual directory for the first time (i.e. no cookie is sent by the client), the server first reads the file Global.Asa from the root directory of the same virtual directory as the ASP script. The Global.Asa file would normally contain session timeout limits, initialization, etc.

The example below sets the important Session.Timeout to 1 minute. If the client associated with the session has no activity in 1 minute that causes a call to the Session_OnEnd subroutine in the Global.Asa script by the server, the the session will be undefined by the server which effectively forgets about the client. With a one minute timeout, the session cookie's expiration time is set for one minute later than the current time. When a cookie has expired, it is not returned by the browser. The Session.Timeout default is 20 minutes.

Global.Asa
<Script LANGUAGE = VBScript RUNAT = Server> 

 Sub Session_OnStart
   Session.Timeout = 1          ' End session after 1 minute
   Response.Expires = 0          ' Ensure page is not cached 
   Server.ScriptTimeout = 10    ' Stop server executing script after 10 seconds
   Response.write("<H1>New Session " & Session.SessionID & "</H1>")             ' Will output before cookie header
 End Sub                                                                                                      ' possibly causing error so remove after testing

 Sub Session_OnEnd
  ' Can no longer access client (e.g. Response.Write) but can manage server resources such as database, etc.
 End Sub
</Script>

Points of note

  1. The Global.Asa script is run when the client initially runs any script (i.e. no cookie is sent by the client) on the virtual drive creating a new session.
     
  2. The server writes back to the client a Session.SessionID cookie with an expiration date set to the timeout. A New Session session ID number message appears only once since Session_OnStart is executed only when the first script in a virtual drive is executed for a client.
     
  3. Since the Global.Asa is executed at the beginning of each new session, any ASP scripts run from directories below the Global.Asa file would have the message printed and the parameters set.
     
  4. All session variables are undefined for each new session.
     
  5. Session.SessionID is a variable assigned a unique numerical value (i.e. unique at least until the value rolls over) incremented with each new client access. We will see that it is useful on the server for tracking an individual client.

In the following diagram, there exists a D:\Summer\Courses\A348\Global.Asa file. A virtual directory A348 is mapped to the real directory D:\Summer\Courses\A348 and contains the Global.Asa file. Any ASP scripts run in A348 or sub-directories (i.e. the ASP directory in the figure below right) will use the same D:\Summer\Courses\A348\Global.Asa file.
 

Global.Asa in directory D:\Summer\Courses\A348 and virtual directory A348

Exercise 0 - Global.Asa

  1. Copy and paste the Global.Asa into the real directory of the root-level N342 virtual directory on your server.
    <%@ LANGUAGE = JScript %> 
  2. Copy and paste the ASP at right into the N342 directory. Test. You should see the message New Session ... printed.
  3. Run again. No message should appear.
  4. Wait about one minute for the Session.Timeout to expire. Run again. The SessionID should change.

Note that the IUS Web server does not honor Global.asa files so session timeouts are the default 20 minutes.

 

Determining if Cookies and Session Variables are Enabled

Since session variables are stored on the client as a cookie, cookies must be enabled for cookies and hence, session variables to work. In IE, cookies are controlled through the Internet Tools | Internet Options | Privacy | Advanced panel.

It is important to determine if cookies are enabled on the client before naively using session variables.

However, let's take the naive approach and assume that the Session.SessionID can be used to determine that cookies are enabled on the client since SessionID is maintained as a cookie. The following script tests for Session.SessionID = "" which should occur when cookies are disabled. Running the script several times from a browser with cookies disabled and the above Global.Asa demonstrates that each execution is seen as a new session and a new Session.SessionID is generated.

Not useful since a SessionID is generated each time by the server before running an ASP (or other) program but the SessionID is not accepted by the client when cookies are disabled.

The following erroneously indicates to the server that cookies are always enabled on the client.
 

Bogus Session.SessionID test for Cookies Enabled
<%@ LANGUAGE = JScript %> 
<% if (Session.SessionID == "")
       Response.Write("Cookies Disabled"); 
   else 
       Response.Write("Cookies Enabled"); 
%>

 

Another approach might be to set a session variable and then test if it is the same value later. Unfortunately, the session variable keeps its value for the execution duration of the current ASP script, only being retrieved when the browser accesses another file on the server.

The following erroneously indicates that cookies are always enabled.
 

Bogus Session Variable test for Cookies Enabled
<%@ LANGUAGE = JScript %>
<%
  Session("CookieTest") = 1;
  if(Session("CookieTest") == 1)
     Response.Write ("Cookies Enabled")
  else
     Response.Write ("Cookies Disabled")
%>

 

One might also think the solution is to set a cookie value, then get the same cookie as in the example below; basically the same as the previous example. If the cookie value existed then the client could be assumed to have enabled cookies.

The fly in this ointment, using the ASP Response.Cookies at least, is that the cookie is cached so that Request.Cookies returns the same value of the Response.Cookies; cookies are passed to the browser when the ASP script completes and passed from the browser when the ASP script starts. The client again erroneously reports to have cookies enabled.
 

Bogus Response.Cookies test for Cookies Enabled
<%@ LANGUAGE = JScript %>
<%
  Response.Cookies("CookieTest") = 1;
  if(Request.Cookies("CookieTest") == 1)
    Response.Write ("Cookies Enabled")
  else
    Response.Write ("Cookies Disabled")
%>

 

A test that correctly determines whether cookies are enabled is to set a session variable to a value in one ASP script file and test the same session variable in a different script file for that value. 

Setting the session variable value in one script and testing in another forces the cookie to be passed to the browser at the end of one script and retrieved from the browser at the beginning of the other. When cookies are not enabled on the browser, a Request.Cookies will not return a value for the session variable.

Note in the example below, CookieTest.Asp is executed first to set the session variable, then the Response.Redirect causes the script CookieEnabled.Asp to be executed, there is no return from a redirect to another script.

Valid test for Cookies Enabled
CookieTest.Asp

<%@ LANGUAGE = JScript %>
<%
    Session("CookieTest")=1;
    Response.Redirect ("CookieEnabled.Asp");
%>

 

 CookieEnabled.Asp

<%@ LANGUAGE = JScript %>
<%
  if(Session("CookieTest") == 1)
    Response.Write ("Cookies Enabled")
  else
    Response.Write ("Cookies Disabled")
%>

 

Exercise 1 - Global.Asa and Session Variables

  1. Copy and paste the Global.Asa into the real directory of the root-level N342 virtual directory on your server.
  2. Copy and paste each of the three bogus cookies enabled examples into the N342. Test.
  3. Disable cookies on the browser. In IE, cookies are controlled through the Internet Tools | Internet Options | Privacy | Advanced panel. Disable cookies and test each again.
  4. Copy and paste the CookieTest.Asp and CookieEnabled.Asp immediately above into the N342 virtual directory.
  5. Execute the CookieTest.Asp script from a browser.
    • What is your session number and where on the page was it printed?
    • Are cookies enabled on your browser?
  6. Assuming that cookies were enabled, wait a minute or so and reload the CookieTest.Asp script. Be sure to reload on the browser to force the execution of the script (otherwise you'll get the cached browser results from the last load). Did a time-out occur?
  7. Disable cookies on the browser.
  8. Reload the CookieTest.Asp script from a browser.
    • What is your session number and where was it printed.
    • Are cookies enabled on your browser?
  9. Reload the CookieTest.Asp script immediately again from a browser.
    • What is your session number and where was it printed.
    • Are cookies enabled on your browser?

 

State

The following examples illustrate some simple uses of session variables for maintaining state. There are three examples, the first two are essentially the same in that both use a programmer defined session variable to maintain state.

  1. The first example maintains a visit counter for each client, incrementing the count each time visited within the 1 minute timeout period.
  2. The second example is of a TicTacToe game (albeit a badly played one for simplicity).
  3. A phrase cart (similar to a shoping cart) where the client types in clever phrases that are added to the cart. The phrase cart can also be dumped to empty.

Personal Visit Count -  The ASP script uses a session variable named SessionCounterJScript to keep track of a single user visits. Each user has a unique copy of each session variable that exists for the length of time defined by Session.Timeout, defined in the Global.Asa file or in the ASP script.

A critical step is to initialize the session variable before using its value, since it is initially null. In the counter example, the session variable is incremented, incrementing the variable before initilization would cause a program failure. The test Session("SessionCountJScript") == null ensures that the session variable is correctly initialized whenever a new session is started for the user. In the case that a session times out (after 1 minute with the above Global.Asa) the next visit would be treated as a new session.

The Session.SessionID is a session identifier that can be used over short periods of time to relate a session with other data. In a shopping cart application the session ID could be used to identify the items in a database specific for each cart using the session ID as a database field. Another related use is to purge a database of any data related to a specific session, this is often needed on a session timeout when the session data is no longer valid.

It should be noted that the session ID is not guaranteed unique, that restarting the server would likely reproduce the same session ID at some point for some other user. For that reason, the session ID cannot be used where uniqueness is required, such as the primary key of a database. Relational database systems generally support an autoincrement field that is automatically generated when a new record is inserted into the table that is unique, a unique user login or the concatentation of the session ID with the current time and date can serve as the database key.
 

Using Session Variables to Maintain Individual Visit Count 
Global.Asa - Store in root directory of virtual

<Script LANGUAGE = VBScript RUNAT = Server> 
 Sub Session_OnStart
   Response.Expires = 0           ' Ensure page is not cached 
   Server.ScriptTimeout = 10   ' Stop server after 10 seconds
   Session.Timeout = 1         ' End session after 1 minute
 End Sub

 Sub Session_OnEnd
  ' Can no longer access client but can manage database, etc.
 End Sub
</Script>


What the browser client sends the server

http://localhost/ASP/JCount.ASP


JCount.Asp

<%@ LANGUAGE = JScript %>

 <b>Using Session Variables</b></font><br>
  <%   // If first time a user has visited
          // the page, initialize Session Value
    if (Session("SessionCountJScript") == null)
        Session("SessionCountJScript") = 0;
       // Increment Session variable.
       // Note: Session variable value is only
       // for this user's individual session 
        Session("SessionCountJScript") = 
                Session("SessionCountJScript") + 1;
   %>

You have personally visited this page
  <%= Session("SessionCountJScript") %> times as
   Session ID <%= Session.SessionID %>. 

   <A href = "Jcount.asp"> Click here to visit it again</A>
 

 

Exercise 2 - State

ASP uses the Session object to maintain client state. Create a modulus 4 counter using an ASP and session variables.

  1. Create an ASP file named Exercise2.asp in the same directory as the scripts (e.g. CookieTest.Asp) of Exercise 1. You may want to copy and paste the Jcount.Asp above as a starting point.
  2. Collect the four different image files  (right click on the image to save). Name them "digit0.gif", "digit1.gif", etc. for example.
  3. Define a digit link as an HREFs with an image source of "digit0.gif", "digit1.gif", etc. HREF linking should occur, for example:

    4. <A HREF="Exercise2.asp"><IMG SRC="digit0.gif"></A>
  4. When the digit link is clicked, increment the image displayed to the next image; digit0.gif, digit1.gif, etc. and back to digit0.gif. Use a session variable to count which image is displayed. The modulus operator in JavaScript and PerlScript is %, VBScript is Mod.
  5. With the count displayed , wait about a minute for the session timeout before clicking. What should the result be?

 

 

Exercise 3 - Checking for Cookie Enabled

  1. Modify CookieTest.Asp to redirect to Exercise2.Asp.
  2. Modify Exercise2.Asp to test that the session variable CookieTest is valid.
  3. Execute the CookieTest.Asp to verify that all still works as before when cookies are enabled.

 

Mapping a Session into a Database

Database Implementation of a Phrase Cart - The Phrase Cart allows phrases to be added to a cart, displayed, and the cart emptied by the user. The phrase cart is also emptied automatically when the session times out. The session ID is used to distinguish one set of phrases from another client's by associating all phrases with the client's session ID when the phrase is entered to the data base. New phrases from a client are added to a data base table with the same session ID as others for that session. The client can empty the cart contents (all or none) based upon the session ID. The example also uses redirection from one ASP to another to implement the phrase entry and summary functions, adding phrases, and emptying the cart. There are three ASPs that do the work and one that prints a message when cookies are not enabled.

  1. PhraseCart - Displays the phrases entered for this session. The client can enter a new phrase to the cart or empty the cart. If adding a new phrase, control is redirected to the PhraseAdd.Asp to actually add the phrase with the corresponding session ID. Initializes a session variable SessionCheck to determine whether cookies are accepted.
  2. PhraseAdd - Checks whether SessionCheck is defined, if not redirects control to the CookiesDisabled.Asp, otherwise adds the session ID and phrase to the database table. It then redirects control back to PhraseCart.Asp.
  3. PhraseClear - Empties the phrase cart and redirects control back to PhraseCart.Asp.
  4. CookiesDisabled - A text file that is displayed when cookies are disabled on the client browser.

Note that while the session ID is not used as the primary key of the database table it is used to maintain, update and retrieve table entries.

PhraseCart.Asp

<%@ LANGUAGE = JScript %>
<%
  conn = Server.CreateObject("ADODB.Connection");
  conn.Open ("DRIVER={Microsoft Access Driver (*.mdb)};DBQ=" +
                    Server.MapPath("N342PhraseCart.mdb"));
  Session("SessionCheck") = "Now Defined"
  rs = conn.Execute("SELECT Phrase FROM Phrases WHERE SessionID =" +
                               Session.SessionID + ";")
%>
  <table align="center" cellpadding=0 cellspacing=0>
   <tr> <td align="center" ><H2>Phrase Book Summary</H2>
   </td></tr>
<% if (rs.EOF) {
%>
       <tr><td align="center" >Phrase Book Empty</td>
   </table>
<% } else {
          while( !rs.EOF ) {
%>
     <tr><td align="center"><%=rs("Phrase")%></a></font></td></tr>
<%
             rs.MoveNext();
          }
      }
      rs.Close();
%>
</table>
<form method="post" action="PhraseAdd.asp">
       Enter phrase: <input type=text size=20 name=Phrase>
</form>
<form method="post" action="PhraseClear.asp">
      <input type="submit" value="Clear Phrase Book">
</form>


Database Table definition and phrases for several sessions 

PhraseAdd.Asp

<%@ LANGUAGE = JScript %>
<%
   if( Session("SessionCheck") == null)
       Response.Redirect ("CookiesDisabled.asp");

   conn = Server.CreateObject("ADODB.Connection");
   conn.Open ("DRIVER={Microsoft Access Driver (*.mdb)};DBQ=" +
                      Server.MapPath("N342PhraseCart.mdb"));

   conn.Execute("INSERT into Phrases (SessionID, Phrase) VALUES (" +
                  Session.SessionID + ",'" + Request.Form("Phrase") + "');");

   Response.Redirect("PhraseCart.asp");
%>


PhraseClear.Asp

<%@ LANGUAGE = JScript %>
<%
   if( Session("SessionCheck") == null)
      Response.Redirect( "CookiesDisabled.asp" );

   conn = Server.CreateObject("ADODB.Connection");
   conn.Open ("DRIVER={Microsoft Access Driver (*.mdb)};DBQ=" +
                    Server.MapPath("N342PhraseCart.mdb"));

   conn.Execute("DELETE From Phrases WHERE SessionID =" +
                         Session.SessionID + ";" );

   Response.Redirect ("PhraseCart.asp");
%>


CookiesDisabled.Asp - Contains the following text

      In order to process your phrase a temporary cookie must be assigned.
      Your browser is set to not accept cookies, so this prohibits use
      of the phrase cart. Please configure your browser to accept
      cookies and return.
 
No phrases for this session
After entering two phrases for this session

Ending the Session - Note that no effort is made in the above to remove phrases when the session ends. Since the session ID is still valid when the session ends, this could be done similarly to PhraseClear.Asp but without the cookie check and redirect (which is not valid when the session is ended). The Global.Asa file contains a Session_OnEnd subroutine that is executed by the OnEnd event. The Session.Session_ID value is used to delete all entries for that specific session. The Global.Asa file can be modified to delete session data by:
 

Global.Asa - Store in root directory of virtual directory

<Script LANGUAGE = VBScript RUNAT = Server> 
 Sub Session_OnStart
   Response.Expires = 0         ' Ensure page is not cached 
  Server.ScriptTimeout = 10   ' Stop server after 10 seconds
  Session.Timeout = 1          ' End session after 1 minute
 End Sub

 Sub Session_OnEnd
   SET conn = SERVER.CREATEOBJECT("ADODB.Connection")
   conn.Open ("DRIVER={Microsoft Access Driver (*.mdb)};DBQ=" +
                    Server.MapPath("N342PhraseCart.mdb"));

   conn.Execute( "DELETE From Phrases WHERE SessionID =" & Session.SessionID & ";" )
End Sub
</Script>

Further information - See Visual InterDev Help Index on Session.

 

Exercise 4 - Session and Databases

Make the PhraseCart example work on your server.

  1. Construct an Access database based on the example above for table Phrases with a SessionID and Phrase field. Note that while the SessionID is not used as the primary key of the database table.
  2. Define the database source name of N342PhraseCart.
  3. Use the sample code and Global.Asa above.
  4. Enter several phrases and examine the database table.
  5. Clear the phrase cart and examine the database.
  6. Enter several phrases and examine the database table.
  7. Monitor the database until the timeout time expires.
  8. Trade your URL with the class. Monitor the database as phrases are added and cleared by others.
  9. Disable cookies in the browser and attempt to add a phrase.

TicTacToe 

The same concept of using session variables to maintain user state is applied to the TicTacToe board game. You might recall that the game was examined in some detail as an example of client side programming. The same basic program has been moved to the server side as an ASP using a single session variable named Board that holds the state of the current board for each user. As a client side only program, the client browser held the complete JavaScript  program, though images resided on the server.

In the server side program example below,  the client is initially sent some text and a list of image URLs pointing back to the server that display the board. Empty board positions contain an image (of a blank, empty position) and a link back to the server ASP program. For example:

<A HREF="JTTT.asp?move=2">
   <IMG ALIGN=bottom BORDER=0
     SRC="gameb.gif">
</A>

places a blank position and when clicked will call the server program JTT.ASP with the move=2 to indicate a move of 2 was clicked. The server ASP is then executed, receiving the move=2 from the client.

One critical but somewhat subtle point. The server checks if Session("Board") == null to determine if this is a new session. It also checks Request.QueryString(newGame="New Game?") to determine if an old session needs to initialize the game state. Note that if only the Session("Board") == null were checked the session would have to time out before a new game could be played.

Otherwise the game is programmed nearly identical to the Client-side JavaScript, the document.write of the client program were changed to Response.write of the server, but otherwise the code is unchanged. As in the previous example, the Global.Asa file defines session parameters to the server. If the user doesn't do anything for 1 minute, the session times out and is killed.

You can run this program.
 

TicTacToe Game using URL Data and Session Variable to Maintain Game State 
JTTT.Asp - The server ASP program using session variable to maintain 
                     the state of the game.

<%@ LANGUAGE = JScript %> 
<HTML> 
<HEAD><TITLE>TicTacToe Using<br>Session Variables</TITLE></HEAD>
<BODY BGCOLOR="White"> 
     <H1>TicTacToe Using<br>
         Session Variables</H1>
<%
 if( Request.QueryString("newGame")=="New Game?" || 
     Session("Board")==null)
  newBoard = "012345678";
 else
  newBoard = process(Request.QueryString("move"),
               Session("Board") );  // Session var

 Session("Board") = newBoard;
 display(newBoard);

 function display(board) {
  for (i=0; i<=8; i++) {
   if (board.charAt(i) != 'x' && 
       board.charAt(i) != 'o') {
    Response.write (
        '<A HREF="JTTT.asp?move='+i+'">'); 
    Response.write(
        '<IMG ALIGN=bottom BORDER=0 
              SRC="gameb.gif"></A>');
   }
   else
    Response.write(
        '<IMG ALIGN=bottom SRC="game' +
              board.charAt(i)+'.gif">');
   if (i == 2 || i == 5)
    Response.write(
  '<BR><IMG ALIGN=bottom SRC="gamedh.gif"><BR>')
   else 
    if (i != 8)
     Response.write(
        '<IMG ALIGN=bottom SRC="gamedv.gif">')
  }
 }

 function win(player, board) {
  var wins = "012345678036147258048246";
  for (awin=0; awin<8; awin++) {
   i0 = parseInt(wins.charAt(awin*3));
   i1 = parseInt(wins.charAt(awin*3+1));
   i2 = parseInt(wins.charAt(awin*3+2)); 
   if (board.charAt(i0) == board.charAt(i1) && 
       board.charAt(i1) == board.charAt(i2) ) {
    Response.write('<b>'+player+
                   ' wins!</b><br><br>');
    return true;
   }
  }
  return false;
 }

 function tie(board) {
  for (i=0; i<=8; i++) 
   if (board.charAt(i) != 'x' && 
       board.charAt(i) != 'o')
   return false;
  Response.write('<b>Tie!</b><br><br>');
  return true;
 }

 function place(symbol, move, board) {
  i = parseInt(move);
  if (i >= 0 && i <= 8) 
   if (board.substr(i,1) == move) 
    board = board.substr(0,i) + symbol +
            board.substr(i+1,9-i);
  return board;
 }

 function process(move, oldBoard) { 
  newBoard = place('x', move, oldBoard); // x move 

  if (win("X", newBoard) || tie(newBoard)) return newBoard;

  do {          // Random O move
   oBoard = place('o',
    (Math.round(Math.random()*10)%9), newBoard);
  } while (!win("O", oBoard) && !tie(oBoard) &&
            oBoard == newBoard);

  return oBoard;
}
%>
 <form name=TicTacToe action="JTTT.asp">
  <input type='submit' value='New Game?' name="newGame">
 </form>
</BODY>
</HTML>
 

 What the browser sends the server

http://localhost/ASP/JTTT.asp?move=7

Some of what is sent to the browser - To create
the first row of the TicTacToe board.

<HTML> 
<HEAD>
  <TITLE>TicTacToe Using<br>Session Variables
  </TITLE>
</HEAD>
<BODY BGCOLOR="White">
<H1>TicTacToe Using<br>Session Variables</H1>
<b>O wins! <A HREF="JTTT.asp?newGame=yes">
       New Game?</A></b><br><br>
<IMG ALIGN=bottom SRC="gameO.gif">
<IMG ALIGN=bottom SRC="gamedv.gif">
<IMG ALIGN=bottom SRC="gameX.gif">
<IMG ALIGN=bottom SRC="gamedv.gif">
<A HREF="JTTT.asp?move=2">
   <IMG ALIGN=bottom BORDER=0 
     SRC="gameb.gif">
</A>
<BR><IMG ALIGN=bottom SRC="gamedh.gif">


Browser output