Eternal Debate: Cookies vs. Sessions vs. QueryString

Discussion in 'ASP .Net' started by Paul, Dec 9, 2005.

  1. Here is a question that should get everyone going.

    I have an ecommerce site where I need to pass the order_id to every page. So
    which method is the best practice to pass this variable between pages:
    Cookies or Session variable or by the HTTP header (either GET querystring or
    POST form)?

    I do not like to use sessions because they time out after 20 minutes of
    inactivity.

    I do not like to use cookies because the user can disable the use of cookies
    through their browser settings.

    I am not big on the querystring/form method but it looks like it might be
    the safest way to ensure the app will not break.

    Is there a document which talks about the best practice to do this?

    TIA.
     
    Paul, Dec 9, 2005
    #1

  2. zoli Guest

    Paul wrote:
    > Here is a question that should get everyone going.
    >
    > I have an ecommerce site where I need to pass the order_id to every page. So
    > which method is the best practice to pass this variable between pages:
    > Cookies or Session variable or by the HTTP header (either GET querystring or
    > POST form)?
    >
    > I do not like to use sessions because they time out after 20 minutes of
    > inactivity.
    >
    > I do not like to use cookies because the user can disable the use of cookies
    > through their browser settings.
    >
    > I am not big on the querystring/form method but it looks like it might be
    > the safest way to ensure the app will not break.
    >
    > Is there a document which talks about the best practice to do this?
    >
    > TIA.
     
    zoli, Dec 9, 2005
    #2

  3. zoli Guest

    Paul, have a look at this (it is from the w3schools site)
    http://www.w3schools.com/asp/asp_cookies.asp

    It might be the answer you are looking for?


    What if a Browser Does NOT Support Cookies?
    ---------------------------------------------------------------------
    If your application deals with browsers that do not support cookies,
    you will have to use other methods to pass information from one page to
    another in your application. There are two ways of doing this:

    1. Add parameters to a URL
    You can add parameters to a URL:

    <a href="welcome.asp?fname=John&lname=Smith">
    Go to Welcome Page</a>

    And retrieve the values in the "welcome.asp" file like this:

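    <%
    ' HTML-encode the user-supplied values before writing them into the page
    fname=Server.HTMLEncode(Request.querystring("fname"))
    lname=Server.HTMLEncode(Request.querystring("lname"))
    response.write("<p>Hello " & fname & " " & lname & "!</p>")
    response.write("<p>Welcome to my Web site!</p>")
    %>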

    2. Use a form
    You can use a form. The form passes the user input to "welcome.asp"
    when the user clicks on the Submit button:

    <form method="post" action="welcome.asp">
    First Name: <input type="text" name="fname" value="">
    Last Name: <input type="text" name="lname" value="">
    <input type="submit" value="Submit">
    </form>

    Retrieve the values in the "welcome.asp" file like this:

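    <%
    ' HTML-encode the user-supplied values before writing them into the page
    fname=Server.HTMLEncode(Request.form("fname"))
    lname=Server.HTMLEncode(Request.form("lname"))
    response.write("<p>Hello " & fname & " " & lname & "!</p>")
    response.write("<p>Welcome to my Web site!</p>")
    %>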
     
    zoli, Dec 9, 2005
    #3
  4. Hi Paul,

    Passing an order_id to every page could be a problem, as a hacker could use
    the order_id to perform various types of nefarious operations, depending
    upon how well you defend your app. Cookies can be a problem. Even Session
    Cookies can be a problem, but most browsers allow Session Cookies. I would
    recommend using Session, as it keeps all the private data on the server.
    Just make sure and account for a timed-out Session.

    --
    HTH,

    Kevin Spencer
    Microsoft MVP
    .Net Developer
    You can lead a fish to a bicycle,
    but you can't make it stink.

    "Paul" <> wrote in message
    news:...
    > Here is a question that should get everyone going.
    >
    > I have an ecommerce site where I need to pass the order_id to every page.
    > So
    > which method is the best practice to pass this variable between pages:
    > Cookies or Session variable or by the HTTP header (either GET querystring
    > or
    > POST form)?
    >
    > I do not like to use sessions because they time out after 20 minutes of
    > inactivity.
    >
    > I do not like to use cookies because the user can disable the use of
    > cookies
    > through their browser settings.
    >
    > I am not big on the querystring/form method but it looks like it might be
    > the safest way to ensure the app will not break.
    >
    > Is there a document which talks about the best practice to do this?
    >
    > TIA.
     
    Kevin Spencer, Dec 9, 2005
    #4
  5. Hi Kevin,

    If it is in a web farm, can the session be retrieved on a different machine?

    Thanks,


    Elton Wang

    "Kevin Spencer" wrote:

    > Hi Paul,
    >
    > Passing an order_id to every page could be a problem, as a hacker could use
    > the order_id to perform various types of nefarious operations, depending
    > upon how well you defend your app. Cookies can be a problem. Even Session
    > Cookies can be a problem, but most browsers allow Session Cookies. I would
    > recommend using Session, as it keeps all the private data on the server.
    > Just make sure and account for a timed-out Session.
    >
    > --
    > HTH,
    >
    > Kevin Spencer
    > Microsoft MVP
    > .Net Developer
    > You can lead a fish to a bicycle,
    > but you can't make it stink.
    >
    > "Paul" <> wrote in message
    > news:...
    > > Here is a question that should get everyone going.
    > >
    > > I have an ecommerce site where I need to pass the order_id to every page.
    > > So
    > > which method is the best practice to pass this variable between pages:
    > > Cookies or Session variable or by the HTTP header (either GET querystring
    > > or
    > > POST form)?
    > >
    > > I do not like to use sessions because they time out after 20 minutes of
    > > inactivity.
    > >
    > > I do not like to use cookies because the user can disable the use of
    > > cookies
    > > through their browser settings.
    > >
    > > I am not big on the querystring/form method but it looks like it might be
    > > the safest way to ensure the app will not break.
    > >
    > > Is there a document which talks about the best practice to do this?
    > >
    > > TIA.

    >
    >
    >
     
    Elton W, Dec 9, 2005
    #5
  6. Why are cookies a problem?

    When you say "Make sure you account for a timed-out session", what do you
    mean? If I store the variable in a session variable, and the session times
    out, then I lose the order. Even if I do a check to see if the session timed
    out, it still means that the order will be invalid because I will have lost
    order id?

    I like session variables also but I have a problem with the timeout.

    I think cookies are the best solution, why do you think they are a problem?



    "Kevin Spencer" wrote:

    > Hi Paul,
    >
    > Passing an order_id to every page could be a problem, as a hacker could use
    > the order_id to perform various types of nefarious operations, depending
    > upon how well you defend your app. Cookies can be a problem. Even Session
    > Cookies can be a problem, but most browsers allow Session Cookies. I would
    > recommend using Session, as it keeps all the private data on the server.
    > Just make sure and account for a timed-out Session.
    >
    > --
    > HTH,
    >
    > Kevin Spencer
    > Microsoft MVP
    > .Net Developer
    > You can lead a fish to a bicycle,
    > but you can't make it stink.
    >
    > "Paul" <> wrote in message
    > news:...
    > > Here is a question that should get everyone going.
    > >
    > > I have an ecommerce site where I need to pass the order_id to every page.
    > > So
    > > which method is the best practice to pass this variable between pages:
    > > Cookies or Session variable or by the HTTP header (either GET querystring
    > > or
    > > POST form)?
    > >
    > > I do not like to use sessions because they time out after 20 minutes of
    > > inactivity.
    > >
    > > I do not like to use cookies because the user can disable the use of
    > > cookies
    > > through their browser settings.
    > >
    > > I am not big on the querystring/form method but it looks like it might be
    > > the safest way to ensure the app will not break.
    > >
    > > Is there a document which talks about the best practice to do this?
    > >
    > > TIA.

    >
    >
    >
     
    Paul, Dec 12, 2005
    #6
  7. m.posseth Guest

    Hello Paul ,


    Cookies are a problem in this situation because they have a size limit (to
    be exact 4096 bytes, which means that you can store a string of 255
    characters max).

    You can extend the session timeout if you feel that 20 minutes of inactivity
    (= default) is too short to close the session.

    What I also do in my programs is store info in hidden form fields.

    See this website for an example of how session vars would work:
    http://www.bildelskatalogen.se/ (Swedish, but it is pretty clear)


    regards

    Michel Posseth [MCP]





    "Paul" <> wrote in message
    news:...
    > Why are cookies a problem?
    >
    > When you say "Make sure you account for a timed-out session", what do you
    > mean? If I store the variable in a session variable, and the session times
    > out, then I lose the order. Even if I do a check to see if the session
    > timed
    > out, it still means that the order will be invalid because I will have
    > lost
    > order id?
    >
    > I like session variables also but I have a problem with the timeout.
    >
    > I think cookies are the best solution, why do you think they are a
    > problem?
    >
    >
    >
    > "Kevin Spencer" wrote:
    >
    >> Hi Paul,
    >>
    >> Passing an order_id to every page could be a problem, as a hacker could
    >> use
    >> the order_id to perform various types of nefarious operations, depending
    >> upon how well you defend your app. Cookies can be a problem. Even Session
    >> Cookies can be a problem, but most browsers allow Session Cookies. I
    >> would
    >> recommend using Session, as it keeps all the private data on the server.
    >> Just make sure and account for a timed-out Session.
    >>
    >> --
    >> HTH,
    >>
    >> Kevin Spencer
    >> Microsoft MVP
    >> .Net Developer
    >> You can lead a fish to a bicycle,
    >> but you can't make it stink.
    >>
    >> "Paul" <> wrote in message
    >> news:...
    >> > Here is a question that should get everyone going.
    >> >
    >> > I have an ecommerce site where I need to pass the order_id to every
    >> > page.
    >> > So
    >> > which method is the best practice to pass this variable between pages:
    >> > Cookies or Session variable or by the HTTP header (either GET
    >> > querystring
    >> > or
    >> > POST form)?
    >> >
    >> > I do not like to use sessions because they time out after 20 minutes of
    >> > inactivity.
    >> >
    >> > I do not like to use cookies because the user can disable the use of
    >> > cookies
    >> > through their browser settings.
    >> >
    >> > I am not big on the querystring/form method but it looks like it might
    >> > be
    >> > the safest way to ensure the app will not break.
    >> >
    >> > Is there a document which talks about the best practice to do this?
    >> >
    >> > TIA.

    >>
    >>
    >>
     
    m.posseth, Dec 12, 2005
    #7
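
An added example, not part of any post in this thread: one way to carry order_id in a query string or hidden form field (the options Paul and Michel mention) while addressing Kevin's tampering concern is to sign the value on the server and verify it on every request. The class name OrderToken, the token layout and the customerId parameter are assumptions; customerId is taken to come from the site's own login.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example (hypothetical helper, not from the thread or from ASP.NET itself).
public static class OrderToken
{
    static readonly DateTime Epoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);

    // key: server-side secret, never sent to the client. customerId must not contain '|'.
    public static string Create(byte[] key, int orderId, string customerId, DateTime expiresUtc)
    {
        long exp = (long)(expiresUtc - Epoch).TotalSeconds;
        byte[] body = Encoding.UTF8.GetBytes(orderId + "|" + customerId + "|" + exp);
        return Enc(body) + "." + Enc(Mac(key, body));
    }

    // True only if the MAC verifies, the token is unexpired and it was issued to
    // the customer making this request. orderId is 0 on any failure.
    public static bool TryValidate(byte[] key, string token, string customerId,
                                   DateTime nowUtc, out int orderId)
    {
        orderId = 0;
        string[] parts = (token ?? "").Split('.');
        if (parts.Length != 2) return false;
        byte[] body, mac;
        try { body = Dec(parts[0]); mac = Dec(parts[1]); }
        catch (FormatException) { return false; }              // not valid base64
        if (!SameBytes(Mac(key, body), mac)) return false;     // edited or forged
        string[] f = Encoding.UTF8.GetString(body).Split('|');
        long exp;
        if (f.Length != 3 || !long.TryParse(f[2], out exp)) return false;
        if ((nowUtc - Epoch).TotalSeconds > exp) return false; // stale link or form
        if (f[1] != customerId) return false;                  // someone else's order
        return int.TryParse(f[0], out orderId);
    }

    static byte[] Mac(byte[] key, byte[] data) { using (var h = new HMACSHA256(key)) return h.ComputeHash(data); }
    static bool SameBytes(byte[] a, byte[] b)                  // no early exit on mismatch
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
    static string Enc(byte[] d) => Convert.ToBase64String(d).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    static byte[] Dec(string s)                                // URL-safe base64 back to bytes
    {
        s = s.Replace('-', '+').Replace('_', '/');
        return Convert.FromBase64String(s + new string('=', (4 - s.Length % 4) % 4));
    }
}
```

The expiry is chosen by the application rather than by the session timeout, and a token that fails validation should be handled like a timed-out session: do not trust the id, and send the customer back to their own order list.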