Eternal Debate: Cookies vs. Sessions vs. QueryString

Guest

Here is a question that should get everyone going.

I have an ecommerce site where I need to pass the order_id to every page. So
which method is the best practice to pass this variable between pages:
Cookies or Session variable or by the HTTP header (either GET querystring or
POST form)?

I do not like to use sessions because they time out after 20 minutes of
inactivity.

I do not like to use cookies because the user can disable the use of cookies
through their browser settings.

I am not big on the querystring/form method but it looks like it might be
the safest way to ensure the app will not break.

Is there a document which talks about the best practice to do this?

TIA.
 
zoli

Paul said:
Here is a question that should get everyone going.

I have an ecommerce site where I need to pass the order_id to every page. So
which method is the best practice to pass this variable between pages:
Cookies or Session variable or by the HTTP header (either GET querystring or
POST form)?

I do not like to use sessions because they time out after 20 minutes of
inactivity.

I do not like to use cookies because the user can disable the use of cookies
through their browser settings.

I am not big on the querystring/form method but it looks like it might be
the safest way to ensure the app will not break.

Is there a document which talks about the best practice to do this?

TIA.
 
Paul, have a look at this (it is from the w3schools site)
http://www.w3schools.com/asp/asp_cookies.asp

It might be the answer you are looking for?


What if a Browser Does NOT Support Cookies?
---------------------------------------------------------------------
If your application deals with browsers that do not support cookies,
you will have to use other methods to pass information from one page to
another in your application. There are two ways of doing this:

1. Add parameters to a URL
You can add parameters to a URL:

<a href="welcome.asp?fname=John&lname=Smith">
Go to Welcome Page</a>

And retrieve the values in the "welcome.asp" file like this:

<%
' Read the two values from the query string
fname=Request.QueryString("fname")
lname=Request.QueryString("lname")
' HTMLEncode user-supplied text before writing it into the page, so a crafted
' query string cannot inject markup or script (the raw w3schools snippet echoes
' the values unencoded)
Response.Write("<p>Hello " & Server.HTMLEncode(fname) & " " & Server.HTMLEncode(lname) & "!</p>")
Response.Write("<p>Welcome to my Web site!</p>")
%>

2. Use a form
You can use a form. The form passes the user input to "welcome.asp"
when the user clicks on the Submit button:

<form method="post" action="welcome.asp">
First Name: <input type="text" name="fname" value="">
Last Name: <input type="text" name="lname" value="">
<input type="submit" value="Submit">
</form>

Retrieve the values in the "welcome.asp" file like this:

<%
' Read the two values from the posted form
fname=Request.Form("fname")
lname=Request.Form("lname")
' HTMLEncode user-supplied text before writing it into the page, so a crafted
' form submission cannot inject markup or script (the raw w3schools snippet
' echoes the values unencoded)
Response.Write("<p>Hello " & Server.HTMLEncode(fname) & " " & Server.HTMLEncode(lname) & "!</p>")
Response.Write("<p>Welcome to my Web site!</p>")
%>
 
Kevin Spencer

Hi Paul,

Passing an order_id to every page could be a problem, as a hacker could use
the order_id to perform various types of nefarious operations, depending
upon how well you defend your app. Cookies can be a problem. Even Session
Cookies can be a problem, but most browsers allow Session Cookies. I would
recommend using Session, as it keeps all the private data on the server.
Just make sure to account for a timed-out Session.

--
HTH,

Kevin Spencer
Microsoft MVP
.Net Developer
You can lead a fish to a bicycle,
but you can't make it stink.
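Kevin's recommendation, keeping the order id in a server-side Session and handling a timed-out Session, as an added Python example that is not part of this thread and is not ASP.NET's Session implementation. The in-memory store, the 20-minute sliding timeout, the ORDERS table and the user names are constructed for illustration; the point it shows is that the browser only ever holds an unguessable session id, and that an order_id arriving from anywhere (query string, form field, cookie) is honoured only when the session is still alive and the order belongs to that session's user.

```python
import secrets
import time

SESSION_TIMEOUT_SECONDS = 20 * 60  # the 20-minute inactivity default the thread mentions

# Constructed sample order table: which user owns which order (hypothetical).
ORDERS = {
    "ORD-1001": {"owner": "alice", "total": 49.95},
    "ORD-1002": {"owner": "bob", "total": 12.00},
}


class SessionStore:
    """Minimal in-memory server-side session store with sliding expiration."""

    def __init__(self, timeout=SESSION_TIMEOUT_SECONDS, clock=time.time):
        self._timeout = timeout
        self._clock = clock          # injectable clock so expiry can be tested
        self._sessions = {}          # session_id -> {"user", "data", "last_seen"}

    def create(self, user):
        # The only thing the browser ever stores is this opaque, unguessable id.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "data": {}, "last_seen": self._clock()}
        return sid

    def get(self, sid):
        """Return the live session for sid, or None if unknown or timed out."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        now = self._clock()
        if now - session["last_seen"] > self._timeout:
            del self._sessions[sid]   # expired: forget it server-side
            return None
        session["last_seen"] = now    # sliding timeout: activity extends the session
        return session


def view_order(store, sid, order_id):
    """Page handler. `sid` comes from the session cookie; `order_id` may come from
    the query string, a form field or a cookie. Returns (status, payload)."""
    session = store.get(sid)
    if session is None:
        # Account for a timed-out session: fail closed and send the user to
        # re-authenticate instead of crashing or trusting a stale order id.
        return ("redirect", "/login?reason=session_expired")
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != session["user"]:
        # Same answer for "no such order" and "someone else's order", so the
        # response does not reveal which order ids exist.
        return ("forbidden", None)
    session["data"]["order_id"] = order_id   # remember it server-side for later pages
    return ("ok", order)


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice")
    print(view_order(store, sid, "ORD-1001"))   # alice's own order: ok
    print(view_order(store, sid, "ORD-1002"))   # bob's order: forbidden
    print(view_order(store, "not-a-real-id", "ORD-1001"))   # no session: redirect
```

The ownership check is what actually answers the "hacker could use the order_id" concern: it makes the transport choice a usability question rather than a security one, because a guessed or edited order id fails the check whichever way it arrives.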
 
Guest

Hi Kevin,

If it is in a web farm, can the session be retrieved on a different machine?

Thanks,


Elton Wang
 
Guest

Why are cookies a problem?

When you say "Make sure you account for a timed-out session", what do you
mean? If I store the variable in a session variable, and the session times
out, then I lose the order. Even if I do a check to see if the session timed
out, it still means that the order will be invalid because I will have lost
the order id?

I like session variables also but I have a problem with the timeout.

I think cookies are the best solution, why do you think they are a problem?
 
m.posseth

Hello Paul ,


Cookies are a problem in this situation because they have a size limit (to
be exact 4096 bytes, which means that you can store a string of 255
characters max)

You can extend the session timeout if you feel that 20 minutes of inactivity
(= default) is too short to close the session

What I also do in my programs is store info in hidden form fields

See this website for an example of how session vars would work:
http://www.bildelskatalogen.se/ (Swedish, but it is pretty clear)


regards

Michel Posseth [MCP]
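Michel's hidden-form-field approach, as an added Python example that is not part of this thread: the same idea applies to a cookie or a query-string parameter. Whatever is handed to the browser can be edited before it comes back, so the value placed in the field is an HMAC-signed token that carries the order id, the user it was issued to and an expiry; any edit to the order id, or reuse by another user or after the expiry, is rejected on the server. SECRET_KEY, the claim names and the token layout are assumptions made for this demo and are not from the page.

```python
import base64
import hashlib
import hmac
import json
import time

# Hypothetical server-side secret; in a real deployment this comes from
# configuration and is never sent to the browser.
SECRET_KEY = b"constructed-demo-key-replace-in-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_order_token(order_id, user, ttl_seconds=20 * 60, now=None):
    """Build the value to put in the hidden field (or cookie / query string).
    Layout: base64(payload) '.' base64(HMAC-SHA256(payload)). The payload binds
    the order id to the user it was issued to and to an expiry time."""
    now = time.time() if now is None else now
    claims = {"order_id": order_id, "user": user, "exp": int(now + ttl_seconds)}
    payload = json.dumps(claims, separators=(",", ":")).encode("utf-8")
    mac = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(mac)


def verify_order_token(token, user, now=None):
    """Return the order id if the token is authentic, unexpired and was issued
    to `user`; return None otherwise. `user` is the currently authenticated
    user, taken from the login session, never from the token alone."""
    now = time.time() if now is None else now
    try:
        payload_b64, mac_b64 = token.split(".", 1)
        payload = _unb64(payload_b64)
        mac = _unb64(mac_b64)
    except (ValueError, TypeError):
        return None                      # malformed token
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None                      # payload was edited or MAC forged
    try:
        claims = json.loads(payload.decode("utf-8"))
    except (ValueError, UnicodeDecodeError):
        return None
    if claims.get("user") != user:
        return None                      # token issued to someone else
    if claims.get("exp", 0) < now:
        return None                      # expired
    return claims.get("order_id")


if __name__ == "__main__":
    token = sign_order_token("ORD-1001", "alice")
    print(len(token), "characters in the hidden field:", token)
    print("alice:", verify_order_token(token, "alice"))   # ORD-1001
    print("bob:  ", verify_order_token(token, "bob"))     # None
```

The token is a little over a hundred characters, well inside any cookie or form-field limit, and because the server recomputes the MAC from its own secret there is nothing to store server-side; that is the trade the thread is circling around, with the Session approach keeping the data on the server and this approach keeping only the key there.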
 