Life without session variables

Discussion in 'ASP General' started by qaz, Jan 24, 2005.

  1. qaz

    qaz Guest

    I've always used session cookies in my web sites. However, since more and
    more people (including me) are starting to disable cookies, I'm beginning to
    think that I should change my ways and design websites without the use of
    session cookies. I've never done it before, but I understand that we can
    get around the use of session cookies either by writing data to a database
    or by passing data from one page to the next with hidden fields. Can anyone
    point me to a tutorial on "best practices" for how this is done?

    Thanks
     
    qaz, Jan 24, 2005
    #1

  2. qaz

    qaz Guest

    Well unfortunately, I want to store things like User ID for persons who are
    logged in and other such things that I would rather not pass on the
    querystring.


    "Steven Burn" <> wrote in message
    news:...
    > If it's just "throw-away" stuff you're storing in the session cookies, I'd
    > personally recommend using querystrings instead (wouldn't recommend
    > databases as they're unnecessary for that kind of stuff, and hidden fields
    > are just clumsy).
    >
    > For info on using querystrings, see MSDN (Ref: Request.QueryString)
    >
    > --
    >
    > Regards
    >
    > Steven Burn
    > Ur I.T. Mate Group
    > www.it-mate.co.uk
    >
    > Keeping it FREE!
     
    qaz, Jan 24, 2005
    #2

  3. qaz

    Jeff Cochran Guest

    On Sun, 23 Jan 2005 20:07:08 -0600, "qaz" <> wrote:

    >Well unfortunately, I want to store things like User ID for persons who are
    >logged in and other such things that I would rather not pass on the
    >querystring.


    You can use a hidden form, one with only hidden fields, to pass via
    Request.Form which won't show in the query string. Or use session
    variables. Or write to a database record whatever you wish to know
    and retrieve it on every page.

    Jeff

     
    Jeff Cochran, Jan 24, 2005
    #3
  4. > Well unfortunately, I want to store things like User ID for persons who
    > are logged in and other such things that I would rather not pass on the
    > querystring.


    You have clients that are going to log in to your web site, but they don't
    trust you with session cookies?

    Are there any web sites you know of that you can stay logged into without
    having session cookies enabled?
     
    Aaron [SQL Server MVP], Jan 24, 2005
    #4
  5. qaz

    qaz Guest

    It's not so much an issue of trust as it is having to change security
    settings with which a user may very well be otherwise quite satisfied.
    After all, they do browse to other locations on the web.

    No, I am not aware of other websites that permit logging in without the use
    of session cookies, but then again, I suppose that was really part of the
    question, viz., where can I find a good source of information on "best
    practices" for accomplishing the common task of "persisting" the data from
    page to page without the use of session (or other) cookies.


     
    qaz, Jan 24, 2005
    #5
  6. > No, I am not aware of other websites that permit logging in without the
    > use of session cookies, but then again, I suppose that was really part of
    > the question,


    My point was that users who are expecting to log into your site will expect
    session cookies to be required, since they are required at virtually every
    other site out there that requires logging in and saving state. So unless
    this is the first web site they've ever been to, chances are, they're
    already prepared for this big security risk.

    There are kludges and ugly workarounds, of course: e.g.
    http://www.aspfaq.com/2054 and
    http://support.microsoft.com/default.aspx/kb/175167

    But IMHO, you should try the session cookie route first, and see if anybody
    really has a problem with it. My guess is that users aren't going to have
    to suddenly change security settings. For most people, they will already be
    allowing session cookies... even the most paranoid have probably already
    grown tired of clicking through those GUIs every time they find a site they
    value/trust. For the rest, it will be a simple, one-time "add this site to
    trusted" or "allow session cookies on this domain"...
     
    Aaron [SQL Server MVP], Jan 24, 2005
    #6
  7. qaz

    Mark Schupp Guest

    In order to maintain a session an identifier must be passed to the browser
    and returned to every page where you need the session data to be available.
    The most convenient mechanism for this is an in-memory ("session") cookie.

    If you want to avoid session cookies you will need to create a unique
    identifier when the user first logs onto the site and include that
    identifier in every link (or in a form element on every page) that the user
    might use to navigate through the site. Then use the identifier to recover
    session data from a database. An example of a link that supported this would
    be:

    yoursite.com/index.asp?sid=1234

    With a little creative use of custom error pages you should be able to embed
    the id in the URL path as in (you have probably seen sites that do this
    without realizing what it was):

    yoursite.com/1234/index.asp

    You might want to look in to ASP.NET. I believe it has some built-in support
    for cookie-less sessions.

    --
    Mark Schupp
    Head of Development
    Integrity eLearning
    www.ielearning.com


     
    Mark Schupp, Jan 24, 2005
    #7
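
A minimal sketch of the scheme described in the post above, added here as an illustration and not code from any poster. It is written in Python rather than ASP so it runs stand-alone; the dictionary stands in for the database table, and the function names, the 20-minute idle timeout and the 32-byte random identifier (in place of a short number like 1234) are assumptions.

```python
import re
import secrets
import time

SESSION_TTL = 20 * 60  # idle timeout in seconds (assumed value)

# A session id is 32 random bytes in base64url form: exactly 43 characters.
SID_RE = re.compile(r"^/([A-Za-z0-9_-]{43})(/.*)?$")

# Stand-in for the database table that holds session data, keyed by session id.
SESSIONS = {}

def start_session(user_id, now=None):
    """At login: create an unguessable id and keep the data on the server."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    SESSIONS[sid] = {"user_id": user_id, "last_seen": now}
    return sid

def link(sid, path):
    """Rewrite a site-relative link so the id travels in the URL path."""
    return "/" + sid + "/" + path.lstrip("/")

def resolve(request_path, now=None):
    """Return (session, real_path); session is None if the id is missing,
    malformed, unknown or idle for longer than SESSION_TTL."""
    now = time.time() if now is None else now
    m = SID_RE.match(request_path)
    if not m:
        return None, request_path
    sid, rest = m.group(1), m.group(2) or "/"
    sess = SESSIONS.get(sid)
    if sess is None:
        return None, rest
    if now - sess["last_seen"] > SESSION_TTL:
        del SESSIONS[sid]  # expired: drop it so the id can never be reused
        return None, rest
    sess["last_seen"] = now
    return sess, rest

def end_session(sid):
    """At logout: invalidate the id on the server."""
    SESSIONS.pop(sid, None)

if __name__ == "__main__":
    sid = start_session("user42")      # constructed sample user
    url = link(sid, "index.asp")
    print(url)
    print(resolve(url))
    print(resolve("/1234/index.asp"))  # short guessable id is not accepted
```

Because the id is part of every URL, it also ends up in Referer headers, server logs and copied links, so the idle timeout and the server-side invalidation at logout carry most of the protection here.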
  8. Aaron [SQL Server MVP] wrote:
    > Are there any web sites you know of that you can stay logged into
    > without having session cookies enabled?


    This, for one: http://www.amazon.com/

    No cookies or scripting required.



    --
    Dave Anderson

    Unsolicited commercial email will be read at a cost of $500 per message. Use
    of this email address implies consent to these terms. Please do not contact
    me directly or ask me to contact you directly for assistance. If your
    question is worth asking, it's worth posting.
     
    Dave Anderson, Jan 24, 2005
    #8
  9. And I guess qaz can match the development budget of amazon.com?

    Come on Dave, I provided samples for potential workarounds, but in reality,
    this is just not a very common thing, and I have serious doubts that he will
    lose any customers no matter which approach he takes.






     
    Aaron [SQL Server MVP], Jan 24, 2005
    #9
  10. Aaron [SQL Server MVP] wrote:
    > And I guess qaz can match the development budget of amazon.com?
    >
    > Come on Dave, I provided samples for potential workarounds, but in
    > reality, this is just not a very common thing, and I have serious
    > doubts that he will lose any customers no matter which approach he
    > takes.


    While I agree that it is perfectly acceptable for an application to require
    cookies, I also recognize that there are several technologies that make
    cookieless sessions straightforward to implement (such as ASP.NET). But you
    are correct to note that ASP is not one of them.

    Amazon's technique differs from the suggestions in KB175167 in that it
    embeds the session ID in the URL, not in the QueryString. This can be
    accomplished in ASP with a custom 404 handler, for example, but it is
    anything but trivial to implement.

    I should know - I have an application that does this exactly.



    --
    Dave Anderson

    Unsolicited commercial email will be read at a cost of $500 per message. Use
    of this email address implies consent to these terms. Please do not contact
    me directly or ask me to contact you directly for assistance. If your
    question is worth asking, it's worth posting.
     
    Dave Anderson, Jan 24, 2005
    #10
  11. qaz

    Guest

    > Amazon's technique differs from the suggestions in KB175167 in that it
    > embeds the session ID in the URL, not in the QueryString. This can be
    > accomplished in ASP with a custom 404 handler, for example, but it is
    > anything but trivial to implement.


    Interesting. Never really noticed this...
    What's the advantage of putting it in the URL rather than the QS?
     
    , Jan 25, 2005
    #11
  12. qaz

    Steven Burn Guest

    Putting it in the URL isn't as "obvious" to those that may want to exploit it.

    --

    Regards

    Steven Burn
    Ur I.T. Mate Group
    www.it-mate.co.uk

    Keeping it FREE!

     
    Steven Burn, Jan 25, 2005
    #12
  13. qaz

    Bullschmidt Guest

    <<
    I've always used session cookies in my web sites. However, since more and
    more people (including me) are starting to disable cookies, I'm beginning to
    think that I should change my ways and design websites without the use of
    session cookies. I've never done it before, but I understand that we can
    get around the use of session cookies either by writing data to a database
    or by passing data from one page to the next with hidden fields. Can anyone
    point me to a tutorial on "best practices" for how this is done?
    >>


    I believe that session variables can still be used even if a user has
    disabled cookies and that is by long querystrings which are
    automatically created.

    But if you want to look into not using session variables here are a
    couple resources:

    Why won't my session variables stick?
    http://www.aspfaq.com/show.asp?id=2157

    Maintaining Session State - 9/20/1998
    http://www.4guysfromrolla.com/webtech/092098-1.shtml

    Pros and Cons of Session Variables - 9/20/1998
    http://www.4guysfromrolla.com/webtech/092098-2.shtml

    Forcing the Session to Close - 10/24/1998
    http://www.4guysfromrolla.com/webtech/102498-3.shtml

    Maintaining Persistent Information on the Web from the book Teach
    Yourself Active Server Pages 3.0 in 21 Days Sample Chapter! by Web
    masters Scott Mitchell and James Atkinson
    http://www.asp101.com/articles/sample_chapters/sams_asp3in21/page1.asp

    Design Strategies for Scalable Active Server Applications by Steve Kirk
    MSDN Content Development Group 8/1997
    http://msdn.microsoft.com/isapi/msdnlib.idc?theURL=/library/techart/msdn_aspscale.htm

    Best regards,
    J. Paul Schmidt, Freelance ASP Web Developer
    http://www.Bullschmidt.com
    ASP Design Tips, ASP Web Database Demo, Free ASP Bar Chart Tool...


    *** Sent via Developersdex http://www.developersdex.com ***
    Don't just participate in USENET...get rewarded for it!
     
    Bullschmidt, Jan 26, 2005
    #13
  14. qaz

    qaz Guest

    Thanks for the links. I find this whole idea of "life without session
    variables" very interesting.


     
    qaz, Jan 26, 2005
    #14
  15. wrote:
    > Interesting. Never really noticed this...
    > What's the advantage of putting it in the URL rather than the QS?


    There are several advantages, but I suppose the biggest is that it embeds
    the session ID in the HTTP_REFERER header for each request (including image
    requests).



    --
    Dave Anderson

    Unsolicited commercial email will be read at a cost of $500 per message. Use
    of this email address implies consent to these terms. Please do not contact
    me directly or ask me to contact you directly for assistance. If your
    question is worth asking, it's worth posting.
     
    Dave Anderson, Jan 26, 2005
    #15