Life without session variables

qaz

I've always used session cookies in my web sites. However, since more and
more people (including me) are starting to disable cookies, I'm beginning to
think that I should change my ways and design websites without the use of
session cookies. I've never done it before, but I understand that we can
get around the use of session cookies either by writing data to a database
or by passing data from one page to the next with hidden fields. Can anyone
point me to a tutorial on "best practices" for how this is done?

Thanks
 
qaz

Well unfortunately, I want to store things like User ID for persons who are
logged in and other such things that I would rather not pass on the
querystring.


Steven Burn said:
If it's just "throw-away" stuff you're storing in the session cookies, I'd
personally recommend using querystrings instead (wouldn't recommend
databases as they're unnecessary for that kind of stuff, and hidden fields
are just clumsy).
 
Jeff Cochran

Well unfortunately, I want to store things like User ID for persons who are
logged in and other such things that I would rather not pass on the
querystring.

You can use a hidden form, one with only hidden fields, to pass via
Request.Form which won't show in the query string. Or use session
variables. Or write to a database record whatever you wish to know
and retrieve it on every page.

Jeff
 
Aaron [SQL Server MVP]

Well unfortunately, I want to store things like User ID for persons who are
logged in and other such things that I would rather not pass on the
querystring.

You have clients that are going to log in to your web site, but they don't
trust you with session cookies?

Are there any web sites you know of that you can stay logged into without
having session cookies enabled?
 
qaz

It's not so much an issue of trust as it is having to change security
settings with which a user may very well be otherwise quite satisfied.
After all, they do browse to other locations on the web.

No, I am not aware of other websites that permit logging in without the use
of session cookies, but then again, I suppose that was really part of the
question, viz., where can I find a good source of information on "best
practices" for accomplishing the common task of "persisting" the data from
page to page without the use of session (or other) cookies.
 
Aaron [SQL Server MVP]

No, I am not aware of other websites that permit logging in without the use
of session cookies, but then again, I suppose that was really part of the
question,

My point was that users who are expecting to log into your site will expect
session cookies to be required, since they are required at virtually every
other site out there that requires logging in and saving state. So unless
this is the first web site they've ever been to, chances are, they're
already prepared for this big security risk.

There are kludges and ugly workarounds, of course: e.g.
http://www.aspfaq.com/2054 and
http://support.microsoft.com/default.aspx/kb/175167

But IMHO, you should try the session cookie route first, and see if anybody
really has a problem with it. My guess is that users aren't going to have
to suddenly change security settings. For most people, they will already be
allowing session cookies... even the most paranoid have probably already
grown tired of clicking through those GUIs every time they find a site they
value/trust. For the rest, it will be a simple, one-time "add this site to
trusted" or "allow session cookies on this domain"...
 
Mark Schupp

In order to maintain a session an identifier must be passed to the browser
and returned to every page where you need the session data to be available.
The most convenient mechanism for this is an in-memory ("session") cookie.

If you want to avoid session cookies you will need to create a unique
identifier when the user first logs onto the site and include that
identifier in every link (or in a form element on every page) that the user
might use to navigate through the site. Then use the identifier to recover
session data from a database. An example of a link that supported this would
be:

yoursite.com/index.asp?sid=1234

With a little creative use of custom error pages you should be able to embed
the id in the URL path as in (you have probably seen sites that do this
without realizing what it was):

yoursite.com/1234/index.asp

You might want to look into ASP.NET. I believe it has some built-in support
for cookie-less sessions.

--
Mark Schupp
Head of Development
Integrity eLearning
www.ielearning.com
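Mark's scheme, as an added Python sketch that is not from the thread or from any product named in it: issue a random session id at login, recover it from either URL form he shows (`?sid=` or the first path segment), and look it up in a server-side store with an idle timeout. `SESSIONS`, `SESSION_TTL`, the 32-hex-digit id format and the in-memory dict standing in for the database are all assumptions.

```python
import re
import secrets
import time
from urllib.parse import parse_qs, urlsplit

# Constructed in-memory store standing in for the database Mark describes:
# sid -> {"user_id": ..., "expires": unix time}. Hypothetical names/values.
SESSIONS = {}
SESSION_TTL = 20 * 60  # idle timeout in seconds (assumed)

# Path-embedded form (yoursite.com/1234/index.asp): the first path segment is
# the session id. Assumed id format: 32 lowercase hex digits from new_session.
_PATH_SID = re.compile(r"^/([0-9a-f]{32})(/.*)?$")


def new_session(user_id):
    """Create a server-side session at login and return its unguessable id."""
    sid = secrets.token_hex(16)  # 128 bits from the OS CSPRNG, not a counter
    SESSIONS[sid] = {"user_id": user_id, "expires": time.time() + SESSION_TTL}
    return sid


def extract_sid(url):
    """Pull the session id from either URL form discussed in the thread."""
    parts = urlsplit(url)
    m = _PATH_SID.match(parts.path)
    if m:
        return m.group(1)
    return parse_qs(parts.query).get("sid", [None])[0]


def lookup_user(url, now=None):
    """Return the logged-in user id for this request, or None if no valid session."""
    now = time.time() if now is None else now
    sid = extract_sid(url)
    sess = SESSIONS.get(sid) if sid else None
    if sess is None:
        return None
    if sess["expires"] < now:
        del SESSIONS[sid]  # an id that leaked via logs/Referer must not stay usable
        return None
    sess["expires"] = now + SESSION_TTL  # sliding expiry on activity
    return sess["user_id"]


def build_link(sid, page, in_path=True):
    """Embed sid in the path (/sid/page) or in the query string (page?sid=...)."""
    return f"/{sid}/{page}" if in_path else f"/{page}?sid={sid}"
```

Because the id travels in the URL it lands in server logs and, as noted later in the thread, in the Referer header of every outgoing request, so it has to be unguessable and expire rather than be a long-lived counter like `sid=1234`.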
 
Dave Anderson

Aaron said:
Are there any web sites you know of that you can stay logged into
without having session cookies enabled?

This, for one: http://www.amazon.com/

No cookies or scripting required.



--
Dave Anderson

Unsolicited commercial email will be read at a cost of $500 per message. Use
of this email address implies consent to these terms. Please do not contact
me directly or ask me to contact you directly for assistance. If your
question is worth asking, it's worth posting.
 
Aaron [SQL Server MVP]

And I guess qaz can match the development budget of amazon.com?

Come on Dave, I provided samples for potential workarounds, but in reality,
this is just not a very common thing, and I have serious doubts that he will
lose any customers no matter which approach he takes.
 
Dave Anderson

Aaron said:
And I guess qaz can match the development budget of amazon.com?

Come on Dave, I provided samples for potential workarounds, but in
reality, this is just not a very common thing, and I have serious
doubts that he will lose any customers no matter which approach he
takes.

While I agree that it is perfectly acceptable for an application to require
cookies, I also recognize that there are several technologies that make
cookieless sessions straightforward to implement (such as ASP.NET). But you
are correct to note that ASP is not one of them.

Amazon's technique differs from the suggestions in KB175167 in that it
embeds the session ID in the URL, not in the QueryString. This can be
accomplished in ASP with a custom 404 handler, for example, but it is
anything but trivial to implement.

I should know - I have an application that does this exactly.



--
Dave Anderson

Unsolicited commercial email will be read at a cost of $500 per message. Use
of this email address implies consent to these terms. Please do not contact
me directly or ask me to contact you directly for assistance. If your
question is worth asking, it's worth posting.
 
larrybud2002

Amazon's technique differs from the suggestions in KB175167 in that it
embeds the session ID in the URL, not in the QueryString. This can be
accomplished in ASP with a custom 404 handler, for example, but it is
anything but trivial to implement.

Interesting. Never really noticed this...
What's the advantage of putting it in the URL rather than the QS?
 
Steven Burn

Putting it in the URL isn't as "obvious" to those that may want to exploit it.

--

Regards

Steven Burn
Ur I.T. Mate Group
www.it-mate.co.uk

Keeping it FREE!

| > Amazon's technique differs from the suggestions in KB175167 in that it
| > embeds the session ID in the URL, not in the QueryString. This can be
| > accomplished in ASP with a custom 404 handler, for example, but it is
| > anything but trivial to implement.
|
| Interesting. Never really noticed this...
| What's the advantage of putting it in the URL rather than the QS?
|
 
Bullschmidt

<<
I've always used session cookies in my web sites. However, since more and
more people (including me) are starting to disable cookies, I'm beginning to
think that I should change my ways and design websites without the use of
session cookies. I've never done it before, but I understand that we can
get around the use of session cookies either by writing data to a database
or by passing data from one page to the next with hidden fields. Can anyone
point me to a tutorial on "best practices" for how this is done?

I believe that session variables can still be used even if a user has
disabled cookies and that is by long querystrings which are
automatically created.

But if you want to look into not using session variables here are a
couple resources:

Why won't my session variables stick?
http://www.aspfaq.com/show.asp?id=2157

Maintaining Session State - 9/20/1998
http://www.4guysfromrolla.com/webtech/092098-1.shtml

Pros and Cons of Session Variables - 9/20/1998
http://www.4guysfromrolla.com/webtech/092098-2.shtml

Forcing the Session to Close - 10/24/1998
http://www.4guysfromrolla.com/webtech/102498-3.shtml

Maintaining Persistent Information on the Web from the book Teach
Yourself Active Server Pages 3.0 in 21 Days Sample Chapter! by Web
masters Scott Mitchell and James Atkinson
http://www.asp101.com/articles/sample_chapters/sams_asp3in21/page1.asp

Design Strategies for Scalable Active Server Applications by Steve Kirk
MSDN Content Development Group 8/1997
http://msdn.microsoft.com/isapi/msdnlib.idc?theURL=/library/techart/msdn_aspscale.htm

Best regards,
J. Paul Schmidt, Freelance ASP Web Developer
http://www.Bullschmidt.com
ASP Design Tips, ASP Web Database Demo, Free ASP Bar Chart Tool...
 
qaz

Thanks for the links. I find this whole idea of "life without session
variables" very interesting.
 
Dave Anderson

Interesting. Never really noticed this...
What's the advantage of putting it in the URL rather than the QS?

There are several advantages, but I suppose the biggest is that it embeds
the session ID in the HTTP_REFERER header for each request (including image
requests).



--
Dave Anderson

Unsolicited commercial email will be read at a cost of $500 per message. Use
of this email address implies consent to these terms. Please do not contact
me directly or ask me to contact you directly for assistance. If your
question is worth asking, it's worth posting.
 