Store session variables in a form

Fernie

I know that session data can be stored in fat urls and cookies but I am
wondering if it is possible to store session data within a form. If so, what
are they called and can someone show me an example of how the html syntax
looks?

Thanks very much,

Fernie
 
RobM

Fernie said:
I know that session data can be stored in fat urls and cookies but I am
wondering if it is possible to store session data within a form. If so, what
are they called and can someone show me an example of how the html syntax
looks?

Thanks very much,

Fernie

Hi - to store data in a form for later retrieval when it is submitted back
(is that what you mean by session variables - as opposed to JSP/ASP server
session variable storage?) - you populate hidden input fields.

<input type="hidden" name="fieldname" value="some_value">

Obviously within your <form>...</form> tags.

This also makes your page and its transmission bigger, a tradeoff with
keeping session variables on the server (whatever server language you're
using).

Cheers
RobM
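
Values placed in hidden fields come back from the client and can be edited before the form is submitted. The sketch below is an added example, not code from the thread: it packs form state into one hidden field with an HMAC-SHA256 tag so the server can detect changes. `SECRET_KEY`, `pack_state`, `unpack_state` and `hidden_input` are hypothetical names, and the key value is constructed.

```python
import base64
import hashlib
import hmac
import html
import json

# Assumption: a secret known only to the server (constructed demo value).
SECRET_KEY = b"constructed-demo-key-change-me"


def _tag(payload: str) -> str:
    """HMAC-SHA256 over the encoded payload, as hex."""
    return hmac.new(SECRET_KEY, payload.encode("utf-8"), hashlib.sha256).hexdigest()


def pack_state(state: dict) -> str:
    """Serialize state and append a tag so any later edit is detectable."""
    raw = json.dumps(state, sort_keys=True).encode("utf-8")
    payload = base64.urlsafe_b64encode(raw).decode("ascii")
    return payload + "." + _tag(payload)


def unpack_state(field_value: str):
    """Return the state dict, or None if the value is malformed or was altered."""
    payload, sep, tag = field_value.rpartition(".")
    if not sep:
        return None
    # Constant-time comparison; bytes on both sides so odd input cannot raise.
    if not hmac.compare_digest(_tag(payload).encode(), tag.encode("utf-8")):
        return None
    try:
        return json.loads(base64.urlsafe_b64decode(payload))
    except ValueError:
        return None


def hidden_input(name: str, value: str) -> str:
    """Render the hidden field with name and value escaped for an HTML attribute."""
    return '<input type="hidden" name="%s" value="%s">' % (
        html.escape(name, quote=True),
        html.escape(value, quote=True),
    )
```

The tag only detects modification: the client can still read the values, and an older signed value can be resubmitted unchanged.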
 
Fernie

Hi Rob,

Thank you very much for your response, that was exactly what I was looking
for!

Best Regards,

Fernie
 
Fernie

Hi Rob,

Now I'm able to store all session information on the html page without
cookies. Thank you.

Anyway, I was thinking about your reply to me and I'm curious about
something. I don't do much internet development and I don't use anything
fancy like JSP or ASP server (I've been playing around with CGIs).

How do these server platforms identify each anonymous web client? Is it
through some random identifier that is stored on the client? If so, is it a
cookie, a hidden form, a fat url, or any combination? I can see problems
with methods, such as IPs and cookies. I'd guess hidden fields is how an
identifier is stored. Am I way off base?

Thanks again,

Fernie
 
RobM

Fernie said:
Hi Rob,

Now I'm able to store all session information on the html page without
cookies. Thank you.

Anyway, I was thinking about your reply to me and I'm curious about
something. I don't do much internet development and I don't use anything
fancy like JSP or ASP server (I've been playing around with CGIs).

How do these server platforms identify each anonymous web client? Is it
through some random identifier that is stored on the client? If so, is it a
cookie, a hidden form, a fat url, or any combination? I can see problems
with methods, such as IPs and cookies. I'd guess hidden fields is how an
identifier is stored. Am I way off base?

Thanks again,

Fernie

Hi

I have used a CGI (and am currently converting it) and I bet most people
have never used this one - "powerbuilder"! It doesn't have inbuilt session
store areas (to keep state) so I save name & values to a database. I put the
key to that table - 1 per new login - (e.g. "session_id") in a hidden field,
as above, on every form page. So, that's a combination as you mention.

Now for the "jsp/asp" mentioned above. I'll mention JSP coz it's all I've
used apart from the CGI above. It uses 'URL encoding' - and works like this:
IF the browser can accept cookies, it stores a java session variable in a
cookie and looks after returning and identifying the returning user/session
internally (all done for you). IF again the browser doesn't accept cookies,
then it adds the session id to the URL and again automatically handles it
for you. To ensure this, you do:

<form ... action="<%=response.encodeURL("nextPage")%>" ...> for a form
and...

<a ... href="<%=response.encodeURL("nextPage")%>" ..> for a link/anchor.

I think ASP is probably quite similar, from the commands I've seen.

So you're not off base, and if the CGI you're using doesn't have inbuilt
session objects and such methods, and you don't want to store _most_ user's
session data in a database (only having a hidden field for a key) then yes
you're on the right track.

Back to me brekky...
Cheers
RobM
Melbourne
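
The pattern described in this post (session data in a server-side table, only its key in a hidden field) is sketched below as an added example; it is not the poster's code. `SessionTable` and `handle_form_post` are hypothetical names, a dict stands in for the database table, and the 30-minute timeout is an assumption.

```python
import secrets
import time

SESSION_TTL_SECONDS = 1800  # assumption: 30-minute idle timeout


class SessionTable:
    """In-memory stand-in for the database table keyed by session_id."""

    def __init__(self, ttl=SESSION_TTL_SECONDS, clock=time.time):
        self._rows = {}
        self._ttl = ttl
        self._clock = clock

    def create(self, user):
        # 32 bytes from the OS CSPRNG: the key must not be guessable,
        # so never reuse a row counter or timestamp as the session_id.
        session_id = secrets.token_urlsafe(32)
        self._rows[session_id] = {"user": user, "data": {}, "last_seen": self._clock()}
        return session_id

    def load(self, session_id):
        """Return the row for a submitted session_id, or None if unknown or expired."""
        row = self._rows.get(session_id) if isinstance(session_id, str) else None
        if row is None:
            return None
        if self._clock() - row["last_seen"] > self._ttl:
            del self._rows[session_id]  # expired: drop it so the id cannot be reused
            return None
        row["last_seen"] = self._clock()
        return row

    def destroy(self, session_id):
        """Call on logout so the id stops working immediately."""
        self._rows.pop(session_id, None)


def handle_form_post(table, form):
    """form is the parsed POST body; session_id is the only state the client holds."""
    row = table.load(form.get("session_id"))
    if row is None:
        return "login required"
    row["data"]["last_page"] = form.get("page", "")
    return "hello " + row["user"]
```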
 
Andy Dingley

I don't do much internet development and I don't use anything
fancy like JSP or ASP server (I've been playing around with CGIs).

Fancy? As a developer, they're a lot less troublesome than CGI. CGI
is minimal, crude and I haven't used it in years. If I am writing Perl
for web back ends, mod_perl is almost always a better idea than CGI.
(I know that CGI doesn't imply formally Perl, but empirically this is
usually true)

How do these server platforms identify each anonymous web client?

As a web developer, you shouldn't need to worry about this. It's very
much something that should be done for you by your middleware. It's a
_hard_ problem - like order processing and credit card handling, most
web developers just aren't competent to do it well and they should be
protected from it.

As you rightly phrase it, web clients are anonymous. HTTP is an
anonymous and non-stateful protocol. Tracking sessions isn't an easy
thing to bolt onto this. Around '97 - '99, just how to track sessions
was an issue of some debate. It wasn't clear just how to do it best,
and developers often needed to do it themselves. There was even some
muttering that it was all HTTP's fault and that it should be
re-engineered to support it.

Some methods are obvious (IP tracking), but unreliable (proxies).
Others, like embedding IDs into URLs, are robust but prone to
spoofing. Cookies are good, but might be disabled. Generally you
should rely on your middleware to worry about this for you - setting a
cookie if it can, munging the URL if it can't. Use that Session
object you're given and don't worry too much about the details. If you
don't have one, change platform until you do.
 
Fernie

Andy and Rob,

I'd like to thank both of you for your very interesting and informative
replies. I have a decent handle on session tracking now, I've gone with
the hidden field method and it seems to be working just fine.

One thing that I'll add is in regards to multiple client requests. In my
particular case, the cgi executable handles a single client request at a
time. Therefore, if multiple clients make simultaneous requests, you end
up with multiple (short lived) processes. Ideally, I should design the
executable as an ISAPI extension but now you end up having to manage sessions
AND threads, making things more complex for the developer.

Now I see why it is a good reason to choose a robust middleware system. I'm
personally familiar with C++ and that is what I've made my cgi with.
Because of the syntax, would Perl be my best bet? I'd hate to learn new
syntax like PHP, etc. Does Perl provide the session and thread management
features?

Best regards,

Fernie
 
