Coplan has asked for the wisdom of the Perl Monks concerning the following question:
I maintain a website that uses a lot of perl, and depends on cookies. A friend put a bug in my ear and has me considering the idea of doing session management without cookies. The advantage that I see would be that I would not require users to accept cookies to use the website (I imagine cookies still scare some people).
Now I admit, I am not exactly a good perl hacker, and I still have very much to learn. While I did do a search on CPAN, and I found a couple of modules that I may be able to use, I'm still not exactly sure how I need to approach this. For that matter, I'm still not sure if I should.
First of all, should I consider switching to a non-cookie session management system for my website? I'd like to see arguments for or against this (as opposed to using cookies). Second of all, if anyone has had some experience with this, maybe you could help me better understand what I really need to be learning. While a search on CPAN does yield a great deal on the topic, I'm not sure exactly what I would need.
Thank you for your help.
--Coplan
Re: Maintain Session without Cookies?
by tjh (Curate) on Feb 22, 2002 at 02:42 UTC
There are a number of threads here on PM discussing the philosophies and practicalities of State and/or Session management.
I've been into this research in the last week as well, but haven't made any conclusions yet. We use cookies in several sites now, and while over the last 2 years or so cookie-related tech support calls have declined markedly, we'd still like a cookie-less solution.
However, some PM threads that have been excellent, useful or informative are:
There are many other mentions of 'state', 'session', 'cookie' etc. via Super Search. Plus, in the last 48 hours, unless I'm hallucinating (which shouldn't be true), I thought I saw a recent release of something (for Apache?) that handles cookie-less state management. However, I can't find it again. Hope the links help with the review of the philosophies and/or methods of cookie-less state.
Re: Maintain Session without Cookies?
by jepri (Parson) on Feb 22, 2002 at 01:06 UTC
In general terms, cookies are now accepted everywhere, like visa. Almost every browser has the capability to handle cookies, and most of them have sophisticated ways of making sure that you don't accidentally give cookies to advertisers, even if the adverts appear on a site that is also handing out cookies.
Doing without cookies means embedding a unique number in every link, sort of like: http://mysite.com/cgi-bin/script.cgi?cookienum=32984563298745&action=showpage. Then every time someone clicks a link you extract the number and use it to load the session data. Quite painful, but certainly doable. It also gets worse if you generate a new unique number for each page (people can't press the back button any more).
____________________
Jeremy
I didn't believe in evil until I dated it.
•Re: Maintain Session without Cookies?
by merlyn (Sage) on Feb 22, 2002 at 03:30 UTC
Re: Maintain Session without Cookies?
by Ryszard (Priest) on Feb 22, 2002 at 05:20 UTC
I guess one advantage of not using cookies is you can maintain sessions on devices that do not accept cookies, such as PDAs and phones.
The biggest disadvantage is the ease with which a session can be hijacked. If, for example, you cut and paste the URL and email it to another person, they will have your session. It's a rather simplistic example, but is a threat I would consider, especially if you have personal information on your site.
Here is a good article outlining good web session security. It may be a little overkill, but great reading.
Update: To help cover against the hijacking, a different token should be used for every page sent.
If you embed the session in the URL, use some common sense:
- if a session shows no activity for 30 minutes, kill the session and start a new one. Depending on your site, this may mean asking for a login, or it may mean just cutting a new session key.
- if a session comes in that is "inconsistent" (different browser type, different referrer, etc.) with the last session request, kill the session.
- as merlyn says here, make the session key unguessable
While these don't fix the problem completely (e.g. users coming in from AOL via the same AOL proxy machine might be able to swap sessions if they do it reasonably quickly), they go a long way to reduce it.
nop
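The scheme jepri describes (a session number embedded in every link) combined with nop's checks (unguessable key, idle timeout, kill the session on an inconsistent client) and Ryszard's one-token-per-page rotation, as an added example that is not code from any poster in this thread: it assumes a Unix-like host with /dev/urandom, uses an in-memory hash as the session store, and binds the session to the User-Agent string as its consistency check.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);   # core module since Perl 5.10
my %SESSIONS;              # token => { data, ua, last_seen }; in-memory store, constructed for this example
my $IDLE_LIMIT = 30 * 60;  # kill sessions idle for 30 minutes, as nop suggests

# Unguessable key: 256 bits from the kernel CSPRNG (assumes a Unix-like host with /dev/urandom).
sub new_token {
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    read($fh, my $bytes, 32) == 32 or die "short read from /dev/urandom";
    close $fh;
    return sha256_hex($bytes);
}

# Start a session bound to the client's User-Agent; returns the token to embed in every link.
sub start_session {
    my ($ua, $data) = @_;
    my $tok = new_token();
    $SESSIONS{$tok} = { data => $data, ua => $ua, last_seen => time };
    return $tok;
}

# Validate a token and rotate it, so each page carries a fresh token (Ryszard's update).
# Returns (new_token, data) on success or (undef, reason) after killing the session.
sub resume_session {
    my ($tok, $ua) = @_;
    my $s = delete $SESSIONS{ $tok // '' } or return (undef, 'unknown token');   # single use
    return (undef, 'idle timeout')    if time - $s->{last_seen} > $IDLE_LIMIT;
    return (undef, 'client mismatch') if $s->{ua} ne $ua;   # inconsistent request: session is gone
    $s->{last_seen} = time;
    my $new = new_token();
    $SESSIONS{$new} = $s;
    return ($new, $s->{data});
}

my $ua  = 'Mozilla/4.0 (constructed)';
my $tok = start_session($ua, { user => 'coplan' });
my $url = "/cgi-bin/script.cgi?sid=$tok&action=showpage";   # the kind of link jepri describes
# Extract the sid the way a CGI would from QUERY_STRING, accepting only the exact token shape.
my ($sid) = $url =~ /[?&]sid=([0-9a-f]{64})(?:&|$)/;
my ($next, $data) = resume_session($sid, $ua);
print "rotated to $next for $data->{user}\n";
my (undef, $why) = resume_session($tok, $ua);   # replaying the old URL (e.g. pasted into an e-mail) fails
print "old token rejected: $why\n";
(undef, $why) = resume_session($next, 'Lynx/2.8 (constructed)');
print "same token from another client rejected: $why\n";
```

Because every token is single-use, both the replayed old URL and the same token presented by a different client are refused, at the cost jepri mentions: the back button no longer works.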
Re: Maintain Session without Cookies?
by mbalex (Beadle) on Feb 23, 2002 at 09:26 UTC
I've got access to about 6 accounts because the users had their session_ids in their referer link and went to my page.. *shudder*
use Cookie or die ("too unsecure");