Simply, I would like a discussion/feedback from any and all on how to do sessions for websites and why to do them that way.

I am preparing to redo the base code for many of the websites I manage. I have always done session management in a very simplistic and limited manner, and now I am looking to others to see what else I could and should do.

Currently, I use several bits of information to pull together an ID. Then, I encrypt that ID and put it in a cookie on the remote browser. I link that ID in a table to a user, a site and/or a state.

This has problems. The URL can not be copied and pasted to send people to the same web *page*. A user who does not/can not allow cookies can not use the site (this is a a major reason to change this). Update - The URL can hold the information for the state in it. Some of that we do just in paths and pages/scripts. Information about state that is server side and linked by a session can not be copied and pasted in the url unless the url contains the session id, so a cookie can not do that.

Recently, I added a kludge to my old method to allow using the URL to hold a session state when cookies are not available. I feel I need to revisit this with a better more permanent solution that can address more end user needs and wants.

Please discuss what you do why you do it, why you think it is better, what the drawbacks of other methods are and how you do it. (or any one of those ;-)

After a while, I will summarize the thread for the site.