Beefy Boxes and Bandwidth Generously Provided by pair Networks
laziness, impatience, and hubris
 
PerlMonks  

RE: Re: practical aspects of sessions and state

by le (Friar)
on Oct 17, 2000 at 12:09 UTC ( #37107=note: print w/replies, xml ) Need Help??


in reply to Re: practical aspects of sessions and state
in thread practical aspects of sessions and state

I don't see why so many people hate cookies (or advise not to use them).

I have the same problem here, I wrote a webmail app using Apache::Session to keep track of users. The session ID goes back out in a cookie, but all my coworkers said "Why the hell do you use cookies? Use hidden fields!". But sometimes I don't want to set up a FORM tag to provide some action - users can click on a link to read a mail for instance. So, if I put the session ID into the link (to get to it via GET) and someone reads a mail with a link inside (URLs in mails are getting autoconverted to links) and hits the link - voila, the session id is stored on the remote server in the referer log. Ok, this would work only for ten minutes (until the session expires) but that was the way that gmx.de was hacked - 1600 accounts lost their passwords.

Sometimes one doesn't get away without cookies trivially.
  • Comment on RE: Re: practical aspects of sessions and state

Replies are listed 'Best First'.
On using cookies for session management...
by merlyn (Sage) on Oct 17, 2000 at 15:33 UTC
    Hmm. I don't know why you went off on the "cookies" thing. The problem here is that d_i_r_t_y wants to have two parallel conversations within one browser, and you can't do that purely with cookies, because the browser will happily send the identically same cookie to both "session" hits. So you can't use cookies or basic auth, and that means you're stuck with mangled URLs or hidden fields. That, or PSI::ESP, which hasn't been uploaded yet, but I have a feeling it will shortly.

    As for why some people "hate cookies (or advise not to use them)", I can give you my take on that. Cookies used for long-term authentication presume the demonstratably false statement of "one user is one browser", as opposed to session cookies, which I actually consider OK unless it breaks something like in d_i_r_t_y's case.

    In a given day, I'm popping back and forth between three or four browsers, and some of the browsers I use are on other people's machines, especially in internet cafes and such. So if you're crazy enough to use cookies for auth:

    1. be sure to give me a way not to do that if I know I'm in a shared-browser place
    2. time out the cookie at one day or less (in case I forget to "log out" at an internet cafe in the city I just left)
    3. make it very clear that I'm "logged in"
    4. make it very easy to "log out"
    5. make it very easy to "log in" on another browser
    6. make it possible to use the site entirely without cookies for the very paranoid.
    As a good model, look at Amazon. When I'm logged in, at the top of each page it says "If you're not randal, click here". Very clear to me that Amazon thinks my browser is me. And it's easy to log back in on a different browser, and log out on this one. And the site works without cookies at all (if I recall) because they give a session ID in a mangled URL for the particular shopping cart: I just don't get my preferences or "One-Click(tm) Shopping".

    Because of that last point, you've got to provide a mangled URL or hidden field solution anyway. So the easiest way out is to go ahead and presume "no cookies", and then slowly add in to the design a way of having longer term recognition, as long as you stay within the guidelines above.

    -- Randal L. Schwartz, Perl hacker

      Shouldn't the login apply to all windows? Each windows should service the same user, but each should have a different state.

      For example, if I log into perlmonks through one browser window and start browsing, I want to be able to open another and continue browsing under the same identity.

        Yes, and for that you'd use a cookie or basic-auth for the "browser" identity, but mangled URLs or hidden fields for the "window" thread, if needed.

        -- Randal L. Schwartz, Perl hacker

      The problem here is that d_i_r_t_y wants to have two parallel conversations within one browser, and you can't do that purely with cookies, because the browser will happily send the identically same cookie to both "session" hits.

      Well, there are ways around that, if you really, really wanted too, but you'd have to have the server do more work than it should.

      I am definitely in the "both" camp, however: allow for a user to use cookies or not use cookies, as they please. Not that I'd ever use Amazon as an example. :)

Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?
Node Status?
node history
Node Type: note [id://37107]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others chilling in the Monastery: (5)
As of 2022-12-07 10:45 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found

    Notices?