Re: How do you do sessions in Web Sites

by BUU (Prior)
on Sep 27, 2005 at 20:05 UTC [id://495533]


in reply to How do you do sessions in Web Sites

I only know of two real ways to do this.

1) Embedding the session id in the URL:

You can implement this one in two ways, or some combination thereof. The first way is manual, where you assign a template variable to contain the id and manually include it in every URL. This generally sucks from a designer's perspective. The second way is to have something that automatically adds it; depending on the languages and technologies you are using, it's usually fairly easy to do, but some things can prevent it.

This technique has several flaws, the most major of which is security. People, in general, don't think of URLs as something to be security conscious of and will probably freely share them. If their session id is stored in the URL and someone else uses it, they'll probably have access to whatever sensitive data was stored in the session. You can try to prevent this by adding checks based on originating IPs of the sessions, but that runs the risk of screwing, or at least annoying, people behind a rotating proxy, for example, AOL.

2) The second solution is to just use cookies. They're simple, incredibly easy to use, and already handle all of the above security concerns. The only downside is that occasionally they won't work, but really, the percentage of people who have actually disabled cookies is so small it's probably not worth worrying about. In general, if they want to use your service and cannot do it without cookies, they'll turn cookies on.

To summarize, if you just want to track each user on your site much like Amazon does, you should probably use session ids in the URL. It doesn't need to be secure but does need to work for most everyone. If you have secure data you're protecting via the session id, you probably want cookies, much like Amazon does when you actually log in to your account.
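The three transports discussed in this thread (session id in the URL, in a cookie, and in a hidden form field as suggested in the reply below), side by side in one small Perl script. This is an added example, not code from the post above; it assumes an in-memory hash as the session store (a real site would use a file or database store such as CGI::Session), a plain hash standing in for a parsed HTTP request, and constructed sample requests. The optional IP-binding check is the one the post mentions, with its proxy caveat left in the comment.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);

# In-memory session store, constructed for this example only; a real
# deployment would keep sessions in a file or database store.
my %SESSIONS;

# Fresh, unguessable id: 32 bytes from the OS entropy source, run through
# SHA-256 so every id has the same fixed, easily validated shape.
sub new_session_id {
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    read $fh, my $bytes, 32;
    close $fh;
    return sha256_hex($bytes);
}

sub create_session {
    my ($data, $client_ip) = @_;
    my $id = new_session_id();
    $SESSIONS{$id} = { data => $data, ip => $client_ip, created => time };
    return $id;
}

# --- 1) session id in the URL -----------------------------------------------
sub url_with_session {
    my ($url, $id) = @_;
    my $sep = $url =~ /\?/ ? '&' : '?';
    return $url . $sep . 'sid=' . $id;
}

# --- 2) session id in a cookie ----------------------------------------------
# HttpOnly keeps page scripts from reading the id, Secure keeps it off plain
# HTTP, and SameSite=Lax stops most cross-site requests from carrying it.
sub session_cookie_header {
    my ($id) = @_;
    return "Set-Cookie: sid=$id; Path=/; HttpOnly; Secure; SameSite=Lax";
}

# --- 3) session id in a hidden field, navigation by POST only ---------------
# $action is a fixed path here; user-supplied values would need HTML escaping.
sub form_with_session {
    my ($action, $id) = @_;
    return qq{<form method="post" action="$action">}
         . qq{<input type="hidden" name="sid" value="$id">}
         . qq{<input type="submit" value="Go"></form>};
}

# Pull the id out of whichever channel the request used. $req is a hash
# constructed to stand in for a parsed request: cookie header, query string,
# POST body and remote address. Only well-formed 64-hex ids are accepted.
sub session_id_from_request {
    my ($req) = @_;
    if (defined $req->{cookie} && $req->{cookie} =~ /(?:^|;\s*)sid=([0-9a-f]{64})/) {
        return $1;
    }
    for my $params ($req->{post}, $req->{query}) {
        return $1 if defined $params && $params =~ /(?:^|&)sid=([0-9a-f]{64})(?:&|$)/;
    }
    return undef;
}

# Look the session up. With bind_ip => 1 a request from a different address
# than the one that created the session is refused; as the post notes, this
# breaks users behind rotating proxies, so it is off by default.
sub lookup_session {
    my ($req, %opt) = @_;
    my $id = session_id_from_request($req) or return undef;
    my $s  = $SESSIONS{$id}                or return undef;
    return undef if $opt{bind_ip} && $s->{ip} ne $req->{remote_addr};
    return $s;
}

# --- demonstration with constructed requests --------------------------------
my $sid = create_session({ user => 'alice' }, '192.0.2.10');

print url_with_session('/cart', $sid), "\n";
print session_cookie_header($sid), "\n";
print form_with_session('/home', $sid), "\n";

my $by_cookie = { cookie => "theme=dark; sid=$sid", remote_addr => '192.0.2.10' };
my $by_url    = { query  => "page=2&sid=$sid",      remote_addr => '198.51.100.7' };

print "cookie lookup: ",            (lookup_session($by_cookie)              ? 'ok' : 'miss'), "\n";
print "url lookup, no ip check: ",  (lookup_session($by_url)                 ? 'ok' : 'miss'), "\n";
print "url lookup, ip bound: ",     (lookup_session($by_url, bind_ip => 1)   ? 'ok' : 'miss'), "\n";
```

The last three lines show the trade-off from the post: a session id carried in the URL is accepted from any address unless the lookup is bound to the originating IP, and binding it is exactly what rejects a legitimate user whose address changes mid-session.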

Replies are listed 'Best First'.
Re^2: How do you do sessions in Web Sites
by awwaiid (Friar) on Sep 27, 2005 at 22:32 UTC
    3) Put them in a hidden field, and only allow communication to the server through POST (submitting the form).

    Just for completeness :)

      Just remember that if you use POST for every page, depending on their browser (mis)configuration or browser (mis)behaviour, you will basically break the browser "Back" button.

      It's going to ask the user every time s/he hits "back" with that annoying message, "do you want to re-submit this form?", and the users will probably be confused and not know what to do. :(

        Very good point. On the plus side of usability for always-post, you get all the data they are currently working on.

        Imagine a page with a navigation bar at the top and a user is filling out the form. Even the navigation bar secretly uses POST buttons/links. Since we always POST, we even get their partially filled form, so that when they click 'Home' or something we can ask 'Are you sure you want to leave the form half-completed?' and keep all their data and everything.

        But the back button thing does freak people out.
