Maintain Session without Cookies?

Coplan has asked for the wisdom of the Perl Monks concerning the following question:

I maintain a website that uses a lot of perl, and depends on cookies. A friend put a bug in my ear and has me considering the idea of doing session management without cookies. The advantage that I see would be that I would not require users to accept cookies to use the website (I imagine cookies still scare some people).

Now I admit, I am not exactly a good perl hacker, and I still have very much to learn. While I did do a search on CPAN, and I found a couple of modules that I may be able to use, I'm still not exactly sure how I need to approach this. For that matter, I'm still not sure if I should.

First of all, should I consider switching to a non-cookie session management system for my website? I'd like to see arguments for or against this (as opposed to useing cookies). Second of all, if anyone has had some experience with this, maybe you could help me better understand what I really need to be learning. While a search on CPAN does yield a great deal on the topic, I'm not sure exactly what I would need.

Thank you for your help.

--Coplan

Comment on Maintain Session without Cookies?

Replies are listed 'Best First'.
Re: Maintain Session without Cookies? by tjh (Curate) on Feb 22, 2002 at 02:42 UTC
There are a number of threads here on PM discussing the philosophies and practicalities of State and/or Session management. I've been into this research in the last week as well, but haven't made any conclusions yet. We use cookies in several sites now, and while over the last 2 years or so cookier-related tech support calls have declined markedly, we'd still like cookie-less solution. However, some PM threads that have been excellent, useful or informative are: practical aspects of sessions and state Polling All Monks: Favorite Ways To Maintain State Writing web pages in Perl with sessions Adding "state" to HTTP to save saintmerlyn from having to post this link... :) the best way to implement persistent data across CGI scripts (OT) Security Rant Maintaining state with CGI.pm There are many other mentions of 'state' 'session' 'cookie' etc, via Super Search. Plus, in the last 48 hours, unless I'm hallucinating (which shouldn't be true), I thought I saw a recent release of something (for Apache?) that handles cookie-less state management. However, I can't find it again. Hope the links help with the review of the philosophies and/or methods of cookie-less state.	[reply]
Re: Maintain Session without Cookies? by jepri (Parson) on Feb 22, 2002 at 01:06 UTC
In general terms, cookies are now accepted everywhere, like visa. Almost every browser has the capability to handle cookies, and most of them have sophisticated ways of making sure that you don't accidentally give cookies to advertisers, even if the adverts appear on a site that is also handing out cookies. Doing without cookies means embedding a unique number in every link, sort of like: http://mysite.com/cgi-bin/script.cgi?cookienum=32984563298745&action=showpage. Then every time someone clicks a link you extract the number on use it to load the session data. Quite painful, but certainly doable. It also gets worse if you generate a new unique number for each page (people can't press the back button any more). ____________________ Jeremy I didn't believe in evil until I dated it.	[reply]
•Re: Maintain Session without Cookies? by merlyn (Sage) on Feb 22, 2002 at 03:30 UTC
If you use cookies, be sure to do it right. I saw it done enough times wrong that I had to write a column about it to vent my rants. -- Randal L. Schwartz, Perl hacker	[reply]
Re: Maintain Session without Cookies? by Ryszard (Priest) on Feb 22, 2002 at 05:20 UTC
I guess one advantage of not using cookies, is you can maintain sessions on devices that do not accept cookies, such as pda's and phones. The biggest disadvantage is the ease in which a session can be hijacked. If, for example, you cut and paste the URL and email it to another person, they will have your session. Its a rather simplistic example, but is a threat I would consider, especially if you have personal information on your site. Here is a good article outlining good web session security. It may be a little overkill, but great reading. Update: To help cover against the hijacking, a different token should be used for every page sent.	[reply]
Re: Re: Maintain Session without Cookies? by moodster (Hermit) on Feb 22, 2002 at 12:19 UTC
Well, considering that the contents of the session cookie is sent to the server with each HTTP request, a cookie solution isn't that much secure anyway. If someone monitors your network traffic, hijacking the session is trivial no matter if you are using cookies or not. The only antidote is to connect through an encrypted channel. Granted, it's easy to cut&paste the URL and mail it to someone else, but if you're that eager to compromise your own security you could just as well edit the contents of `cookies.txt`. Cheers, --Moodster	[reply] [d/l]
Re: Re: Maintain Session without Cookies? by nop (Hermit) on Feb 23, 2002 at 15:50 UTC
If you embed session the URL, use some common sense: if a session shows no activity for 30 minutes, kill the session and start a new one. depending on your site, this may mean asking for a login, or it may mean just cutting a new session key. if a session comes in that is "inconsistent" (different browser type, different referrer, etc) with the last session request, kill the session. as merlyn says here, make the session key unguessable While these don't fix the problem completely (eg users coming in from AOL via the same AOL proxy machine might be able to swap sessions if they do it reasonably quickly), they go a long way to reduce it. nop	[reply]
Re: Maintain Session without Cookies? by mbalex (Beadle) on Feb 23, 2002 at 09:26 UTC
I've got access to about 6 accounts because the users had their session_ids in their referer link and went to my page.. shudder use Cookie or die ("too unsecure");	[reply]