I use hidden form field, they don't want me to use cookies.
You're hosed if you expect forms to repost on refresh. You either need to embed the session ID in the URL, or convince "them" to let you use cookies.
If you're sure than none of your clients are sitting behind any sort of network address translation (NAT), then you might be able to keep track of session on the server side, by associating them with the client's IP address.
| [reply] |
It's not just NAT that will cause problems like this. If two users access your site using the same proxy server, you'll have the same problem.
Also, a single user's requests within a session may come from different IP addresses. This could be due to users with short-lived DHCP leases (some cable ISPs do this), or users who are accessing your site through a proxy farm or hierarchy of proxies (see section 1.4 of RFC2616).
I'd suggest you only consider using this technique when you know exactly how your users are accessing your site, for example on an Intranet system that you know will never be opened to the outside. Even in these situations, you can never predict future requirements, so use another technique if you can.
| [reply] |