So, no cookies, eh? Check to see whether the unique module is available anyway (assuming you're using Apache).

It sounds to me like all you can get to reidentify an individual is what you can get through vanilla CGI and possibly JavaScript, and you want security on sessions.

Good luck. You might do OK by making the session ID a combination of IP, user agent string, and any other info you can get from the user's client automatically (see a JavaScript reference for that sort of thing) that might differ between different client programs (or different instances of the same client program). I.e., if you know that this is a different user agent OR different IP OR different (whatever), you say "sorry, but I can't verify your identity."

Nothing along these lines is going to be perfect in preventing another user 'hijacking' a session ID (e.g. a computer lab with 25 machines all running IE 5.5 sp 1 on WinNT that access the site via NAT are all going to come out the same on all these criteria, unless there's some unique ID for each copy of the browser program, but even that's going to be vendor-dependent).

I suppose you could use the PIII's ID and an ActiveX control or some such ... =) (j/k)

If this is a real "shopping cart," I'd suggest you reconsider your hosting situation. If it's an exercise, well, nice brain teaser.

Philosophy can be made out of anything. Or less -- Jerry A. Fodor


In reply to Re: Re: The sound of one cookie (not) authenticating by arturo
in thread The sound of one cookie (not) authenticating by Hero Zzyzzx
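
The check described in the post above, as an added example that is not part of the original thread: a token binds a random session ID to the client's IP and user agent string with an HMAC, and the last case shows the NAT limitation the post mentions. The secret, the sample addresses and all function names are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Assumption: server-side secret, constructed for this demo.
my $SECRET = 'constructed-demo-secret';

# Random 128-bit session id (assumes a Unix host with /dev/urandom).
sub new_sid {
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    read($fh, my $buf, 16) == 16 or die "short read from urandom";
    return unpack 'H*', $buf;
}

# What plain CGI exposes about the client, joined unambiguously.
sub fingerprint {
    my ($env) = @_;
    return join "\0", map { $env->{$_} // '' } qw(REMOTE_ADDR HTTP_USER_AGENT);
}

# Token for the URL or a hidden form field: "<sid>.<mac>".
sub issue_token {
    my ($sid, $env) = @_;
    return "$sid." . hmac_sha256_hex("$sid\0" . fingerprint($env), $SECRET);
}

# Returns the session id if the token matches this client, else undef.
sub verify_token {
    my ($token, $env) = @_;
    my ($sid, $mac) = ($token // '') =~ /\A([0-9a-f]{32})\.([0-9a-f]{64})\z/
        or return;
    my $expect = hmac_sha256_hex("$sid\0" . fingerprint($env), $SECRET);
    my $diff = 0;    # compare every character, no early exit
    $diff |= ord(substr($mac, $_, 1)) ^ ord(substr($expect, $_, 1)) for 0 .. 63;
    return $diff == 0 ? $sid : undef;
}

# Constructed requests, shaped like the %ENV a CGI script sees.
my %owner    = (REMOTE_ADDR => '192.0.2.10',
                HTTP_USER_AGENT => 'Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 4.0)');
my %other_ua = (%owner, HTTP_USER_AGENT => 'Lynx/2.8.3');
my %lab_peer = %owner;    # another lab machine: same NAT address, same browser

my $token = issue_token(new_sid(), \%owner);
for my $case ([owner => \%owner], ['other user agent' => \%other_ua], ['NAT lab peer' => \%lab_peer]) {
    my $ok = defined(verify_token($token, $case->[1]));
    printf "%-17s %s\n", $case->[0], $ok ? 'accepted' : "sorry, but I can't verify your identity";
}
```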
