I've always used session cookies in my web sites. However, since more and
more people (including me) are starting to disable cookies, I'm beginning to
think that I should change my ways and design websites without the use of
session cookies. I've never done it before, but I understand that we can
get around the use of session cookies either by writing data to a database
or by passing data from one page to the next with hidden fields. Can anyone
point me to a tutorial on "best practices" for how this is done?
Thanks
Well unfortunately, I want to store things like User ID for persons who are
logged in and other such things that I would rather not pass on the
querystring.
"Steven Burn" <so*******@in-time.invalid> wrote in message
news:O6*************@TK2MSFTNGP12.phx.gbl...
> If it's just "throw-away" stuff you're storing in the session cookies, I'd
> personally recommend using querystrings instead (wouldn't recommend
> databases as they're unnecessary for that kind of stuff, and hidden fields
> are just clumsy).
>
> For info on using querystrings, see MSDN (Ref: Request.QueryString)
> --
> Regards
> Steven Burn
> Ur I.T. Mate Group www.it-mate.co.uk
> Keeping it FREE!
On Sun, 23 Jan 2005 20:07:08 -0600, "qaz" <ng****@uslex.net> wrote:
> Well unfortunately, I want to store things like User ID for persons who are
> logged in and other such things that I would rather not pass on the
> querystring.
You can use a hidden form, one with only hidden fields, to pass via
Request.Form which won't show in the query string. Or use session
variables. Or write to a database record whatever you wish to know
and retrieve it on every page.
Jeff
> Well unfortunately, I want to store things like User ID for persons who
> are logged in and other such things that I would rather not pass on the
> querystring.
You have clients that are going to log in to your web site, but they don't
trust you with session cookies?
Are there any web sites you know of that you can stay logged into without
having session cookies enabled?
It's not so much an issue of trust as it is having to change security
settings with which a user may very well be otherwise quite satisfied.
After all, they do browse to other locations on the web.
No, I am not aware of other websites that permit logging in without the use
of session cookies, but then again, I suppose that was really part of the
question, viz., where can I find a good source of information on "best
practices" for accomplishing the common task of "persisting" the data from
page to page without the use of session (or other) cookies.
> No, I am not aware of other websites that permit logging in without the
> use of session cookies, but then again, I suppose that was really part of
> the question,
My point was that users who are expecting to log into your site will expect
session cookies to be required, since they are required at virtually every
other site out there that requires logging in and saving state. So unless
this is the first web site they've ever been to, chances are, they're
already prepared for this big security risk.
There are kludges and ugly workarounds, of course: e.g. http://www.aspfaq.com/2054 and http://support.microsoft.com/default.aspx/kb/175167
But IMHO, you should try the session cookie route first, and see if anybody
really has a problem with it. My guess is that users aren't going to have
to suddenly change security settings. For most people, they will already be
allowing session cookies... even the most paranoid have probably already
grown tired of clicking through those GUIs every time they find a site they
value/trust. For the rest, it will be a simple, one-time "add this site to
trusted" or "allow session cookies on this domain"...
In order to maintain a session an identifier must be passed to the browser
and returned to every page where you need the session data to be available.
The most convenient mechanism for this is an in-memory ("session") cookie.
If you want to avoid session cookies you will need to create a unique
identifier when the user first logs onto the site and include that
identifier in every link (or in a form element on every page) that the user
might use to navigate through the site. Then use the identifier to recover
session data from a database. An example of a link that supported this would
be:
yoursite.com/index.asp?sid=1234
With a little creative use of custom error pages you should be able to embed
the id in the URL path as in (you have probably seen sites that do this
without realizing what it was):
yoursite.com/1234/index.asp
You might want to look into ASP.NET. I believe it has some built-in support
for cookie-less sessions.
--
Mark Schupp
Head of Development
Integrity eLearning www.ielearning.com
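Added example, not part of the post above and not ASP code: a language-neutral Python sketch of the scheme it describes (issue an identifier at login, carry it in every link, use it to recover server-side session data). The names `SessionStore`, `add_sid`, `sid_from_request`, the 20-minute idle limit and the in-memory dictionary standing in for the database table are all assumptions.

```python
import secrets
import time
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

IDLE_TIMEOUT = 20 * 60  # seconds; assumed idle limit


class SessionStore:
    """Server-side session table keyed by an unguessable ID (stand-in for the database)."""

    def __init__(self, clock=time.time):
        self._rows = {}
        self._clock = clock

    def create(self, user_id):
        # Issue the ID only after a successful login: 128 bits from the OS
        # CSPRNG, never a counter or other guessable value such as 1234.
        sid = secrets.token_urlsafe(16)
        self._rows[sid] = {"user_id": user_id, "last_seen": self._clock()}
        return sid

    def lookup(self, sid):
        # Accept only IDs this server issued and that have not gone idle.
        # A client-supplied ID that is not in the table never creates a session.
        row = self._rows.get(sid)
        if row is None:
            return None
        now = self._clock()
        if now - row["last_seen"] > IDLE_TIMEOUT:
            del self._rows[sid]
            return None
        row["last_seen"] = now
        return row

    def destroy(self, sid):
        # Call at logout so a URL left in history or logs stops working.
        self._rows.pop(sid, None)


def add_sid(url, sid, site_host):
    """Append sid to same-site links only; links to other hosts are left untouched."""
    parts = urlsplit(url)
    if parts.netloc and parts.netloc.lower() != site_host.lower():
        return url
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != "sid"]
    query.append(("sid", sid))
    return urlunsplit(parts._replace(query=urlencode(query)))


def sid_from_request(url):
    """Read the candidate sid from ?sid=... or from a leading path segment (/<sid>/index.asp)."""
    parts = urlsplit(url)
    for key, value in parse_qsl(parts.query):
        if key == "sid":
            return value
    segments = parts.path.lstrip("/").split("/")
    # The first segment is only a candidate; SessionStore.lookup() decides.
    return segments[0] if len(segments) > 1 and segments[0] else None
```

Because the ID travels in the URL, it also ends up in the Referer header, browser history and server logs, so the idle timeout and the `destroy` call at logout carry more weight here than they do with a cookie.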
Aaron [SQL Server MVP] wrote:
> Are there any web sites you know of that you can stay logged into without
> having session cookies enabled?
This, for one: http://www.amazon.com/
No cookies or scripting required.
--
Dave Anderson
Unsolicited commercial email will be read at a cost of $500 per message. Use
of this email address implies consent to these terms. Please do not contact
me directly or ask me to contact you directly for assistance. If your
question is worth asking, it's worth posting.
And I guess qaz can match the development budget of amazon.com?
Come on Dave, I provided samples for potential workarounds, but in reality,
this is just not a very common thing, and I have serious doubts that he will
lose any customers no matter which approach he takes.
Aaron [SQL Server MVP] wrote:
> And I guess qaz can match the development budget of amazon.com?
>
> Come on Dave, I provided samples for potential workarounds, but in reality,
> this is just not a very common thing, and I have serious doubts that he will
> lose any customers no matter which approach he takes.
While I agree that it is perfectly acceptable for an application to require
cookies, I also recognize that there are several technologies that make
cookieless sessions straightforward to implement (such as ASP.NET). But you
are correct to note that ASP is not one of them.
Amazon's technique differs from the suggestions in KB175167 in that it
embeds the session ID in the URL, not in the QueryString. This can be
accomplished in ASP with a custom 404 handler, for example, but it is
anything but trivial to implement.
I should know - I have an application that does this exactly.
--
Dave Anderson
> Amazon's technique differs from the suggestions in KB175167 in that
> it embeds the session ID in the URL, not in the QueryString. This can be
> accomplished in ASP with a custom 404 handler, for example, but it is
> anything but trivial to implement.
Interesting. Never really noticed this...
What's the advantage of putting it in the URL rather than the QS?
Putting it in the URL isn't as "obvious" to those that may want to exploit it.
--
Regards
Steven Burn
Ur I.T. Mate Group www.it-mate.co.uk
Keeping it FREE!
<<
I've always used session cookies in my web sites. However, since more and
more people (including me) are starting to disable cookies, I'm beginning to
think that I should change my ways and design websites without the use of
session cookies. I've never done it before, but I understand that we can
get around the use of session cookies either by writing data to a database
or by passing data from one page to the next with hidden fields. Can anyone
point me to a tutorial on "best practices" for how this is done?
I believe that session variables can still be used even if a user has
disabled cookies and that is by long querystrings which are
automatically created.
But if you want to look into not using session variables here are a
couple resources:
Why won't my session variables stick? http://www.aspfaq.com/show.asp?id=2157
Maintaining Session State - 9/20/1998 http://www.4guysfromrolla.com/webtech/092098-1.shtml
Pros and Cons of Session Variables - 9/20/1998 http://www.4guysfromrolla.com/webtech/092098-2.shtml
Forcing the Session to Close - 10/24/1998 http://www.4guysfromrolla.com/webtech/102498-3.shtml
Maintaining Persistent Information on the Web from the book Teach
Yourself Active Server Pages 3.0 in 21 Days Sample Chapter! by Web
masters Scott Mitchell and James Atkinson http://www.asp101.com/articles/sampl...in21/page1.asp
Design Strategies for Scalable Active Server Applications by Steve Kirk
MSDN Content Development Group 8/1997 http://msdn.microsoft.com/isapi/msdn...y/techart/msdn_aspscale.htm
Best regards,
J. Paul Schmidt, Freelance ASP Web Developer http://www.Bullschmidt.com
ASP Design Tips, ASP Web Database Demo, Free ASP Bar Chart Tool...
Thanks for the links. I find this whole idea of "life without session
variables" very interesting.
la**********@yahoo.com wrote:
> Interesting. Never really noticed this...
> What's the advantage of putting it in the URL rather than the QS?
There are several advantages, but I suppose the biggest is that it embeds
the session ID in the HTTP_REFERER header for each request (including image
requests).
--
Dave Anderson