Life without session variables

qaz
I've always used session cookies in my web sites. However, since more and
more people (including me) are starting to disable cookies, I'm beginning to
think that I should change my ways and design websites without the use of
session cookies. I've never done it before, but I understand that we can
get around the use of session cookies either by writing data to a database
or by passing data from one page to the next with hidden fields. Can anyone
point me to a tutorial on "best practices" for how this is done?

Thanks
Jul 22 '05 #1
qaz
Well unfortunately, I want to store things like User ID for persons who are
logged in and other such things that I would rather not pass on the
querystring.
"Steven Burn" <so*******@in-time.invalid> wrote in message
news:O6*************@TK2MSFTNGP12.phx.gbl...
> If it's just "throw-away" stuff you're storing in the session cookies, I'd
> personally recommend using querystrings instead (wouldn't recommend
> databases as they're unnecessary for that kind of stuff, and hidden fields
> are just clumsy).
>
> For info on using querystrings, see MSDN (Ref: Request.QueryString)
>
> --
>
> Regards
>
> Steven Burn
> Ur I.T. Mate Group
> www.it-mate.co.uk
>
> Keeping it FREE!
>
> "qaz" <ng****@uslex.net> wrote in message news:eL**************@TK2MSFTNGP09.phx.gbl...
> | I've always used session cookies in my web sites. However, since more and
> | more people (including me) are starting to disable cookies, I'm beginning to
> | think that I should change my ways and design websites without the use of
> | session cookies. I've never done it before, but I understand that we can
> | get around the use of session cookies either by writing data to a database
> | or by passing data from one page to the next with hidden fields. Can anyone
> | point me to a tutorial on "best practices" for how this is done?
> |
> | Thanks

Jul 22 '05 #2
On Sun, 23 Jan 2005 20:07:08 -0600, "qaz" <ng****@uslex.net> wrote:
> Well unfortunately, I want to store things like User ID for persons who are
> logged in and other such things that I would rather not pass on the
> querystring.

You can use a hidden form, one with only hidden fields, to pass via
Request.Form which won't show in the query string. Or use session
variables. Or write to a database record whatever you wish to know
and retrieve it on every page.

Jeff
Jul 22 '05 #3
> Well unfortunately, I want to store things like User ID for persons who are
> logged in and other such things that I would rather not pass on the
> querystring.


You have clients that are going to log in to your web site, but they don't
trust you with session cookies?

Are there any web sites you know of that you can stay logged into without
having session cookies enabled?
Jul 22 '05 #4
qaz
It's not so much an issue of trust as it is having to change security
settings with which a user may very well be otherwise quite satisfied.
After all, they do browse to other locations on the web.

No, I am not aware of other websites that permit logging in without the use
of session cookies, but then again, I suppose that was really part of the
question, viz., where can I find a good source of information on "best
practices" for accomplishing the common task of "persisting" the data from
page to page without the use of session (or other) cookies.
Jul 22 '05 #5
> No, I am not aware of other websites that permit logging in without the use
> of session cookies, but then again, I suppose that was really part of the
> question,


My point was that users who are expecting to log into your site will expect
session cookies to be required, since they are required at virtually every
other site out there that requires logging in and saving state. So unless
this is the first web site they've ever been to, chances are, they're
already prepared for this big security risk.

There are kludges and ugly workarounds, of course: e.g.
http://www.aspfaq.com/2054 and
http://support.microsoft.com/default.aspx/kb/175167

But IMHO, you should try the session cookie route first, and see if anybody
really has a problem with it. My guess is that users aren't going to have
to suddenly change security settings. For most people, they will already be
allowing session cookies... even the most paranoid have probably already
grown tired of clicking through those GUIs every time they find a site they
value/trust. For the rest, it will be a simple, one-time "add this site to
trusted" or "allow session cookies on this domain"...
Jul 22 '05 #6
In order to maintain a session an identifier must be passed to the browser
and returned to every page where you need the session data to be available.
The most convenient mechanism for this is an in-memory ("session") cookie.

If you want to avoid session cookies you will need to create a unique
identifier when the user first logs onto the site and include that
identifier in every link (or in a form element on every page) that the user
might use to navigate through the site. Then use the identifier to recover
session data from a database. An example of a link that supported this would
be:

yoursite.com/index.asp?sid=1234

With a little creative use of custom error pages you should be able to embed
the id in the URL path as in (you have probably seen sites that do this
without realizing what it was):

yoursite.com/1234/index.asp

You might want to look in to ASP.NET. I believe it has some built-in support
for cookie-less sessions.

--
Mark Schupp
Head of Development
Integrity eLearning
www.ielearning.com
Jul 22 '05 #7
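
The scheme described in the post above (an identifier issued at login, carried in every link, and used to look up session data on the server), as an added example that is not code from the thread. It is written in Python rather than ASP so it runs stand-alone; the dictionary stands in for the database table, and `SessionStore`, `add_sid`, `sid_from_url`, `IDLE_TIMEOUT` and the `Referrer-Policy` setting are assumptions of this example.

```python
import secrets
import time
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SITE_HOST = "yoursite.com"   # host taken from the post's example link
IDLE_TIMEOUT = 20 * 60       # seconds of inactivity allowed (assumed value)
# Sent with every page: browsers then omit the Referer header on requests
# to other origins, so the sid in the page URL is not handed to third parties.
SECURITY_HEADERS = {"Referrer-Policy": "same-origin"}


class SessionStore:
    """In-memory stand-in for the database table keyed by session ID."""

    def __init__(self, clock=time.time):
        self._rows = {}
        self._clock = clock

    def create(self, user_id):
        # 128 bits from the OS CSPRNG. A short or sequential value such as
        # 1234 could be guessed by editing the URL.
        sid = secrets.token_urlsafe(16)
        self._rows[sid] = {"user_id": user_id, "last_seen": self._clock()}
        return sid

    def load(self, sid):
        """Return the session row, or None if unknown or idle too long."""
        row = self._rows.get(sid)
        if row is None:
            return None
        now = self._clock()
        if now - row["last_seen"] > IDLE_TIMEOUT:
            del self._rows[sid]
            return None
        row["last_seen"] = now
        return row

    def destroy(self, sid):
        """Log out: the identifier stops working even if the URL was saved."""
        self._rows.pop(sid, None)


def sid_from_url(url):
    """Read the sid parameter from a request URL, or return None."""
    return dict(parse_qsl(urlsplit(url).query)).get("sid")


def add_sid(link, sid):
    """Append sid to same-site links; links to other hosts are returned as-is."""
    parts = urlsplit(link)
    if parts.netloc and parts.netloc.lower() != SITE_HOST:
        return link
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != "sid"]
    query.append(("sid", sid))
    return urlunsplit(parts._replace(query=urlencode(query)))
```

Every page handler would call `sid_from_url` and `store.load` before doing anything else, and pass each outgoing link through `add_sid` when rendering.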
Aaron [SQL Server MVP] wrote:
> Are there any web sites you know of that you can stay logged into
> without having session cookies enabled?


This, for one: http://www.amazon.com/

No cookies or scripting required.

--
Dave Anderson

Unsolicited commercial email will be read at a cost of $500 per message. Use
of this email address implies consent to these terms. Please do not contact
me directly or ask me to contact you directly for assistance. If your
question is worth asking, it's worth posting.
Jul 22 '05 #8
And I guess qaz can match the development budget of amazon.com?

Come on Dave, I provided samples for potential workarounds, but in reality,
this is just not a very common thing, and I have serious doubts that he will
lose any customers no matter which approach he takes.


Jul 22 '05 #9
Aaron [SQL Server MVP] wrote:
> And I guess qaz can match the development budget of amazon.com?
>
> Come on Dave, I provided samples for potential workarounds, but in
> reality, this is just not a very common thing, and I have serious
> doubts that he will lose any customers no matter which approach he
> takes.


While I agree that it is perfectly acceptable for an application to require
cookies, I also recognize that there are several technologies that make
cookieless sessions straightforward to implement (such as ASP.NET). But you
are correct to note that ASP is not one of them.

Amazon's technique differs from the suggestions in KB175167 in that it
embeds the session ID in the URL, not in the QueryString. This can be
accomplished in ASP with a custom 404 handler, for example, but it is
anything but trivial to implement.

I should know - I have an application that does this exactly.

--
Dave Anderson

Unsolicited commercial email will be read at a cost of $500 per message. Use
of this email address implies consent to these terms. Please do not contact
me directly or ask me to contact you directly for assistance. If your
question is worth asking, it's worth posting.
Jul 22 '05 #10
> Amazon's technique differs from the suggestions in KB175167 in that it
> embeds the session ID in the URL, not in the QueryString. This can be
> accomplished in ASP with a custom 404 handler, for example, but it is
> anything but trivial to implement.


Interesting. Never really noticed this...
What's the advantage of putting it in the URL rather than the QS?

Jul 22 '05 #11
Putting it in the URL isn't as "obvious" to those that may want to exploit it.

--

Regards

Steven Burn
Ur I.T. Mate Group
www.it-mate.co.uk

Keeping it FREE!

Jul 22 '05 #12
> I've always used session cookies in my web sites. However, since more and
> more people (including me) are starting to disable cookies, I'm beginning to
> think that I should change my ways and design websites without the use of
> session cookies. I've never done it before, but I understand that we can
> get around the use of session cookies either by writing data to a database
> or by passing data from one page to the next with hidden fields. Can anyone
> point me to a tutorial on "best practices" for how this is done?


I believe that session variables can still be used even if a user has
disabled cookies and that is by long querystrings which are
automatically created.

But if you want to look into not using session variables here are a
couple resources:

Why won't my session variables stick?
http://www.aspfaq.com/show.asp?id=2157

Maintaining Session State - 9/20/1998
http://www.4guysfromrolla.com/webtech/092098-1.shtml

Pros and Cons of Session Variables - 9/20/1998
http://www.4guysfromrolla.com/webtech/092098-2.shtml

Forcing the Session to Close - 10/24/1998
http://www.4guysfromrolla.com/webtech/102498-3.shtml

Maintaining Persistent Information on the Web from the book Teach
Yourself Active Server Pages 3.0 in 21 Days Sample Chapter! by Web
masters Scott Mitchell and James Atkinson
http://www.asp101.com/articles/sampl...in21/page1.asp

Design Strategies for Scalable Active Server Applications by Steve Kirk
MSDN Content Development Group 8/1997
http://msdn.microsoft.com/isapi/msdn...y/techart/msdn_aspscale.htm

Best regards,
J. Paul Schmidt, Freelance ASP Web Developer
http://www.Bullschmidt.com
ASP Design Tips, ASP Web Database Demo, Free ASP Bar Chart Tool...
Jul 22 '05 #13
qaz
Thanks for the links. I find this whole idea of "life without session
variables" very interesting.
Jul 22 '05 #14
la**********@yahoo.com wrote:
> Interesting. Never really noticed this...
> What's the advantage of putting it in the URL rather than the QS?


There are several advantages, but I suppose the biggest is that it embeds
the session ID in the HTTP_REFERER header for each request (including image
requests).

--
Dave Anderson

Unsolicited commercial email will be read at a cost of $500 per message. Use
of this email address implies consent to these terms. Please do not contact
me directly or ask me to contact you directly for assistance. If your
question is worth asking, it's worth posting.
Jul 22 '05 #15
