Eternal Debate: Cookies vs. Sessions vs. QueryString

Paul wrote:

Here is a question that should get everyone going.

I have an ecommerce site where I need to pass the order_id to every page. So
which method is the best practice to pass this variable between pages:
Cookies or Session variable or by the HTTP header (either GET querystring or
POST form)?

I do not like to use sessions because they time out after 20 minutes of
inactivity.

I do not like to use cookies because the user can disable the use of cookies
through their browser setttings.

I am not big on the querystring/form method but it looks like it might be
the safest way to ensure the app will not break.

Is there a document which talks about the best practice to do this?

TIA.

Paul have a look at this (it is from the 3schools site)
http://www.w3schools.com/asp/asp_cookies.asp

It might be the answer you are looking for?
What if a Browser Does NOT Support Cookies?
---------------------------------------------------------------------
If your application deals with browsers that do not support cookies,
you will have to use other methods to pass information from one page to
another in your application. There are two ways of doing this:

1. Add parameters to a URL
You can add parameters to a URL:

<a href="welcome.asp?fname=John&lname=Smith">
Go to Welcome Page</a>

And retrieve the values in the "welcome.asp" file like this:

<%
fname=Request.querystring("fname")
lname=Request.querystring("lname")
response.write("<p>Hello " & fname & " " & lname & "!</p>")
response.write("<p>Welcome to my Web site!</p>")
%>

2. Use a form
You can use a form. The form passes the user input to "welcome.asp"
when the user clicks on the Submit button:

<form method="post" action="welcome.asp">
First Name: <input type="text" name="fname" value="">
Last Name: <input type="text" name="lname" value="">
<input type="submit" value="Submit">
</form>

Retrieve the values in the "welcome.asp" file like this:

<%
fname=Request.form("fname")
lname=Request.form("lname")
response.write("<p>Hello " & fname & " " & lname & "!</p>")
response.write("<p>Welcome to my Web site!</p>")
%>

Hi Paul,

Passing an order_id to every page could be a problem, as a hacker could use
the order_id to perform various types of nefarious operations, depending
upon how well you defend your app. Cookies can be a problem. Even Session
Cookies can be a problem, but most browsers allow Session Cookies. I would
recommend using Session, as it keeps all the private data on the server.
Just make sure and account for a timed-out Session.

--
HTH,

Kevin Spencer
Microsoft MVP
..Net Developer
You can lead a fish to a bicycle,
but you can't make it stink.

"Paul" <Pa**@discussions.microsoft.com> wrote in message
news:72**********************************@microsof t.com...

Here is a question that should get everyone going.

I have an ecommerce site where I need to pass the order_id to every page.
So
which method is the best practice to pass this variable between pages:
Cookies or Session variable or by the HTTP header (either GET querystring
or
POST form)?

I do not like to use sessions because they time out after 20 minutes of
inactivity.

I do not like to use cookies because the user can disable the use of
cookies
through their browser setttings.

I am not big on the querystring/form method but it looks like it might be
the safest way to ensure the app will not break.

Is there a document which talks about the best practice to do this?

TIA.

Hi Kevin,

If it is in web farm, can session be retrieved in different machine?

Thanks,
Elton Wang

"Kevin Spencer" wrote:

Hi Paul,

Passing an order_id to every page could be a problem, as a hacker could use
the order_id to perform various types of nefarious operations, depending
upon how well you defend your app. Cookies can be a problem. Even Session
Cookies can be a problem, but most browsers allow Session Cookies. I would
recommend using Session, as it keeps all the private data on the server.
Just make sure and account for a timed-out Session.

--
HTH,

Kevin Spencer
Microsoft MVP
..Net Developer
You can lead a fish to a bicycle,
but you can't make it stink.

"Paul" <Pa**@discussions.microsoft.com> wrote in message
news:72**********************************@microsof t.com...

Here is a question that should get everyone going.

I have an ecommerce site where I need to pass the order_id to every page.
So
which method is the best practice to pass this variable between pages:
Cookies or Session variable or by the HTTP header (either GET querystring
or
POST form)?

I do not like to use sessions because they time out after 20 minutes of
inactivity.

I do not like to use cookies because the user can disable the use of
cookies
through their browser setttings.

I am not big on the querystring/form method but it looks like it might be
the safest way to ensure the app will not break.

Is there a document which talks about the best practice to do this?

TIA.

Why are cookies a problem?

When you say "Make sure you account for a timed-out session", what do you
mean? If I store the variable in a session variable, and the session times
out, then I lose the order. Even if I do a check to see if the session timed
out, it still means that the order will be invalid because I will have lost
order id?

I like session variables also but I have a problem with the timeout.

I think cookies are the best solution, why do you think they are a problem?

"Kevin Spencer" wrote:

Hi Paul,

Passing an order_id to every page could be a problem, as a hacker could use
the order_id to perform various types of nefarious operations, depending
upon how well you defend your app. Cookies can be a problem. Even Session
Cookies can be a problem, but most browsers allow Session Cookies. I would
recommend using Session, as it keeps all the private data on the server.
Just make sure and account for a timed-out Session.

--
HTH,

Kevin Spencer
Microsoft MVP
..Net Developer
You can lead a fish to a bicycle,
but you can't make it stink.

"Paul" <Pa**@discussions.microsoft.com> wrote in message
news:72**********************************@microsof t.com...

Here is a question that should get everyone going.

I have an ecommerce site where I need to pass the order_id to every page.
So
which method is the best practice to pass this variable between pages:
Cookies or Session variable or by the HTTP header (either GET querystring
or
POST form)?

I do not like to use sessions because they time out after 20 minutes of
inactivity.

I do not like to use cookies because the user can disable the use of
cookies
through their browser setttings.

I am not big on the querystring/form method but it looks like it might be
the safest way to ensure the app will not break.

Is there a document which talks about the best practice to do this?

TIA.

Hello Paul ,
Cookies are a problem in this situation because they have a size limit ( to
be exact 4096 bytes wich means that you can store a string of 255
characters max )

you can extend the session timeout if you feel that 20 minutes inactivity
( =default ) is to short to close the session

what i also do in my programs is storing info in hidden form fields

see this website for an example how session vars would work
http://www.bildelskatalogen.se/ ( swedish ,, but it is pretty clear )
regards

Michel Posseth [MCP]

"Paul" <Pa**@discussions.microsoft.com> wrote in message
news:8D**********************************@microsof t.com...

Why are cookies a problem?

When you say "Make sure you account for a timed-out session", what do you
mean? If I store the variable in a session variable, and the session times
out, then I lose the order. Even if I do a check to see if the session
timed
out, it still means that the order will be invalid because I will have
lost
order id?

I like session variables also but I have a problem with the timeout.

I think cookies are the best solution, why do you think they are a
problem?

"Kevin Spencer" wrote:

Hi Paul,

Passing an order_id to every page could be a problem, as a hacker could
use
the order_id to perform various types of nefarious operations, depending
upon how well you defend your app. Cookies can be a problem. Even Session
Cookies can be a problem, but most browsers allow Session Cookies. I
would
recommend using Session, as it keeps all the private data on the server.
Just make sure and account for a timed-out Session.

--
HTH,

Kevin Spencer
Microsoft MVP
..Net Developer
You can lead a fish to a bicycle,
but you can't make it stink.

"Paul" <Pa**@discussions.microsoft.com> wrote in message
news:72**********************************@microsof t.com...

> Here is a question that should get everyone going.
>
> I have an ecommerce site where I need to pass the order_id to every
> page.
> So
> which method is the best practice to pass this variable between pages:
> Cookies or Session variable or by the HTTP header (either GET
> querystring
> or
> POST form)?
>
> I do not like to use sessions because they time out after 20 minutes of
> inactivity.
>
> I do not like to use cookies because the user can disable the use of
> cookies
> through their browser setttings.
>
> I am not big on the querystring/form method but it looks like it might
> be
> the safest way to ensure the app will not break.
>
> Is there a document which talks about the best practice to do this?
>
> TIA.