design question: sessions vs arguments

I'm finishing my 2nd php project. It's a sort of catalog and I used
css/mysql as well. All the functionality of the site is mainly because
the great number of arguments I pass to every page on the address bar.
For example
*number of items to display
*categories
*brands
*user_id
*price interval
*...
*...
Note that the arguments aren't editable, because I've implemented a
sort of extra verifier argument which works quite well

The question is:
In order to achieve a good design and therefore a good product, should
I have to use session variables instead, or is it just a way to do the
same?

I would like to begin my next project with the right choice...

regards - jm

Mar 1 '06 #1
julian_m wrote:
> I'm finishing my 2nd php project. It's a sort of catalog and I used
> css/mysql as well. All the functionality of the site is mainly because
> the great number of arguments I pass to every page on the address bar.
> For example
> *number of items to display
> *categories
> *brands
> *user_id
> *price interval
> *...
> *...
> Note that the arguments aren't editable, because I've implemented a
> sort of extra verifier argument which works quite well
>
> The question is:
> In order to achieve a good design and therefore a good product, should
> I have to use session variables instead, or is it just a way to do the
> same?
>
> I would like to begin my next project with the right choice...
>
> regards - jm

Sessions, when they are used this way, implement another level of
'security through obscurity'. That is they make it just a little bit
harder to see what data is being passed back and forth. If you are not
using cookie-based sessions, the obscurity factor goes up again.

Sessions also prevent the issue of cutting and pasting the URL into a)
multiple browsers or b) as bookmarks. While you can detect edits to your
argument data, can you detect replays? If not, you may have an issue.

I try to hide as much information from the browser as I can simply
because what they can't see, they can't futz around with ;-)

-david-

Mar 1 '06 #2
julian_m wrote:
> In order to achieve a good design and therefore a good product, should
> I have to use session variables instead, or is it just a way to do the
> same?

Don't do it. Using session variables to somehow hide GET variables
causes major navigation issues when visitors view your site in multiple
tabs/windows.

Mar 1 '06 #3

Chung Leong wrote:
> julian_m wrote:
> > In order to achieve a good design and therefore a good product, should
> > I have to use session variables instead, or is it just a way to do the
> > same?
>
> Don't do it. Using session variables to somehow hide GET variables
> causes major navigation issues when visitors view your site in multiple
> tabs/windows.

That is one of the reasons why I work "hyper"populating the address
bar, even though it isn't beautiful at all.

David seems to have another opinion though. I was sure it will be the
beginning of the war ;)

regards - jm

Mar 1 '06 #4

David Haynes wrote:
> While you can detect edits to your
> argument data, can you detect replays?

Well, actually, I could. Just adding inside the argument verifier (md5)
the date it was created, and comparing it against the server date.
Nothing brilliant, just an idea...

saludos - julian

Mar 1 '06 #5
Chung Leong wrote:
> julian_m wrote:
> > In order to achieve a good design and therefore a good product, should
> > I have to use session variables instead, or is it just a way to do the
> > same?
>
> Don't do it. Using session variables to somehow hide GET variables
> causes major navigation issues when visitors view your site in multiple
> tabs/windows.

Like already being logged in when you browse the same site in another
window or tab? I would think that's a good thing.

My advice would be the opposite, don't pass data in the URL unless you
have a good reason to, and there often are good reasons.

I wouldn't suggest you set a product category in a session, but for the
user info, #items/page, etc there is no reason to pass it in the url,
and reasons why it would be beneficial to have it in the session.
Think which items should apply to the users "session", and which should
apply to individual instances (browser windows/tabs) of the session.

Cheers,
Carl.
Mar 1 '06 #6
julian_m wrote:
> David Haynes wrote:
> > While you can detect edits to your
> > argument data, can you detect replays?
>
> Well, actually, I could. Just adding inside the argument verifier (md5)
> the date it was created, and comparing it against the server date.
> Nothing brilliant, just an idea...
>
> saludos - julian

Hmmm...
I don't see how that would work.
You'd send out a page to a browser with an encoded timestamp.
It would send back some $_GET data presumably with the timestamp returned.
Somehow you would do delta on the timestamp to determine whether this
was a replay???

The usual way to do this is to hand a sequential number to the page
which, in turn, hands it back. The sequential number is then marked as
'processed' and all subsequent returns of the number are invalidated.

-david-

Mar 1 '06 #7
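
The two replay checks discussed above, side by side, as an added example that is not code from any poster in this thread. It assumes an HMAC-SHA256 signature in place of the bare md5 verifier, a random one-time value in place of the sequential number, and an in-memory array standing in for the server-side "processed" store; the function names, key and sample parameters are constructed.

```php
<?php
// Added example: all names, the key and the sample parameters are constructed.
const MAX_AGE = 300; // seconds a signed link stays valid (assumed policy)

function sign_params(array $params, string $key, int $now): array {
    $params['ts'] = $now;                         // issue time inside the verifier
    $params['nonce'] = bin2hex(random_bytes(8));  // one-time value handed to the page
    ksort($params);                               // canonical order before signing
    $params['sig'] = hash_hmac('sha256', http_build_query($params), $key);
    return $params;
}

function verify_params(array $query, string $key, array &$processed, int $now): string {
    $sig = (string)($query['sig'] ?? '');
    unset($query['sig']);
    ksort($query);
    $expected = hash_hmac('sha256', http_build_query($query), $key);
    if (!hash_equals($expected, $sig)) {          // constant-time comparison
        return 'tampered';
    }
    if ($now - (int)$query['ts'] > MAX_AGE) {     // timestamp only bounds the window
        return 'expired';
    }
    if (isset($processed[$query['nonce']])) {     // already handed back once
        return 'replayed';
    }
    $processed[$query['nonce']] = true;           // mark as processed
    return 'ok';
}

$key = 'constructed-demo-key';  // placeholder; a real key never leaves the server
$processed = [];                // stand-in for a database table or cache
$t0 = 1141200000;               // constructed issue time

$link = sign_params(['user_id' => 42, 'items' => 20, 'brand' => 'acme'], $key, $t0);
echo verify_params($link, $key, $processed, $t0 + 10), "\n";  // first use
echo verify_params($link, $key, $processed, $t0 + 20), "\n";  // same link, still inside the window

$edited = $link;
$edited['user_id'] = 43;        // address-bar edit
echo verify_params($edited, $key, $processed, $t0 + 30), "\n";

$stale = sign_params(['user_id' => 42], $key, $t0);
echo verify_params($stale, $key, $processed, $t0 + MAX_AGE + 1), "\n";
```

The second call is the case the timestamp alone cannot catch: the link is unmodified and still inside its validity window, so only the processed-nonce lookup rejects it.
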
Carl wrote:
> Like already being logged in when you browse the same site in another
> window or tab? I would think that's a good thing.

I assure you that those who use the feature are very much dependent on
it. When I reply to posts on Google Group, for example, I frequently
would flip back to the previous screen in a different so I can see
what's been said already. On occasions I would open still another tab
when I want to cite a previous thread.

> My advice would be the opposite, don't pass data in the URL unless you
> have a good reason to, and there often are good reasons.


It really isn't a matter of making a choice between GET and session.
It's about using something in the manner that it's designed for.
Session variables are designed for persistency. If that's what the
situation calls for, then use them. If not, then use something better
suited.

HTTP is a stateless protocol (by and large). A GET operation is
understood to be side-effect-less (i.e. read-only). When you stuff URL
parameters into the session, you're violating this basic assumption,
and predictably, bad things happen: bookmarking goes bust, tab-browsing
behaves weirdly, search engines can't spider your site, etc.

Mar 2 '06 #8
I forgot to list "the inability to utilize page caching," which is a
serious minus when you care anything about scalability.

Mar 2 '06 #9
Chung Leong wrote:
> Carl wrote:
> > Like already being logged in when you browse the same site in another
> > window or tab? I would think that's a good thing.
>
> I assure you that those who use the feature are very much dependent on
> it. When I reply to posts on Google Group, for example, I frequently
> would flip back to the previous screen in a different so I can see
> what's been said already. On occasions I would open still another tab
> when I want to cite a previous thread.

Did you have to log in again when you opened a new tab? The OP made a
comment about passing, among other things, a "user_id" in the url. I am
suggesting this is more appropriately placed in the session.

> > My advice would be the opposite, don't pass data in the URL unless you
> > have a good reason to, and there often are good reasons.
>
> It really isn't a matter of making a choice between GET and session.
> It's about using something in the manner that it's designed for.
> Session variables are designed for persistency. If that's what the
> situation calls for, then use them. If not, then use something better
> suited.

It sounds to me like you're saying you should use GET unless it's a
persistent value, I say don't use get unless it's NOT a persistent value.
Tomatoe, Potatoe :)

> HTTP is a stateless protocol (by and large). A GET operation is
> understood to be side-effect-less (i.e. read-only). When you stuff URL
> parameters into the session, you're violating this basic assumption,
> and predictably, bad things happen: bookmarking goes bust, tab-browsing
> behaves weirdly, search engines can't spider your site, etc.

I may not have made myself clear, though I am pretty sure we are arguing
the same point here. You mention handling "URL parameters", and I gave a
suggestion on how to determine what constitutes a "URL parameter".
Most posts before mine seemed to give a yes/no type answer, I was simply
_attempting_ to suggest that it is not as simple as that, and that
different problems require different solutions.

I replied to your post in which you said:
> Don't do it. Using session variables to somehow hide GET variables
> causes major navigation issues when visitors view your site in multiple
> tabs/windows.

And I suggested that passing the user_id in the url would require you to
log back in if you navigate back to the site in another browser/tab.
*Broken*, IMHO.

Cheers.
Carl.
Mar 2 '06 #10
Carl wrote:
> It sounds to me like you're saying you should use GET unless it's a
> persistent value, I say don't use get unless it's NOT a persistent value.
> Tomatoe, Potatoe :)

Well, that's a pretty amazing conclusion, consider that your comment
was "my advice would be the opposite." In any event, what I was saying
must have made better sense, as it doesn't involve a double negation.

> And I suggested that passing the user_id in the url would require you to
> log back in if you navigate back to the site in another browser/tab.
> *Broken*, IMHO.


And your suggestion would be wrong. If the user_id is in the URL then
it would obviously be retained when you navigate to it in a new tab.

Mar 3 '06 #11
