+1  Q: 

Disabled cookies

What options do I have to work around disabled cookies for session management?

+2  A: 

You can append an SID variable to every link you output to the user. PHP has some built-in support for this.

robertc
+2  A: 
  • In the page, in a hidden field
  • In the query string
  • In the HTTP header
Russ Cam
Can you elaborate on "in the HTTP header?"
ojrac
@ojrac - take a look at this article (it's ASP.NET-specific, I'm afraid, but it explains the concept reasonably well) - http://www.codeproject.com/KB/aspnet/SessionManagementAspNet.aspx
Russ Cam
+2  A: 

Well, all a cookie does is hold on to the big ugly string your system generated as that user's session identifier (SID) for you. If you don't have cookies, the goal is to get that SID sent in with every request from that specific user.

Creating a hidden form field with the SID in it is necessary when you are accepting input from the user. You should probably read up a bit on Cross-Site Scripting vulnerabilities - might as well head these off while you're monkeying with your forms anyway.

Adding data to links (via the query string) is typically called "URL Rewriting", so just look that up for details. The upshot is that every time you output a link it must have the SID as one of the parameters in the query string.

For example: "http://mysite.com/action?SID=da83fdec49ebfafe4"

Some frameworks can handle this URL rewriting semi-transparently.

Benjamin Cox
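
Added example, not part of any answer above: a minimal Python sketch of the hidden-field and URL-rewriting approaches, with the SID generated server-side, appended only to same-site links, rejected when the server did not issue it, and rotated at login. The `SESSIONS` store, the function names and `SITE_HOST` are assumptions made for illustration.

```python
import secrets
from html import escape
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

SITE_HOST = "mysite.com"   # host from the example URL in the answer above
SESSIONS = {}              # constructed in-memory store: SID -> session data

def new_session():
    """Issue a server-generated, unguessable SID."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {}
    return sid

def rewrite_link(url, sid):
    """Append the SID to same-site http(s) links only, so other sites never receive it."""
    parts = urlsplit(url)
    external = parts.netloc and parts.netloc.lower() != SITE_HOST
    if parts.scheme not in ("", "http", "https") or external:
        return url
    # Drop any stale SID parameter before adding the current one.
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True) if k != "SID"]
    query.append(("SID", sid))
    return urlunsplit(parts._replace(query=urlencode(query)))

def hidden_field(sid):
    """Hidden form field carrying the SID for submitted forms."""
    return '<input type="hidden" name="SID" value="%s">' % escape(sid, quote=True)

def sid_from_request(url, form=None):
    """Read the SID from the form body or query string; SIDs the server never issued are rejected."""
    candidates = dict(parse_qsl(urlsplit(url).query))
    candidates.update(form or {})
    sid = candidates.get("SID", "")
    return sid if sid in SESSIONS else None

def login(old_sid):
    """Rotate the SID at login so a URL shared or logged before login stops working."""
    data = SESSIONS.pop(old_sid, {})
    sid = new_session()
    SESSIONS[sid] = data
    return sid
```
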