We are programming a new web application framework (Second WAF). I was wondering if we should support cookieless sessions or not.
Who uses it and who needs it?
It is a good feature, but several aspects have to be taken into account.
I was wondering if we should support cookieless sessions or not.
I think this depends largely on your user base. In my organization we support several intranet applications. We also control our users' desktops. Since we control their desktop environment, we can control browser settings and ensure cookies are enabled. Because of this and the increased risk of session hijacking, there is no reason for us to ever allow cookieless sessions.
Who uses it and who needs it?
Those who need to support sessions regardless of the end users' browser settings would need to implement cookieless sessions, keeping in mind the implications of doing so.