tags:

views:

38

answers:

2
+1  Q: 

Best practices for "disable all cookies" setting and logged in users / carts

How do you handle keeping a user logged in or updating a cart when you can't use sessions? adding the userId or cartId to hidden input fields feels like a security flaw

+1  A: 

Well, either you have to store the session ID in a cookie or in a query string parameter.

You're right that using a parameter is a security flaw. All someone has to do is share their URL and they've given away their website identity.

Some frameworks, like Rails, don't let you use sessions if cookies aren't available, and personally I think this is an acceptable stance to take if you're serious about security.

Gareth  2010-09-26 14:31:54
How fast can you solve the Rubics Cube?
nikic  2010-09-26 15:29:47
A: 

Adding a session-like ID to every form (and every plain link outside forms too, if you want to be able to keep state over browsing) is indeed the way it was traditionally done when you can't use cookies.

It's such an pain to implement parameter-sessions (with ugly /page.php?session=459gj0tv789yn-style links), it breaks cacheing and users can't copy-and-paste links in case they accidentally share sessions. For these reasons, most sites don't bother with this any more, and simply require cookies.

Another thing you can do is use HTTP Basic Authentication to allow the user to sign into an account, and store all session information on the account. This is a bit less convenient for a shopping cart as you have to require the user to sign in before they put anything in a cart, but in the general case it's a good alternative to cookies.

bobince  2010-09-26 14:36:15
yeah i s'pose i've never browsed around with cookies disabled to get a sense of just how many sites explicitly require cookies vs fall-back to a cookie-less system. Thanks for the HTTP basic auth idea. that seems like a good enough solution for those too paranoid for cookies
Nat  2010-09-26 14:51:41
People who disable cookies or referrers or change the user agent string are normally people who know what they're doing and know that it will break many pages. Thus I wouldn't bother implementing something for those.
nikic  2010-09-26 15:28:33
HTTP basic authentication is only a good idea if you think sending a plaintext password *with every request* is a good idea. Remember that Basic Auth is just username:password encoded in Base64, sent in an HTTP header...
Gareth  2010-09-27 01:10:00

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases