views: 38
answers: 2

How do you handle keeping a user logged in or updating a cart when you can't use sessions? Adding the userId or cartId to hidden input fields feels like a security flaw.

+1  A: 

Well, either you have to store the session ID in a cookie or in a query string parameter.

You're right that using a parameter is a security flaw. All someone has to do is share their URL and they've given away their website identity.

Some frameworks, like Rails, don't let you use sessions if cookies aren't available, and personally I think this is an acceptable stance to take if you're serious about security.

Gareth
How fast can you solve the Rubik's Cube?
nikic
A: 

Adding a session-like ID to every form (and every plain link outside forms too, if you want to be able to keep state over browsing) is indeed the way it was traditionally done when you can't use cookies.

It's such a pain to implement parameter-sessions (with ugly /page.php?session=459gj0tv789yn-style links), it breaks caching, and users can't copy and paste links in case they accidentally share sessions. For these reasons, most sites don't bother with this any more, and simply require cookies.

Another thing you can do is use HTTP Basic Authentication to allow the user to sign into an account, and store all session information on the account. This is a bit less convenient for a shopping cart as you have to require the user to sign in before they put anything in a cart, but in the general case it's a good alternative to cookies.

bobince
Yeah, I s'pose I've never browsed around with cookies disabled to get a sense of just how many sites explicitly require cookies vs. fall back to a cookie-less system. Thanks for the HTTP basic auth idea. That seems like a good enough solution for those too paranoid for cookies.
Nat
People who disable cookies or referrers or change the user agent string are normally people who know what they're doing and know that it will break many pages. Thus I wouldn't bother implementing something for those.
nikic
HTTP basic authentication is only a good idea if you think sending a plaintext password *with every request* is a good idea. Remember that Basic Auth is just username:password encoded in Base64, sent in an HTTP header...
Gareth
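The three points made in this thread, as an added worked example that is not part of the question or of either answer: a hidden userId field is trusted client input and can be forged; a server-side session keyed by an unguessable ID fixes that, but the cookie-less fallback of rewriting the ID into every link means a shared URL hands over the session; and a Basic Auth header really is just base64(username:password). The `SessionStore` class, the helper function names, and the sample URL and credentials are all hypothetical and constructed here for illustration; nothing below is taken from Rails, PHP, or any other framework.

```python
import base64
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit


class SessionStore:
    """Hypothetical in-memory session store: the client only ever sees the
    opaque session ID; the user ID and cart live on the server."""

    def __init__(self):
        self._sessions = {}

    def create(self, user_id):
        # 32 random bytes, URL-safe alphabet [A-Za-z0-9_-]: not guessable,
        # unlike a sequential userId or cartId.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user_id": user_id, "cart": []}
        return sid

    def lookup(self, sid):
        return self._sessions.get(sid)


def cart_owner_from_hidden_field(form):
    """The flawed design from the question: whatever the client put in the
    hidden userId field is treated as the cart's owner."""
    return form["userId"]


def cart_owner_from_session(store, form):
    """The form carries only the session ID; the owner is resolved
    server-side, so the client cannot choose whose cart it edits."""
    session = store.lookup(form.get("session", ""))
    if session is None:
        raise PermissionError("no valid session")
    return session["user_id"]


def rewrite_link(url, sid):
    """Cookie-less fallback: append the session ID to a link's query string
    (the /page.php?session=... style of link from the second answer)."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    query["session"] = [sid]
    return urlunsplit(
        (parts.scheme, parts.netloc, parts.path, urlencode(query, doseq=True), parts.fragment)
    )


def session_id_from_shared_url(url):
    """What anyone who receives a copied link can do: read the session ID
    straight back out of it."""
    return parse_qs(urlsplit(url).query).get("session", [None])[0]


def basic_auth_header(username, password):
    """Build the Authorization header a browser sends for HTTP Basic Auth."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic_auth(header_value):
    """Recover the credentials from a Basic Auth header: base64 is encoding,
    not encryption, so the password is effectively sent in clear with every request."""
    scheme, _, payload = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Auth header")
    username, _, password = base64.b64decode(payload).decode("utf-8").partition(":")
    return username, password


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice")

    # Constructed attacker request: forged hidden field names another user.
    print(cart_owner_from_hidden_field({"userId": "bob"}))          # bob (forged)
    print(cart_owner_from_session(store, {"session": sid}))         # alice

    # Constructed link; whoever it is pasted to now holds alice's session.
    link = rewrite_link("https://shop.example/cart?item=7", sid)
    print(session_id_from_shared_url(link) == sid)                  # True

    # Constructed credentials; the header is trivially reversible.
    print(decode_basic_auth(basic_auth_header("alice", "hunter2")))  # ('alice', 'hunter2')
```

Two design notes: the session ID is only as good as its unpredictability, which is why it comes from `secrets` rather than from a counter or a hash of the user ID, and a session ID placed in a URL is additionally exposed through browser history, server logs, and the Referer header sent to any third-party link on the page, which is why the second answer's "just require cookies" stance is the usual conclusion.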