Beefy Boxes and Bandwidth Generously Provided by pair Networks
P is for Practical

Maintain Session without Cookies?

by Coplan (Pilgrim)
on Feb 22, 2002 at 00:52 UTC ( #146842=perlquestion: print w/replies, xml ) Need Help??
Coplan has asked for the wisdom of the Perl Monks concerning the following question:

I maintain a website that uses a lot of perl, and depends on cookies. A friend put a bug in my ear and has me considering the idea of doing session management without cookies. The advantage that I see would be that I would not require users to accept cookies to use the website (I imagine cookies still scare some people).

Now I admit, I am not exactly a good perl hacker, and I still have very much to learn. While I did do a search on CPAN, and I found a couple of modules that I may be able to use, I'm still not exactly sure how I need to approach this. For that matter, I'm still not sure if I should.

First of all, should I consider switching to a non-cookie session management system for my website? I'd like to see arguments for or against this (as opposed to useing cookies). Second of all, if anyone has had some experience with this, maybe you could help me better understand what I really need to be learning. While a search on CPAN does yield a great deal on the topic, I'm not sure exactly what I would need.

Thank you for your help.


Replies are listed 'Best First'.
Re: Maintain Session without Cookies?
by tjh (Curate) on Feb 22, 2002 at 02:42 UTC
Re: Maintain Session without Cookies?
by jepri (Parson) on Feb 22, 2002 at 01:06 UTC
    In general terms, cookies are now accepted everywhere, like visa. Almost every browser has the capability to handle cookies, and most of them have sophisticated ways of making sure that you don't accidentally give cookies to advertisers, even if the adverts appear on a site that is also handing out cookies.

    Doing without cookies means embedding a unique number in every link, sort of like: Then every time someone clicks a link you extract the number on use it to load the session data. Quite painful, but certainly doable. It also gets worse if you generate a new unique number for each page (people can't press the back button any more).

    I didn't believe in evil until I dated it.

•Re: Maintain Session without Cookies?
by merlyn (Sage) on Feb 22, 2002 at 03:30 UTC
Re: Maintain Session without Cookies?
by Ryszard (Priest) on Feb 22, 2002 at 05:20 UTC
    I guess one advantage of not using cookies, is you can maintain sessions on devices that do not accept cookies, such as pda's and phones.

    The biggest disadvantage is the ease in which a session can be hijacked.

    If, for example, you cut and paste the URL and email it to another person, they will have your session. Its a rather simplistic example, but is a threat I would consider, especially if you have personal information on your site.

    Here is a good article outlining good web session security. It may be a little overkill, but great reading.

    Update: To help cover against the hijacking, a different token should be used for every page sent.

      Well, considering that the contents of the session cookie is sent to the server with each HTTP request, a cookie solution isn't that much secure anyway. If someone monitors your network traffic, hijacking the session is trivial no matter if you are using cookies or not. The only antidote is to connect through an encrypted channel.

      Granted, it's easy to cut&paste the URL and mail it to someone else, but if you're that eager to compromise your own security you could just as well edit the contents of cookies.txt.


      If you embed session the URL, use some common sense:
      • if a session shows no activity for 30 minutes, kill the session and start a new one. depending on your site, this may mean asking for a login, or it may mean just cutting a new session key.
      • if a session comes in that is "inconsistent" (different browser type, different referrer, etc) with the last session request, kill the session.
      • as merlyn says here, make the session key unguessable
      While these don't fix the problem completely (eg users coming in from AOL via the same AOL proxy machine might be able to swap sessions if they do it reasonably quickly), they go a long way to reduce it.
Re: Maintain Session without Cookies?
by mbalex (Beadle) on Feb 23, 2002 at 09:26 UTC
    I've got access to about 6 accounts because the users had their session_ids in their referer link and went to my page.. *shudder* use Cookie or die ("too unsecure");

Log In?

What's my password?
Create A New User
Node Status?
node history
Node Type: perlquestion [id://146842]
Approved by root
and all is quiet...

How do I use this? | Other CB clients
Other Users?
Others meditating upon the Monastery: (7)
As of 2018-04-26 14:19 GMT
Find Nodes?
    Voting Booth?