cookies

Do people usually enable or disable cookies on their websites? Just done some testing on my PC and then suddenly realised my site is stopping people from adding to cart unless it gets permission to use cookies on the PC!
Help....
 

Cookies are usually allowed as default and people have to opt out, so to speak. Some security software does block by default though so there will be a small percentage lost.
 

FireFleur

There are other methods than cookies to session control, but they all have problems.

So, if you surf without cookies you will notice it fairly quickly.

HTTP is stateless, so you make a request to a server and it responds; it has no concept of continued connection. So state is applied via another mechanism, which is normally cookies.
 

Adam Moore

Most browsers have cookies enabled by default and people don't often disable them these days because it causes more problems than it solves.

Some browsers or networks don't like third party cookies - i.e. cookies with the name of your e-commerce or analytics package rather than that of your site. If you feel this is an issue you should be able to arrange to serve first party cookies, but unless you have hard evidence that this is a problem I really wouldn't bother.
 

silklink

Your eCommerce package might enable you to change from forced cookies to URL and form session controls. I wouldn't rely on users enabling cookies. I put them there for those who use them, but to maintain a session of current data I would also use url and form controls.
 

fisicx

As long as you let the visitor know that they can't get to your shopping basket without enabling cookies and you tell them which one to enable there isn't usually a problem.
 

FireFleur

The problem with putting session control in the URL is security, you should run the entire site on https if you do that.

If you use form post submission then every link should also send session control and that is a security risk (session hijacking) but it also makes the construction of the site awkward.

Cookies are the best form of session control at the moment, they allow you to run a site where you can move in and out of session and they can be secured to allow limited access.
 

FireFleur

If you think about it, people disable cookies because they don't want to be tracked. If they go to a site that uses tracking in another mechanism they won't use that site as well, for the same reasons.

It is just about token exchange to maintain session.

Cookies offer the secure way of doing this, the others have the problem of unsecured cookies.

So, a cookie should be sent only over https, all session should be in https, sent only under a specific directory and only accessible via http (not javascript).

What I do is set another cookie that is a boolean to indicate logged in status if I want to do anything with the interface (not relied upon), and that cookie gets set to the top level and accessible via javascript. The session cookie is protected and is used to determine state and identity.

There are trivial uses of cookies for things like preferences, and those tend to be treated more simply, but of course preferences are tied to identity so all you need is the token and preferences can be stored server side.

Javascript is another one not fully credited: it can be used to increase security and reduce security. Same with cookies: used properly it is the most secure; configured incorrectly it leaks, but it leaks just as much as the other methods, less than the URL one, which has an extra interesting attack vector associated with it.
 
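Added example, not part of the post above and not the poster's own code: the two-cookie scheme it describes, built with Python's standard `http.cookies`, plus a small audit that flags a session cookie missing those attributes. The cookie names, the `/account` path, the in-memory `SESSIONS` store and the `Secure` flag on the hint cookie are assumptions made for illustration.

```python
import secrets
from http.cookies import SimpleCookie

SESSIONS = {}  # server-side store: token -> user id (in-memory stand-in, assumption)

def login_cookies(user_id, session_path="/account"):
    """Set-Cookie values for the protected session cookie and the UI hint cookie."""
    token = secrets.token_urlsafe(32)          # opaque, unguessable token
    SESSIONS[token] = user_id
    jar = SimpleCookie()
    jar["session"] = token
    jar["session"]["secure"] = True            # only sent over https
    jar["session"]["httponly"] = True          # not readable from JavaScript
    jar["session"]["path"] = session_path      # only sent under this directory
    jar["logged_in"] = "1"                     # interface hint only, never trusted
    jar["logged_in"]["secure"] = True          # assumption: whole site is https
    jar["logged_in"]["path"] = "/"             # top level, readable by scripts
    return [m.OutputString() for m in jar.values()]

def current_user(cookie_header):
    """Identity comes from the session token alone; logged_in is ignored."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    token = jar["session"].value if "session" in jar else None
    return SESSIONS.get(token)

def audit(set_cookie_value, protected=("session",)):
    """List hardening attributes missing from a protected cookie."""
    jar = SimpleCookie()
    jar.load(set_cookie_value)
    findings = []
    for name, m in jar.items():
        if name not in protected:
            continue
        if not m["secure"]:
            findings.append(f"{name}: missing Secure")
        if not m["httponly"]:
            findings.append(f"{name}: missing HttpOnly")
        if m["path"] in ("", "/"):
            findings.append(f"{name}: not limited to a sub-path")
    return findings

if __name__ == "__main__":
    for value in login_cookies("alice"):
        print("Set-Cookie:", value, "->", audit(value) or "ok")
    print(audit("session=abc123; Path=/"))     # constructed weak header
```
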

silklink

While security is an issue, session 'tokens' can be sent via cookies, URLs or hidden fields in forms. I prefer the latter to maintain a simple session and I POST my forms, as opposed to using a REQUEST. I use POST with the buggerance of users having to re-load pages when they use the browser back button and the like.

For someone to save a shopping list, cookies can be used, which don't really pose a security problem. I think a better way is to save the shopping list onto the server/database and make people log in with a reasoned comment or two on how security really matters.
 