Saving Browser State without Cookies
Paul Rubin
phr-n2002a at nightsong.com
Thu Feb 7 19:55:42 EST 2002
"Steve Holden" <sholden at holdenweb.com> writes:
> However, *if* PHP allows you to associate requests with session state, then
> *either*:
>
> a) it does use cookies, you just don't know about them, or
> b) it puts session references in the URL.
>
> There simply isn't any other available mechanism. So maybe what you're
> looking for is an interface that hides the cookie implementation from the
> programmer?

There are several other ways to track session:

- Hidden form fields populated by the server
- User data persistence (a messy and evil IE-specific cookie-like data store)
- SSL session identifier (beware, not guaranteed to be persistent)
- Put session tag in the URL of a surrounding or internal frame, and
  retrieve the tag with client side JavaScript (pass back to server via
  hidden form field). That's a variant of the URL scheme but keeps the
  session tags out of the navigation bar.
- Maybe other stuff I haven't thought of
- Client side browser extensions can use various schemes of their own

The most important thing is not to send server-confidential information
like database passwords to the client under any circumstances, and do NOT
eval stuff that the client sends to the server (someone had suggested
a scheme like that). Also, don't use the pickle module or the default
("smart") cookie objects from the cookie module to build cookie strings.
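
Added example, not part of the original post: one way to carry a session in a server-populated hidden form field while following the advice above. State stays on the server, the field holds only an opaque id protected by an HMAC, and the returned value is parsed as JSON data rather than passed to eval or pickle. The names SERVER_KEY, MAX_AGE, SESSIONS, new_session and load_session are assumptions made for this sketch.

```python
import hashlib
import hmac
import json
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # assumed: generated and kept server-side only
MAX_AGE = 1800                        # assumed policy: token lifetime in seconds
SESSIONS = {}                         # session state never leaves the server


def _mac(body, key):
    return hmac.new(key, body, hashlib.sha256).hexdigest().encode("ascii")


def new_session(state, now=None, key=SERVER_KEY):
    """Store state server-side; return the string for <input type="hidden">."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = state
    issued = int(time.time() if now is None else now)
    body = json.dumps({"sid": sid, "iat": issued}).encode("utf-8").hex().encode("ascii")
    return (body + b"." + _mac(body, key)).decode("ascii")


def load_session(field, now=None, key=SERVER_KEY):
    """Return the stored state, or None if the field is altered, malformed or stale."""
    if not isinstance(field, str) or field.count(".") != 1:
        return None
    body, mac = (part.encode("ascii", "replace") for part in field.split("."))
    # Verify the MAC before interpreting anything the client sent back.
    if not hmac.compare_digest(mac, _mac(body, key)):
        return None
    try:
        # json.loads yields plain data only; no eval() and no pickle.loads().
        data = json.loads(bytes.fromhex(body.decode("ascii")).decode("utf-8"))
    except ValueError:
        return None
    if not isinstance(data, dict):
        return None
    sid, issued = data.get("sid"), data.get("iat")
    if not isinstance(sid, str) or not isinstance(issued, int):
        return None
    current = time.time() if now is None else now
    if not 0 <= current - issued <= MAX_AGE:
        return None
    return SESSIONS.get(sid)
```

The same signed value works unchanged as a URL parameter or a cookie value, since it contains only hex digits and a dot.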