Server Side Cookies

Status
Not open for further replies.

1DMF

Programmer
Jan 18, 2005
8,795
GB
Hello,

I have a system using the CGI module for leaving 'client-side' cookies.

I'd rather store the details server side and just have a mechanism for identifying the client.

Is this possible, and how? I can't see how the CGI module does it; the cookie capabilities seem to be client-side cookies.

How do you correctly identify a client via some type of session cookie, attach a value / attributes to it, and store it server side?

The problem being Firefox turns ALL cookies off by default.

I don't want to annoy the website visitor with 'no cookies' messages as the cookie doesn't stop the visitor from fully using the site as intended, but it makes it hard to track the affiliate code / id of the referring link.

I want to track the visitor without JavaScript, cookies or any other type of client-side coding.

Thanks, 1DMF

"In complete darkness we are all the same, only our knowledge and wisdom separates us, don't let your eyes deceive you."

"If a shortcut was meant to be easy, it wouldn't be a shortcut, it would be the way!
 
Your original system is actually the preferred way to work: the client (browser) only holds an identifier in cookies. Your server system uses that identifier to obtain all the other information for that user/session.

For the user that turns cookies off, then you have to fall back to passing the keys via forms, and having all your internal links either javascripted submits or being GET URLs (" )

That works to a point, but the key is out there on every link. Nothing to stop Eve from looking at the URLs, tweaking the session component and end up impersonating somebody else. It also becomes part of any bookmark the client makes and possibly sends to their friends/family/associates/mailing lists.
 
I'm sorry, I misread part of what you are doing.

The way you propose to work is the preferred way of doing things; much better than storing all the details in the client's cookie jar.

The client still needs to enable cookies though, to accept the identifier.
 
The client still needs to enable cookies though, to accept the identifier.

So basically there is no way of 'tagging' and 'identifying' a client without client side cookies?

I'm not sure what you think I'm storing in the client-side cookie, but it is simply a number, and if anyone else used the number, all they would do is assign credit to someone else's account, pretty pointless.

URL is no good, the landing page is a 301 redirect and must not include any querystring else it would corrupt the resulting page for SEO.

The landing pages are static HTML so no hidden field can be used, and I refuse to use JavaScript; my code is specifically written to work without JS enabled and I want to keep it that way.

Hmm, is there nothing I can use to identify the client machine?

 
Cookies are the least invasive of all the options possible.

A client by default doesn't send identifiable information; it just makes an HTTP request. It's way way waaaaay too risky to build an identifier based upon a referer IP/user agent/any other information in the request; it would generally only identify the subset of users using a particular browser behind any router with NAT.

That's part of the reasoning behind cookies.

As you suggested, the only information needed to be stored on the client side is the session ID. But to do this, the client needs to enable cookies.
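
The pattern the replies describe (the browser holds only an opaque identifier, the affiliate code stays on the server), sketched in Python as an added example that is not part of the thread or the poster's CGI code. The cookie name `sid`, the 30-minute lifetime, the in-memory store and the sample affiliate code are assumptions.

```python
import secrets
import time
from http.cookies import CookieError, SimpleCookie

COOKIE_NAME = "sid"      # hypothetical cookie name
SESSION_TTL = 30 * 60    # assumed lifetime in seconds
_store = {}              # session id -> record; stands in for a database table


def start_session(affiliate_id, now=None):
    """Record the affiliate server side; return the Set-Cookie header value."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)  # 256 random bits, so an ID cannot be guessed
    _store[sid] = {"affiliate": affiliate_id, "expires": now + SESSION_TTL}
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = sid
    morsel = cookie[COOKIE_NAME]
    morsel["path"] = "/"
    morsel["httponly"] = True    # not readable from page scripts
    morsel["secure"] = True      # sent over HTTPS only
    morsel["samesite"] = "Lax"
    return morsel.OutputString()


def lookup_affiliate(cookie_header, now=None):
    """Map the request's Cookie header to an affiliate id, or None."""
    now = time.time() if now is None else now
    jar = SimpleCookie()
    try:
        jar.load(cookie_header or "")
    except CookieError:
        return None               # malformed header: treat as no session
    morsel = jar.get(COOKIE_NAME)
    record = _store.get(morsel.value) if morsel is not None else None
    if record is None:
        return None               # missing, altered or unknown identifier
    if record["expires"] <= now:
        del _store[morsel.value]  # expired: forget it server side
        return None
    return record["affiliate"]


if __name__ == "__main__":
    header = start_session("AFF-1042")  # constructed sample affiliate code
    print("Set-Cookie:", header)
    sid = header.split(";")[0].split("=", 1)[1]
    print(lookup_affiliate(f"{COOKIE_NAME}={sid}"))    # the stored code
    print(lookup_affiliate(f"{COOKIE_NAME}={sid}x"))   # altered ID
```

A request with no cookie, or with an identifier the server never issued, simply gets no affiliate credit; the affiliate code itself never appears in the header sent to the browser.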

 
and if you do sessions right you can limit sessions to a single IP and if you see any abnormal activity you can end the session and force a re-login

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Travis - Those who say it cannot be done are usually interrupted by someone else doing it; Give the wrong symptoms, get the wrong solutions;
 
So basically the answer to my question is 'No'. :-( Oh well, it was just a thought.

 