Topic of Discussion -- Cookies & Session 5

[link9]

So one of the things that I am really fuzzy on is how session variables and cookies work together.

It is a major point of disagreement between many people, and I have personally witnessed session variables acting screwy when cookies are disbled. The thing is, though, that it doesn't seem to completely disable their effectiveness, which I have heard people say that it will do.

There is something about the session id that needs to be somehow persisted on the users' computers in order for the server to still know who they are, so I would think that cookies need to be enabled in order to do this... but I am not sure about that.

Anyway, what I would like is to get a little discussion going here as to EXACTLY what the relationship between the two are. I know it would clear the air for me, and maybe some other members would benefit, too.

Thanks for anyone's input!
Paul Prewett

 

[vasah20]

There are two types of cookies that can be enabled on your browser.

1) Cookies that are stored on your computer.
These are the cookies that allow you to leave a site, but have it retain your login information. One such example is tek-tips.com, and how you can persist your information across sessions.

2) Cookies that are left on a per session basis.
These cookies are synonymous with Session variables and what have you. A new session cookie is made for each new visit that you have to any webserver. These session cookies last until either the session timeout/abandon, or you close your browser.

You can disable the 1st cookie and enable the 2nd, which in turn allows you to use Sessions but not to store a cookie to remember someone's login information.

So what happens if you disable both types of cookies? Well, you won't be able to Response.Cookie anything. But more importantly, the behavior of Sessions turns a little screwy.

The webserver will send out new per-session cookies for each page that you visit, so any user with all cookies turned off will have a session id. The problem is that this session id will only last for that page view, and will not be persisted across multiple page views on your site (which is why it is so difficult to check for Session availablity on the server-side).

So to sum up -
there are two types of cookies:
1) persists data until explicitly deleted (or expired)
2) persists data until session abandon/timeout, or browser closes.

In MSIE you can see what I'm talking about by playing with your security settings.

hope this helps
leo

 

[link9]

thx leo -- You should FAQ that.

 

[vasah20]

consider it done

 

[LesleyW]

I have a problem with cookies, at least I think its a cookie problem. I am supporting a site that uses its own Session (not ASP session, this is turned off) and Site Server.

Basically the behaviour of the site on my customer's browser suggests that he has cookies disabled.

Our support function here is a bit basic - I am a developer who was involved in developing the site but I don't have access to IE 6.0 which the customer is using. Its a bit hard talking someone through (on the phone) the settings for cookies when he has a totally different version of the software to you!

Anyway, yesterday we talked through ensuring the cookies were on and from what I can tell, they were. But not having it here and doing it alongside him it was difficult to tell.

He is using IE 6 and I don't know precisely what version but it was advanced enough for him to be able to turn off and on the cookies for First and Third Party sites.

I still think its a cookie problem - he is also running a Norton Firewall which may be relevant. Any know problems with this?

What would help is if someone could direct me to a site that definitely needs cookies and exhibits specific behaviour if cookies are refused. Then if that behaviour occured on his browser I could tell him to sort out his cookies its not our problem.

Any help gratefully received!

 

[LesleyW]

Replying to my own message, I found that Hotmail.com does this.

If you do not allow either per-session or stored cookies on your browser (tried on IE 5 and 6) and Delete any previous cookies which may be stored on your hard drive (under your Windows profile), then you will get the behaviour that my customer is reporting. That is, enter login name and password, click sign in (or enter or whatever), you get the message about going from secure to non-secure , then it redirects back to the login page, reloading it so that the username and password entries are blank.

Still waiting for the customer to get back to us to confirm what happens on Hotmail. If it is as above we have proved that the problem lies in his PC accepting cookies.

 

[Ovatvvon]

With IE 6, it is now a lot more configurable (and complicated) for setting cookie permissions (along with other tasks). It allows you to get really specific with how you want things accomplished, but however if you don't pay close attention to it (as most general users will not) it'll block your cookies. I've found that the standard shipping permissions set with IE 6 do not allow cookies my personal (family) site which is a problem. So you may need to get the user to reset it to accept more cookies than it is already accepting. Lower his security as far as they go anyway should fix it. Otherwise, he'll be out of luck.

That should be your problem anyway.
-Ovatvvon :-Q

 

[link9]

We have experienced what can only be described as "buggy" behaviour with session cookies and IE6 when the user has customized their security settings.

On my box, I left the settings at default, and everything works perfectly (I use session variables ALOT in my applications). However, on one of my colleague's computers, she had set her security settings because she read something about a security hole for IE6. Once she did that, the application would not log her in.

So, we went back and set everything to the lowest settings, and still no dice. Turned on all cookies... nothing. Restored default settings... nothing.

Reinstalling IE6 was the only thing that cleared the problem up. I emailed MS about the problem, and have not received a reply from them. I don't know what that means, but I would watch for some updates to this browser in the near future.

To tell the truth, though, it's the only problem I've found with an otherwise fantastic new browser. I've been very pleased overall. Which is ALOT more that I can say for NS6.2, which although better than 4.x by a long shot, still falls short of the bar that's set by IE. Crying shame, really.

good luck!
paul

 

[LesleyW]

Thank you both for your replies on this.

Ovatvvon - I think we already tried what you suggested, as I said it is hard to tell if he is doing as we tell him over the phone!

Paul - interesting. Not good news. A colleague is speaking to the customer tomorrow . . . watch this space

 

[link9]

Update:

Add the address of your site to the trusted sites of the users' browser to get it to override the refusal of cookies. Problem is getting all users to do that, though, which probably isn't going to happen.

You'll see the settings once you get in there under the security --> advanced section of Internet Options.

good luck!
paul

 

[bobmihada]

So did anyone figure out what the problem was with IE 6 and cookies. I'm experiencing a similar situation. One out of 30 users who use IE 6 and browse my site have problems. Problem is, a session cookie is set once they log in and that should be the ony cookie set in their browser until the log out, BUT when they navigat through the site, the site is unable to detect the cookie that was set when they logged in, so it creates a new one everytime they click through.

What the....?

mike

 

[Tarwn]

Tell them to patch their browsers, I believe the first patch for IE6 took care of the session loss problem people had.
-Tarwn --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- ---

http://www.tuxedo.org/~esr/faqs/smart-questions.html

 

[fhlee]

Link9: I have also experience this problem ( It seems that the IE6's Medium security setting is NOT the same as the default (on fresh installation) ... After installation, if you alter the security level, and then subsequently set it back to Medium, some cookie functions will not work (like you reported). The only way to fix this is either to set the level to Low or re-install IE6. I didn't report it to MS though ... just thought to confirm this with you )

regards,
- Joseph
================== ~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-
Shopping -->

http://www.replicaSi.com

,

http://www.semelor.com

Soccer -->

http://www.myvteam.com

~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-

 

[objuan]

Very helpful...given this discussion, does anyone have suggestions on the best way to check and notify a user that their cookies must be enabled for a site that requires cookies to maintain identity throughout a session...say in the case of a shopping cart.

 

[vasah20]

The best way to do it (through ASP) is have a splash page of sorts, and set a cookie there.

Then, on the ensuing page see if that cookie can be found.

If it's not found, show an error message or something stating they need cookies enabled.

In addition, I also know there's a way to find out using javascript, but I'm not sure of the syntax off the top of my head.

 

[lottastuff]

Alternatively, in an include used on all pages OTHER than your first/home page, (like maybe your site uses a masthead to display a logo and some common navigation links), include a block of code prior to displaying any HTML that does the following:

<%
Dim intPos ' As Integer 
intPos = InStr(Request.ServerVariables (&quot;ALL_HTTP&quot;), &quot;HTTP_COOKIE&quot;) 
If (intPos > 0) Then 
   'cookies enabled
Else 
   'response.redirect to page that explain the fact of life.
End If 
%>

Kudos to Eric on 4guysFromRolla.com

The reason I say to put this on all pages OTHER than the first page, is that it only works AFTER a cookie has been issued to their broswer (e.g. the ASP session cookie). To see what I mean, try this.

<%
Dim intPos ' As Integer
intPos = InStr(Request.ServerVariables (&quot;ALL_HTTP&quot, &quot;HTTP_COOKIE&quot
If (intPos > 0) Then
response.write &quot;Cookies enabled... &quot;
Else
response.write &quot;Cookies disabled ...&quot;
End If
response.write &quot;<br>FYI: ServerVariables=&quot; & Request.ServerVariables (&quot;ALL_HTTP&quot
%>

The page initially (fresh browser instance) always reports &quot;Cookies disabled ...&quot;. A subsequent refresh shows not only the presence of &quot;HTTP_COOKIE&quot; but what follows it is the ASP session cookie content. If subsequently turn cookie processin off in your browser, you'll see that token dissapear from the All_HTTP string.

 

[AlaskanDad]

I've got an add-on to this thread: Are there any online picture-based tutorials to SHOW how to turn on cookies for session variables to work?

My site requires the use of session variables and I run into the &quot;my cookies are off&quot; problem quite a bit. However, most of the answers above left off with something to the effect of &quot;Fix your cookies and THEN come talk to me.&quot;

My clientele is made up of mostly soccer moms. It's pretty easy to diagnose the problem. It's also easy to TELL them to fix it themselves (easy way out). My challenge: get them to fix their own browsers. If they don't, they don't use my site, I don't get paid. Getting paid is a good thing.

Does anyone have any suggestions for online picture-based tutorials? Pictures help as I'm working with folks who tell me they're using Microsoft Windows ME when I ask them which version of Internet Explorer they're using.

-Rob

 

[onpnt]

Hi there,
I would have to say write your own. go download snagit and jsut step through the process while snagging images of the actual screens. I used this for a work related procedure and it seemed to work real well.


____________________________________________________
[sub]The most important part of your thread is the subject line.
Make it clear and about the topic so we can find it later for reference. Please!! faq333-3811[/sub]

http://www.onpntwebdesigns.com

 

[Genimuse]

Many sites have apparently already described the process for multiple browsers:

http://www.google.com/search?hl=en&lr=&ie=UTF-8&oe=UTF-8&q=turn+cookies+netscape+explorer

 

[shaddow]

I knw that IE4 had a problem if you set the cookie path parameter, so I think this could be a problem in IE6, and not the cookie path parameter but others cookie parameters also

And as Vasah20 sayed if you want Session try to use SessionID as a link parameter and then set it to each ASP you want to use that Session. I'm not entirely shure it will work on ASP, but i knw it works on PHP.

________
George, M