HTTP state management without cookies?
Jonathan Gardner
jgardn at alumni.washington.edu
Tue Feb 19 18:31:44 EST 2002
Lutz Schroeer wrote:
> Jumping from one script to the other I need to remember at least the
> user's name. The W3C recommends using cookies (RFC 2109). Unfortunately
> many people don't like cookies and filter them using WebWasher or a
> personal firewall.
>
> Is there any other technique for keeping the user's data while he is using
> my site without installing any large suite as Zope or the like? I've read
> an article about utilizing soft links but I didn't quite get the point.
>
A technique that I've tried and has been successful is to use some kind of
temporary UID. You have to be sure and pass it as a parameter to each
script the guy accesses however. You also have to have some kind of
expiration (within hours) and silently replace it as they progress.

The site had a login page. As soon as you logged in, it would set a cookie
and add the uid= param. It would always try to read the cookie, but failing
that, it would revert to the information connected to the uid. After a few
hours, it would ask the guy to log in again, but I found that this was rare.

There are security problems. I tried to force the guy to be coming from one
unique IP address, but I found that too many places have firewalls or
something that change the IP address of the user each time they access the
page, so I had to abandon that.

As with any method, it involves a fair bit of experimentation.

The easy way is still cookies. Tell the user to turn on cookies, tell them
what you are storing on the cookie, tell them it is temporary, or whatnot,
but you end up using cookies as the most reliable way of keeping state.

Jonathan
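
The temporary-uid scheme described in the reply above, as an added example that is not part of the original post: a server-side table keyed by a random uid, with a hard expiry and silent replacement of the uid as the user moves between scripts. The names SessionStore and with_uid, the two-hour lifetime and the ten-minute rotation interval are assumptions made for illustration.

```python
import secrets
import time
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed values; the post only says "within hours".
SESSION_TTL = 2 * 60 * 60      # hard limit, then the user logs in again
ROTATE_AFTER = 10 * 60         # silently swap the uid this often


class SessionStore:
    """Server-side table mapping a temporary uid to the logged-in user."""

    def __init__(self, ttl=SESSION_TTL, rotate_after=ROTATE_AFTER, clock=time.time):
        self._sessions = {}    # uid -> {"user", "expires", "issued"}
        self._ttl, self._rotate_after, self._clock = ttl, rotate_after, clock

    def login(self, username):
        """Call after the password check; returns the uid to put in links."""
        now = self._clock()
        return self._issue(username, expires=now + self._ttl, now=now)

    def _issue(self, username, expires, now):
        uid = secrets.token_urlsafe(32)   # unguessable, unlike a counter
        self._sessions[uid] = {"user": username, "expires": expires, "issued": now}
        return uid

    def resolve(self, uid):
        """Return (user, uid_for_next_links), or (None, None) -> show login."""
        rec = self._sessions.get(uid)
        now = self._clock()
        if rec is None:
            return None, None
        if now >= rec["expires"]:
            del self._sessions[uid]
            return None, None
        if now - rec["issued"] >= self._rotate_after:
            # A uid in a URL leaks via logs, bookmarks and Referer headers,
            # so retire the old one and hand out a replacement.
            del self._sessions[uid]
            uid = self._issue(rec["user"], rec["expires"], now)
        return rec["user"], uid


def with_uid(url, uid):
    """Rewrite a link so the next script receives the current uid."""
    parts = urlsplit(url)
    query = [(k, v) for k, v in parse_qsl(parts.query) if k != "uid"]
    query.append(("uid", uid))
    return urlunsplit(parts._replace(query=urlencode(query)))
```

Each script calls resolve() on the incoming uid and then runs every link it emits through with_uid() using the uid that resolve() returned, which is how the replacement stays invisible to the user.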