Saving Browser State without Cookies

Gustavo Cordova gcordova at
Fri Feb 8 10:28:01 EST 2002

I've use two ways to pass session-ident-cookies without
using browser cookies:

1. Append "/xxxxxxx" to all program URIs, and retrieve that
   information via the PATH_INFO environment variable.

2. Send all form parameters via POST, and append "?xxxxxx"
   to the form's action URI; retrieve all parameters using
   a POST processor, and the session identifier is in QUERY_STRING.

But, most cgi packages are quite lame, the mash together
all POST and QUERY_STRING parameters, so you end up having to
modify them.

Also, IIS has trouble with PATH_INFO, you can't give it
a URI like:

because it'll search for a file "uusjw2233" in a directory
called "ackktthp.asp", which is not what you want. I've
used this successfully in Apache though, which correctly
passes "/uusjw2233" in the PATH_INFO parameter, to the
"ackktthp.cgi" program (no ASPs in Apache for me).

Ah! I've seen another one, but not everywhere.

You *could* use Apache's capabilities to remap URIs,
and construct URIs like this:

And you remap the ./xxxxxxxx/ directory to point to
the real application directory. When a user logs on,
you create the mapping, and when he logs off (or his
session expires) you destroy the mapping. Then, using
some judicious cutting (or regexing) you can extract
the session identifier (the "xxxxxx").

Another way is to use, if you have access to, a "wildcard"
domain, where anything of the form: ....

gets sent to:

you can parse the host name used, and obtain from there
the session identifier. I wouldn't know how to configure
the DNS for that though, but it's an idea.

So, choose your poison:

1. Client-side cookie.
2. Use POST params, and QUERY_STRING session identifier.
3. Use POST and GET params, and PATH_INFO session identifier.
4. Use a hidden form parameter.
5. Use a virtual directory mapping (apache?)
6. Use a "wildcard domain".

Others can give you more info.

Good luck!


More information about the Python-list mailing list