Saving Browser State without Cookies

Paul Rubin phr-n2002a at
Fri Feb 8 01:55:42 CET 2002

"Steve Holden" <sholden at> writes:
> However, *if* PHP allows you to associate requests with session state, then
> *either*:
> a) it does use cookies, you just don't know about them, or
> b) it puts session references in the URL.
> There simply isn't any other available mechanism. So maybe what you're
> looking for is an interface that hides the cookie implementation from the
> programmer?

There are several other ways to track session:

- Hidden form fields populated by the server
- User data persistence (a messy and evil IE-specific cookie-like data store)
- SSL session identifier (beware, not guaranteed to be persistent)
- Put session tag in the URL of a surrounding or internal frame, and
  retrieve the tag with client side javascript (pass back to server via
  hidden form field).  That's a variant of the URL scheme but keeps the
  session tags out of the navigation bar.
- Maybe other stuff I haven't thought of
- Client side browser extensions can use various schemes of their own

The most important thing is not to send server-confidential information
like database passwords to the client under any circumstances, and do NOT
eval stuff that the client sends to the server (someone had suggested
a scheme like that).  Also, don't use the pickle module or the default
("smart") cookie objects from the cookie module to build cookie strings.

More information about the Python-list mailing list