At 09:17 PM 2/24/00 +0100, harm wrote:
>Sure. But you should generate the session the moment someone enters the
>site. That will always work.
Unless they back up to the home page, which isn't unheard of. I suppose you
could reload the first page they hit using a meta tag after creating the
session or something but that doesn't work on all browsers either. On my
site it's a likely scenario - it's a subscription based service, and most
links from the home page make you log in. So if you click a link, log in,
read the page, and back up, you're no longer logged in without cookies.
>Hmm, we started with a shopping cart, yes. But we went to cookies, and
>session tracking, in general. The only drawback of using form variables
>instead of cookies is the fact you lose it when you leave the site. Which
>I find a big advantage.
Don't forget the back arrow issue. It's also more work developing and
debugging, and places more load on your server since you must dynamically
generate every page to include the session info in the link, even those
that aren't secured.
> > Basically, you are talking about designing a site with less functionality
> > than cookies, but this benefits (probably) less than 5% of the people out
> > there. So 95% of your users are going to potentially lose their shopping
>There isn't less functionality. The only thing you lose is your
>automatically-filled-in credit card number. Big loss.
I'm talking about potential session loss as for reduced functionality.
> > cart contents, and the other 5% might be pissed off when they see that
> > up there and realize they are being tracked.
>... but when he comes back he has a different one. How nice!
I don't think this matters, as I said you can still link sessions using
other info, and the fact is you are following their pattern within a
session and could use that info within a single session to display certain
adz or whatever.
>and think 'Wow! They respect my privacy, how nice! Next time I'll buy my
>stuff here again!'
We're talking about such a small portion of users.
In actuality, my web site uses both versions. I originally developed it
NOT using cookies and found that the session loss when a user backs up to
the home page was an egregious problem for many users. So I added a simple
cookie that stores the same code on their machine. So the page
authentication first checks for a cookie. If no cookie is found, it checks
for the session query variable. So perhaps this is the best of all
worlds... for most people, they get a cookie and it just works. For any
non cookiers it will still work unless they back up to the home page after
logging in. But if I did it again I doubt I would go through the trouble
of tracking sessions on each link.
But again, this is a subscriber service, so the privacy issue is very
different since by nature of having a login and password, we could link
sessions no matter what.
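
Added example, not part of the original message and not the poster's code: a Python sketch of the lookup order described above (cookie first, then the session query variable), with links rewritten only for visitors who sent no cookie. The name "sid", the in-memory store and the sample paths are assumptions made for illustration.

```python
import secrets
from http.cookies import CookieError, SimpleCookie
from urllib.parse import parse_qs, parse_qsl, urlencode, urlsplit, urlunsplit

SESSIONS = {}   # server-side store: session code -> subscriber (in-memory, constructed)
PARAM = "sid"   # hypothetical name used for both the cookie and the query variable

def new_session(user):
    """Create an unguessable session code at login."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = user
    return sid

def resolve_session(cookie_header, url):
    """Return (sid, source); source is 'cookie', 'query' or None."""
    jar = SimpleCookie()
    try:
        jar.load(cookie_header or "")
    except CookieError:
        pass  # malformed header: fall through to the query variable
    if PARAM in jar and jar[PARAM].value in SESSIONS:
        return jar[PARAM].value, "cookie"
    values = parse_qs(urlsplit(url).query).get(PARAM, [])
    if len(values) == 1 and values[0] in SESSIONS:
        return values[0], "query"
    return None, None

def rewrite_link(href, sid, source):
    """Carry the code in the link only for visitors who sent no cookie."""
    parts = urlsplit(href)
    if source != "query" or parts.netloc:
        return href  # cookie users need no rewrite; off-site links never get the code
    query = parse_qsl(parts.query) + [(PARAM, sid)]
    return urlunsplit(parts._replace(query=urlencode(query)))

if __name__ == "__main__":
    sid = new_session("subscriber-1")  # constructed sample user
    print(resolve_session(PARAM + "=" + sid, "/articles/1"))   # cookie path
    print(resolve_session(None, "/articles/1?sid=" + sid))     # no cookie, link carries it
    print(resolve_session(None, "/"))                          # backed up to the home page
    print(rewrite_link("/articles/2?page=2", sid, "query"))
```

The third call reproduces the back arrow case: a request for the home page with neither cookie nor query variable resolves to no session.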