AW: [Zope] Cookieless Session Management

Germer, Carsten carsten.germer@desy.de
Wed, 9 Apr 2003 10:03:18 +0200


Hi there, just a quick note on the subject.
Cookieless session management can store the session ID in hidden form
elements, URL insertions, it can use referer, browser version and IP-address,
etc. and mix all these to track the session/user. I know ZOPE
CookielessSession uses URL insertions, not sure if it uses the other tricks
as well.
The problem with cookieless session management in general is that it's less
reliable. If you use cookies you got em or not. If you use the other
techniques you _might_ run into a bunch of strange problems. URL-Insertion
with Flash or Javascript? Not always possible. IP-tracking with more than
one user behind a NAT-Router? Hardly. Users browsing your site with two
instances of the same browser on their desktop? Bummer.

I don't love cookies very much myself but if you run a site which may have
things like Flash or Javascript and especially if you run applications that
need to rely heavily on the session management (Shopping, complex
administration, login via form and not popup, etc.) I would strongly advise
to use cookies unless you know exactly what your site is doing and how.

Not really that much Zope but I hope this helps :)

/Gem

> 
> On Mon, 2003-04-07 at 18:31, hpinson@indepthl.com wrote:
> > Hi Chris-- thanks for the reference.
> > 
> > Is there some drawback to using a session model that stores session 
> > information in server memory (CookielessSession) as opposed to a
> > URL-based sessioning mechanism, like Zope uses?  
> 
> Somehow state needs to be kept between requests to implement
> sessioning.  (each request to an HTTP server is "fresh", no state is
> kept between them, this is why cookies are often used for sessioning
> because they implement a means of tracking state between requests).
> 
> I'm not sure how CookielessSession does this, but if it doesn't use
> cookies, it likely either uses query strings, hidden form elements, or
> URL insertions just like the stock Zope sessioning stuff.
> 
> > I don't know if you or anyone else has experience with the 
> > CookielessSession Product-- it seems to be much easier to use than 
> > Zope's mechanism.  It has not failed after two projects (light usage 
> > only).  
> 
> No, sorry, I don't have any experience with it.  If it works for you,
> I'd say use it!
>
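
The NAT and URL-insertion problems described in the message above, as an added Python example that is not part of the original thread and is not Zope or CookielessSession code. The class names, the `/sid=<token>` URL layout, and the sample page, address and browser string are assumptions constructed for illustration.

```python
import re
import secrets

# Constructed sample page: one static link, one URL built by script.
PAGE = '<a href="/cart">Cart</a><script>location = \'/checkout\';</script>'

class FingerprintSessions:
    """Hypothetical cookieless tracker keyed on IP address + browser version."""
    def __init__(self):
        self.store = {}
    def session_for(self, ip, user_agent):
        return self.store.setdefault((ip, user_agent), {"cart": []})

class TokenSessions:
    """Tracker keyed on a random per-client token (cookie or URL insertion)."""
    def __init__(self):
        self.store = {}
    def new_token(self):
        token = secrets.token_hex(16)
        self.store[token] = {"cart": []}
        return token
    def session_for(self, token):
        return self.store[token]

def nat_collision():
    """Two users behind one NAT router running the same browser build."""
    ip, ua = "192.0.2.10", "Mozilla/4.0 (compatible; MSIE 6.0)"  # constructed
    fp = FingerprintSessions()
    fp.session_for(ip, ua)["cart"].append("alice-item")  # Alice shops
    bob_fingerprint_cart = fp.session_for(ip, ua)["cart"]  # Bob arrives
    tok = TokenSessions()
    alice, bob = tok.new_token(), tok.new_token()
    tok.session_for(alice)["cart"].append("alice-item")
    return bob_fingerprint_cart, tok.session_for(bob)["cart"]

HREF = re.compile(r'href="(/[^"]*)"')

def insert_token(html, token):
    """URL insertion: rewrite static same-site hrefs to carry the token."""
    return HREF.sub(lambda m: f'href="/sid={token}{m.group(1)}"', html)

def links_missing_token(html, token):
    """Quoted site-relative URLs that the server-side rewriter never touched."""
    rewritten = insert_token(html, token)
    urls = re.findall(r'["\'](/[^"\']*)["\']', rewritten)
    return [u for u in urls if token not in u]
```

With fingerprint tracking Bob inherits Alice's cart, while per-client tokens keep the two apart. The script-built `/checkout` URL is the one that would drop the session under URL insertion.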