Cookieless sessions, passports, or other methods

Posted: Sat Mar 26, 2011 11:17 pm
by nakins
I'm stepping up into managed user territory and I'm trying to find out what the "state of the art" is or the options are besides the usual cookies and php sessions. For my site's purpose, I'm interested in using Shibboleth and LDAP to authenticate users. I've been working on setting up the LDAP server and have it to a point where I can consider other things like sessions/user tracking, plus iframe and wap applications.

In my day job, I work with a couple of web applications from a couple of vendors that can really pull a vacuum at times. It is largely related to how they use cookies and sessions. I don't mind using first party cookies, but they are going to be problematic for iframes and cell phone apps. I thought if there was a better way to deal with all this, I might as well learn it now.

I've done a little searching on cookieless sessions, but haven't found much yet that was new or authoritative. I read a thread here that mentioned passports, but it wasn't explained.

I would really like to hear your opinions and suggestions on things I've mentioned.

Thank you

Re: Cookieless sessions, passports, or other methods

Posted: Sun Mar 27, 2011 2:48 am
by Mordred
Whatever the authentication scheme you want to use is, you have to somehow identify the user in the end. In order to do it without stepping out of the HTTP transport you have to pass the identification token on the HTTP stream. From that point of view, whether you use one-time passwords, session ids, client certificates or whatever, the token must travel in the HTTP request line (i.e. as a GET parameter), in an HTTP header (as a cookie for example) or in the body (as a POST form parameter). If some of these transport options don't suit you (e.g., a browser not supporting cookies) then choose another. If you don't like any of the three, then use another transport.
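The three transports Mordred lists, as an added example that is not from anyone in this thread: a server-side lookup that accepts an HMAC-signed session token from the Cookie header, the POST body, or the query string (in that order of preference, since tokens in URLs end up in logs, browser history and Referer headers). The request is a plain dict and the secret and user ids are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

SECRET = b"constructed-server-secret-rotate-me"  # constructed for this example


def issue_token(user_id: str) -> str:
    """Mint 'user.nonce.signature' so the server can verify it without a session store."""
    payload = f"{user_id}.{secrets.token_hex(8)}"
    sig = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def verify_token(token: str):
    """Return the user id if the signature checks out, else None."""
    try:
        user_id, nonce, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SECRET, f"{user_id}.{nonce}".encode(), hashlib.sha256).hexdigest()
    return user_id if hmac.compare_digest(sig, expected) else None


def extract_token(request: dict):
    """Find the token in header, body or request line; report which transport carried it."""
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    # 1. HTTP header: the classic cookie transport.
    for part in headers.get("cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "sid" and value:
            return value, "cookie"
    # 2. Body: a POST form field, which works for cookieless clients and iframes.
    if request.get("method") == "POST" and headers.get("content-type", "").startswith(
        "application/x-www-form-urlencoded"
    ):
        vals = parse_qs(request.get("body", "")).get("sid")
        if vals:
            return vals[0], "body"
    # 3. Request line: a GET parameter. Accept it last; URL tokens leak easily.
    vals = parse_qs(urlsplit(request.get("path", "/")).query).get("sid")
    if vals:
        return vals[0], "query"
    return None, None


def authenticate(request: dict):
    """Return (user_id, transport) for a valid token, or None if absent or tampered."""
    token, transport = extract_token(request)
    if token is None:
        return None
    user = verify_token(token)
    return (user, transport) if user else None
```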

Re: Cookieless sessions, passports, or other methods

Posted: Sun Mar 27, 2011 1:44 pm
by nakins
Thanks. That really clarified everything.