ways of maintaining HTTP state without sessions or cookies
Moderator: General Moderators
-
crazytopu
- Forum Contributor
- Posts: 259
- Joined: Fri Nov 07, 2003 12:43 pm
- Location: London, UK
- Contact:
ways of maintaining HTTP state without sessions or cookies
Hi there,
This is an interesting topic. I am working on a project as per my supervisor's guidelines. He suggested that I look out for options whereby a connection between pages can be maintained without using PHP sessions or cookies. I have used the GET and POST methods but wonder if you know of any other ways to get the same job done.
Much appreciated
-
alex.barylski
- DevNet Evangelist
- Posts: 6267
- Joined: Tue Dec 21, 2004 5:00 pm
- Location: Winnipeg
There are other ways, sure, but the principles are basically the same.
Cookies allow client side persistence, whereas sessions are server side. Instead of using PHP built in sessions support, you could write your own or override the default session storage to use a database instead of files.
Why wouldn't you just use SESSIONS though? I have only worked on maybe a dozen servers which didn't have SESSIONS configured properly; these were Windows machines which needed slight adjustment.
SESSIONS support is probably available 99.9999% of the time, making it almost useless to use any other method.
Why are you required to use something other than sessions?
- RobertGonzalez
- Site Administrator
- Posts: 14293
- Joined: Tue Sep 09, 2003 6:04 pm
- Location: Fremont, CA, USA
The only other remotely reliable way to maintain state between requests is to use a querystring identifier from request to request, then store that identifier somewhere on the server that keys it to certain snippets of the session.
Of course, that is exactly what PHP sessions do, so why you want to reinvent the wheel is beyond me, but that is the essence of it.
-
crazytopu
- Forum Contributor
- Posts: 259
- Joined: Fri Nov 07, 2003 12:43 pm
- Location: London, UK
- Contact:
Everah and Hockey,
Thank you guys for your reply. To be honest with you, I have worked with sessions and loved them. My supervisor still insists that I use either query strings or hidden HTML fields to maintain state from request to request. Now I am seriously thinking of making use of sessions. But this is a Masters dissertation, and my supervisor needs to be convinced (so far he is not so happy with sessions; he thinks a session has a time status, and session variables die out with time).
He wants a system that allows a user to come back and use the same URL (given during their order processing) and still view their shopping cart's contents no matter how long after they have come back to the site. The URL will ideally be on their electronic invoice, which they can print out (the point is they will have access to the URL). I have the restriction of using the database design suggested by him, so not enough freedom to be able to store that URL in the given design.
So, this is a bit complicated. I know I cannot convince him to use cookies (big privacy issue), but in support of sessions and the problem I have mentioned above, if you have any answer, even if a line or two, please do not hesitate to post.
Another little thing: would anybody be interested in 'walking through' my Tinycart API? (It is open source software; one day it might possibly be like zen-cart or agora cart.) The API is not long or anything complicated, but I can use this feedback to include in my report writing.
Many thanks for your help again.
- RobertGonzalez
- Site Administrator
- Posts: 14293
- Joined: Tue Sep 09, 2003 6:04 pm
- Location: Fremont, CA, USA
Sessions do have time limitations, but these can be easily worked through. The lack of security involved in relying on a querystring or form field is astounding. Even suggesting such a thing is odd.
Sessions, at their very core, are either going to set a cookie with the session id or, if the cookie cannot be set, will pass to the querystring the session id so that it is carried throughout the app. But this is really a bad design requirement when there are tools available for this.
And as far as being able to come back anytime you want in the future and see where you were when you left off just by visiting a URL... well, that is only going to happen with cookies. Unless you require your users to log in, in which case you can store data tied to their login and recall it when they log in again.
Good luck with your project. This might not have a happy ending if you stay under the requirements you are under.
-
crazytopu
- Forum Contributor
- Posts: 259
- Joined: Fri Nov 07, 2003 12:43 pm
- Location: London, UK
- Contact:
RobertGonzalez wrote:
Sessions do have time limitations, but these can be easily worked through.

Can you point me to any article?
http://www.developerfusion.co.uk/show/2234/ - here is one that discusses the pros and cons of sessions. I am just reading it now.
- feyd
- Neighborhood Spidermoddy
- Posts: 31559
- Joined: Mon Mar 29, 2004 3:24 pm
- Location: Bothell, Washington, USA
Well... the garbage collector, by default, kills "stale" sessions. A good thing, and a not so good thing, depending on how stale you wish to allow sessions to get. The default threshold for stale isn't all that long (24 minutes); however, the garbage collector only runs every so often.
I prefer to shift sessions to my control. Under a database they are shifted away from file-based, which can be far easier to compromise on improperly set up hosts.
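As an added example that is not from the thread (and not Tinycart code), this is the arrangement both RobertGonzalez's earlier post (an identifier carried from request to request, keyed to a server-side store) and feyd's post describe: PHP's own session machinery, with storage moved out of the file system into a database table under a lifetime we choose, and the session id carried in the query string because the thread rules out cookies. It assumes PHP 8.0 or later with the PDO SQLite driver; the table name "php_sessions", the 30-day lifetime and the sample cart item are choices made for the demonstration, not PHP defaults.

```php
<?php
// Added example, not code from the thread: keep PHP's session machinery but
// move storage to a database table with a lifetime we set, instead of files in
// /tmp that the default garbage collector reaps after session.gc_maxlifetime.
// Assumes PHP >= 8.0 with PDO's SQLite driver; the table name "php_sessions"
// and the 30-day lifetime are choices for this demonstration, not PHP defaults.

final class DbSessionHandler implements SessionHandlerInterface, SessionUpdateTimestampHandlerInterface
{
    public function __construct(private PDO $db, private int $lifetime) {}

    public function open(string $path, string $name): bool
    {
        $this->db->exec('CREATE TABLE IF NOT EXISTS php_sessions (
            id TEXT PRIMARY KEY, data BLOB NOT NULL, expires INTEGER NOT NULL)');
        return true;
    }

    public function close(): bool
    {
        return true;
    }

    // PHP expects '' (not false) when nothing is stored under this id.
    public function read(string $id): string|false
    {
        $st = $this->db->prepare('SELECT data FROM php_sessions WHERE id = ? AND expires > ?');
        $st->execute([$id, time()]);
        $data = $st->fetchColumn();
        return $data === false ? '' : $data;
    }

    public function write(string $id, string $data): bool
    {
        $st = $this->db->prepare('INSERT OR REPLACE INTO php_sessions (id, data, expires) VALUES (?, ?, ?)');
        return $st->execute([$id, $data, time() + $this->lifetime]);
    }

    public function destroy(string $id): bool
    {
        return $this->db->prepare('DELETE FROM php_sessions WHERE id = ?')->execute([$id]);
    }

    // Called by PHP's collector; expiry lives in each row, so $max_lifetime is unused.
    public function gc(int $max_lifetime): int|false
    {
        $st = $this->db->prepare('DELETE FROM php_sessions WHERE expires <= ?');
        $st->execute([time()]);
        return $st->rowCount();
    }

    // With session.use_strict_mode=1 PHP asks whether an incoming id exists before
    // using it, so an attacker cannot plant an id of their choosing (session fixation).
    public function validateId(string $id): bool
    {
        $st = $this->db->prepare('SELECT 1 FROM php_sessions WHERE id = ? AND expires > ?');
        $st->execute([$id, time()]);
        return $st->fetchColumn() !== false;
    }

    // Slide the expiry forward on requests that read but do not change the data.
    public function updateTimestamp(string $id, string $data): bool
    {
        $st = $this->db->prepare('UPDATE php_sessions SET expires = ? WHERE id = ?');
        return $st->execute([time() + $this->lifetime, $id]);
    }
}

// --- wiring it up ------------------------------------------------------------
$db = new PDO('sqlite::memory:');            // a deployment points this at its real DB
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$thirtyDays = 30 * 24 * 60 * 60;

session_set_save_handler(new DbSessionHandler($db, $thirtyDays), true);
ini_set('session.gc_maxlifetime', (string) $thirtyDays);  // keep PHP's collector in step
ini_set('session.use_strict_mode', '1');                   // makes validateId() effective

// The thread's "no cookies" constraint: carry the id in the query string instead.
// This is the weaker option (ids leak through Referer headers and shared links),
// so only do it when cookies really are ruled out.
ini_set('session.use_cookies', '0');
ini_set('session.use_only_cookies', '0');
ini_set('session.use_trans_sid', '1');

session_start();
$_SESSION['cart'][] = ['sku' => 'ABC-1', 'qty' => 2];  // constructed sample data
session_write_close();
```

session.use_trans_sid is what PHP falls back to when the cookie cannot be set, and it carries a real cost: the id ends up in bookmarks, Referer headers and, in the scenario from this thread, on a printed invoice, so anyone who obtains the URL owns the cart. use_strict_mode together with validateId() at least stops an attacker from choosing the id in advance. For the "come back any time" requirement the row only has to outlive the chosen lifetime, which is why the expiry is stored per row rather than left to the file-based collector.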
crazytopu wrote:
Hidden HTML field does the same thing, doesn't it? The user can't edit its value.

He can! That's why you need a second hidden field - the HMAC value - it is the "fingerprint" of your data, generated by using a server-side secret key.
There are 10 types of people in this world, those who understand binary and those who don't
An example of an HMAC function:

function hmac($algo, $data, $passwd)
{
    /* md5 and sha1 only */
    $algo = strtolower($algo);
    // pack() formats that turn each hash's hex output back into raw bytes
    $p = array('md5'=>'H32','sha1'=>'H40');
    // a key longer than the 64-byte block size is hashed first...
    if(strlen($passwd) > 64) $passwd=pack($p[$algo], $algo($passwd));
    // ...then any short key is padded with NUL bytes up to the block size
    if(strlen($passwd) < 64) $passwd=str_pad($passwd, 64, chr(0));
    $ipad = substr($passwd, 0, 64) ^ str_repeat(chr(0x36), 64);
    $opad = substr($passwd, 0, 64) ^ str_repeat(chr(0x5C), 64);
    // HMAC = H(K xor opad . H(K xor ipad . data)), returned as hex
    return($algo($opad.pack($p[$algo], $algo($ipad.$data))));
}
Last edited by VladSun on Tue Mar 10, 2009 5:28 pm, edited 1 time in total.
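A worked example of what VladSun describes, added here (it is not VladSun's code and not part of Tinycart): the cart state goes into one hidden field and its HMAC into a second, so the client can read the state but any edit is detected on the next request. It uses PHP's built-in hash_hmac() with SHA-256 in place of the hand-rolled md5/sha1 function above, and hash_equals() for the comparison. The field names, the secret value and the sample cart are stand-ins made up for the demonstration; it assumes PHP 7.1 or later.

```php
<?php
// Added example, not VladSun's code: cart state travels in one hidden field and
// its HMAC in a second, so the client can read the state but any edit is detected.
// Assumes PHP >= 7.1. The secret, field names and sample cart are stand-ins for
// the demonstration; a real secret is loaded from configuration outside the web
// root and is never written into a page.

const FIELD_STATE = 'cart_state';
const FIELD_MAC   = 'cart_mac';

// Encode the state so it survives HTML and the request, then MAC the encoding.
function signState(array $state, string $secret): array
{
    $payload = base64_encode(json_encode($state));
    $mac = hash_hmac('sha256', $payload, $secret);   // hex string, 64 chars
    return [FIELD_STATE => $payload, FIELD_MAC => $mac];
}

// Return the state if the MAC is valid, or null when the fields are missing,
// altered, or were signed under a different key.
function verifyState(array $request, string $secret): ?array
{
    if (!isset($request[FIELD_STATE], $request[FIELD_MAC])) {
        return null;
    }
    $expected = hash_hmac('sha256', (string) $request[FIELD_STATE], $secret);
    // Constant-time compare: an early-exit string comparison would let an
    // attacker learn the MAC one byte at a time from response timing.
    if (!hash_equals($expected, (string) $request[FIELD_MAC])) {
        return null;
    }
    $raw = base64_decode((string) $request[FIELD_STATE], true);
    if ($raw === false) {
        return null;
    }
    $state = json_decode($raw, true);
    return is_array($state) ? $state : null;
}

// Render the two hidden inputs for the next form, HTML-escaped.
function hiddenFields(array $fields): string
{
    $html = '';
    foreach ($fields as $name => $value) {
        $html .= sprintf(
            "<input type=\"hidden\" name=\"%s\" value=\"%s\">\n",
            htmlspecialchars($name, ENT_QUOTES, 'UTF-8'),
            htmlspecialchars($value, ENT_QUOTES, 'UTF-8')
        );
    }
    return $html;
}

// --- demonstration with constructed data ------------------------------------
$secret = 'stand-in secret: use 32 bytes from random_bytes() in practice';
$cart   = ['items' => [['sku' => 'ABC-1', 'qty' => 2]], 'issued' => 1236700000];

$fields = signState($cart, $secret);
echo hiddenFields($fields);

// A normal submit returns the fields unchanged.
echo verifyState($fields, $secret) === $cart
    ? "unchanged submit accepted\n"
    : "unexpected rejection\n";

// A user who edits the quantity in the hidden field invalidates the MAC.
$tampered = $fields;
$tampered[FIELD_STATE] = base64_encode(json_encode(
    ['items' => [['sku' => 'ABC-1', 'qty' => 200]], 'issued' => 1236700000]
));
echo verifyState($tampered, $secret) === null
    ? "tampered submit rejected\n"
    : "tampering not detected\n";
```

The MAC gives integrity only. The user can still read the cart (no confidentiality), and can replay any older signed state they were ever given, so anything that must not be replayed (a price, a discount) needs the embedded timestamp or a nonce checked server side. It also does nothing for the "come back weeks later via a URL" requirement, which still needs a server-side store; what it does is make the supervisor's hidden-field constraint defensible against the objection raised in this thread, that the user can edit the field.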