Starting out - learned a little - want to know about session cookies.

Presumably session cookies only work when the user's browser has enabled cookies(?).

If you want to maintain a login session for browsers with cookies disabled, how do you do that?

(I can imagine one way - send the user name with every request - but this seems overkill and a little insecure.)

Cheers,

usmhot

I see it this way, if user has cookies disabled then their loss!

If you want to maintain a login session for browsers with cookies disabled, how do you do that?

(I can imagine one way - send the user name with every request - but this seems overkill and a little insecure.)That's exactly the alternative. It's called URL rewriting in Java and probably elsewhere. What you send, though, is the session ID rather than the authenticated user ID.

If you use a server side language such as PHP then you can create a session to hold the information that needs to be passed from page to page on the server. A session id needs to be passed client side as well and this is done using a session cookie if cookies are enabled. If cookies are not enabled then the session id is passed between pages in the query string instead. The rest of the information is held on the server so only a very small amount of information actually needs to be passed between pages in order to keep track of which info on the server belongs to which client.

Thanks for those replies.

One other thought - can you go down to lower layers to get the IP address (or some such other identifying info)? It strikes me that this would be more reliable and secure.

However, given the (aparent) ease of using session cookies, is it the case that there are so few people who disable cookies (at all levels, including ancient pcs with old browsers or pcs in web cafes) that I can effectively ignore that problem?

usmhot