Velocity Reviews - Computer Hardware Reviews


Eternal Debate: Cookies vs. Sessions vs. QueryString

 
 
Paul
Guest
Posts: n/a
 
      12-09-2005
Here is a question that should get everyone going.

I have an ecommerce site where I need to pass the order_id to every page. So
which method is the best practice to pass this variable between pages:
Cookies or Session variable or by the HTTP header (either GET querystring or
POST form)?

I do not like to use sessions because they time out after 20 minutes of
inactivity.

I do not like to use cookies because the user can disable the use of cookies
through their browser settings.

I am not big on the querystring/form method but it looks like it might be
the safest way to ensure the app will not break.

Is there a document which talks about the best practice to do this?

TIA.
 
 
 
 
 
zoli
Guest
Posts: n/a
 
      12-09-2005

Paul wrote:
> Here is a question that should get everyone going.
>
> I have an ecommerce site where I need to pass the order_id to every page. So
> which method is the best practice to pass this variable between pages:
> Cookies or Session variable or by the HTTP header (either GET querystring or
> POST form)?
>
> I do not like to use sessions because they time out after 20 minutes of
> inactivity.
>
> I do not like to use cookies because the user can disable the use of cookies
> through their browser settings.
>
> I am not big on the querystring/form method but it looks like it might be
> the safest way to ensure the app will not break.
>
> Is there a document which talks about the best practice to do this?
>
> TIA.


 
 
 
 
 
zoli
Guest
Posts: n/a
 
      12-09-2005
Paul, have a look at this (it is from the w3schools site)
http://www.w3schools.com/asp/asp_cookies.asp

It might be the answer you are looking for?


What if a Browser Does NOT Support Cookies?
---------------------------------------------------------------------
If your application deals with browsers that do not support cookies,
you will have to use other methods to pass information from one page to
another in your application. There are two ways of doing this:

1. Add parameters to a URL
You can add parameters to a URL:

<a href="welcome.asp?fname=John&lname=Smith">
Go to Welcome Page</a>

And retrieve the values in the "welcome.asp" file like this:

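<%
' HTML-encode the request values before writing them into the page
fname=Server.HTMLEncode(Request.querystring("fname"))
lname=Server.HTMLEncode(Request.querystring("lname"))
response.write("<p>Hello " & fname & " " & lname & "!</p>")
response.write("<p>Welcome to my Web site!</p>")
%>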

2. Use a form
You can use a form. The form passes the user input to "welcome.asp"
when the user clicks on the Submit button:

<form method="post" action="welcome.asp">
First Name: <input type="text" name="fname" value="">
Last Name: <input type="text" name="lname" value="">
<input type="submit" value="Submit">
</form>

Retrieve the values in the "welcome.asp" file like this:

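<%
' HTML-encode the posted values before writing them into the page
fname=Server.HTMLEncode(Request.form("fname"))
lname=Server.HTMLEncode(Request.form("lname"))
response.write("<p>Hello " & fname & " " & lname & "!</p>")
response.write("<p>Welcome to my Web site!</p>")
%>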

 
 
Kevin Spencer
Guest
Posts: n/a
 
      12-09-2005
Hi Paul,

Passing an order_id to every page could be a problem, as a hacker could use
the order_id to perform various types of nefarious operations, depending
upon how well you defend your app. Cookies can be a problem. Even Session
Cookies can be a problem, but most browsers allow Session Cookies. I would
recommend using Session, as it keeps all the private data on the server.
Just make sure and account for a timed-out Session.

--
HTH,

Kevin Spencer
Microsoft MVP
.Net Developer
You can lead a fish to a bicycle,
but you can't make it stink.

"Paul" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Here is a question that should get everyone going.
>
> I have an ecommerce site where I need to pass the order_id to every page. So
> which method is the best practice to pass this variable between pages:
> Cookies or Session variable or by the HTTP header (either GET querystring or
> POST form)?
>
> I do not like to use sessions because they time out after 20 minutes of
> inactivity.
>
> I do not like to use cookies because the user can disable the use of cookies
> through their browser settings.
>
> I am not big on the querystring/form method but it looks like it might be
> the safest way to ensure the app will not break.
>
> Is there a document which talks about the best practice to do this?
>
> TIA.



 
 
Elton W
Guest
Posts: n/a
 
      12-09-2005
Hi Kevin,

If it is in a web farm, can the session be retrieved on a different machine?

Thanks,


Elton Wang

"Kevin Spencer" wrote:

> Hi Paul,
>
> Passing an order_id to every page could be a problem, as a hacker could use
> the order_id to perform various types of nefarious operations, depending
> upon how well you defend your app. Cookies can be a problem. Even Session
> Cookies can be a problem, but most browsers allow Session Cookies. I would
> recommend using Session, as it keeps all the private data on the server.
> Just make sure and account for a timed-out Session.
>
> --
> HTH,
>
> Kevin Spencer
> Microsoft MVP
> .Net Developer
> You can lead a fish to a bicycle,
> but you can't make it stink.
>
> "Paul" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
> > Here is a question that should get everyone going.
> >
> > I have an ecommerce site where I need to pass the order_id to every page. So
> > which method is the best practice to pass this variable between pages:
> > Cookies or Session variable or by the HTTP header (either GET querystring or
> > POST form)?
> >
> > I do not like to use sessions because they time out after 20 minutes of
> > inactivity.
> >
> > I do not like to use cookies because the user can disable the use of cookies
> > through their browser settings.
> >
> > I am not big on the querystring/form method but it looks like it might be
> > the safest way to ensure the app will not break.
> >
> > Is there a document which talks about the best practice to do this?
> >
> > TIA.

>
>
>

 
 
Paul
Guest
Posts: n/a
 
      12-12-2005
Why are cookies a problem?

When you say "Make sure you account for a timed-out session", what do you
mean? If I store the variable in a session variable, and the session times
out, then I lose the order. Even if I do a check to see if the session timed
out, it still means that the order will be invalid because I will have lost
the order id?

I like session variables also but I have a problem with the timeout.

I think cookies are the best solution, why do you think they are a problem?



"Kevin Spencer" wrote:

> Hi Paul,
>
> Passing an order_id to every page could be a problem, as a hacker could use
> the order_id to perform various types of nefarious operations, depending
> upon how well you defend your app. Cookies can be a problem. Even Session
> Cookies can be a problem, but most browsers allow Session Cookies. I would
> recommend using Session, as it keeps all the private data on the server.
> Just make sure and account for a timed-out Session.
>
> --
> HTH,
>
> Kevin Spencer
> Microsoft MVP
> .Net Developer
> You can lead a fish to a bicycle,
> but you can't make it stink.
>
> "Paul" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
> > Here is a question that should get everyone going.
> >
> > I have an ecommerce site where I need to pass the order_id to every page. So
> > which method is the best practice to pass this variable between pages:
> > Cookies or Session variable or by the HTTP header (either GET querystring or
> > POST form)?
> >
> > I do not like to use sessions because they time out after 20 minutes of
> > inactivity.
> >
> > I do not like to use cookies because the user can disable the use of cookies
> > through their browser settings.
> >
> > I am not big on the querystring/form method but it looks like it might be
> > the safest way to ensure the app will not break.
> >
> > Is there a document which talks about the best practice to do this?
> >
> > TIA.

>
>
>

 
 
m.posseth
Guest
Posts: n/a
 
      12-12-2005
Hello Paul,


Cookies are a problem in this situation because they have a size limit (to
be exact 4096 bytes, which means that you can store a string of 255
characters max).

You can extend the session timeout if you feel that 20 minutes of inactivity
(= default) is too short to close the session.

What I also do in my programs is store info in hidden form fields.

See this website for an example of how session vars would work:
http://www.bildelskatalogen.se/ (Swedish, but it is pretty clear)


regards

Michel Posseth [MCP]





"Paul" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Why are cookies a problem?
>
> When you say "Make sure you account for a timed-out session", what do you
> mean? If I store the variable in a session variable, and the session times
> out, then I lose the order. Even if I do a check to see if the session timed
> out, it still means that the order will be invalid because I will have lost
> order id?
>
> I like session variables also but I have a problem with the timeout.
>
> I think cookies are the best solution, why do you think they are a problem?
>
>
>
> "Kevin Spencer" wrote:
>
>> Hi Paul,
>>
>> Passing an order_id to every page could be a problem, as a hacker could use
>> the order_id to perform various types of nefarious operations, depending
>> upon how well you defend your app. Cookies can be a problem. Even Session
>> Cookies can be a problem, but most browsers allow Session Cookies. I would
>> recommend using Session, as it keeps all the private data on the server.
>> Just make sure and account for a timed-out Session.
>>
>> --
>> HTH,
>>
>> Kevin Spencer
>> Microsoft MVP
>> .Net Developer
>> You can lead a fish to a bicycle,
>> but you can't make it stink.
>>
>> "Paul" <(E-Mail Removed)> wrote in message
>> news:(E-Mail Removed)...
>> > Here is a question that should get everyone going.
>> >
>> > I have an ecommerce site where I need to pass the order_id to every page. So
>> > which method is the best practice to pass this variable between pages:
>> > Cookies or Session variable or by the HTTP header (either GET querystring or
>> > POST form)?
>> >
>> > I do not like to use sessions because they time out after 20 minutes of
>> > inactivity.
>> >
>> > I do not like to use cookies because the user can disable the use of cookies
>> > through their browser settings.
>> >
>> > I am not big on the querystring/form method but it looks like it might be
>> > the safest way to ensure the app will not break.
>> >
>> > Is there a document which talks about the best practice to do this?
>> >
>> > TIA.

>>
>>
>>
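
The tampering risk Kevin Spencer raises, together with the session-timeout and hidden-form-field points in the later replies, can be illustrated with a signed, expiring token that the server verifies before it trusts an order_id coming back from a cookie, hidden field or query string. This is an added example, not code from any poster in the thread; `OrderToken`, the demo key, the user ids and the `orderId|userId|expiry|MAC` layout are assumptions, it targets modern .NET (C# 8 or later), and it assumes user ids never contain `|`.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not from the thread. All names and values here are hypothetical.
static class OrderToken
{
    // Constructed demo key; a real application loads a random secret from protected configuration.
    static readonly byte[] Key = Encoding.UTF8.GetBytes("demo-key-constructed-for-this-example");

    static string Sign(string payload)
    {
        using var hmac = new HMACSHA256(Key);
        return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(payload)));
    }

    // Token layout (assumed): orderId|userId|expiryUnixSeconds|base64(HMAC-SHA256 of the first three).
    public static string Issue(int orderId, string userId, DateTimeOffset expires)
    {
        string payload = $"{orderId}|{userId}|{expires.ToUnixTimeSeconds()}";
        return payload + "|" + Sign(payload);
    }

    // Returns the order id only if the MAC verifies, the token has not expired and it was
    // issued to the user the server has authenticated; returns null in every other case.
    public static int? Validate(string token, string authenticatedUser, DateTimeOffset now)
    {
        string[] p = (token ?? "").Split('|');
        if (p.Length != 4) return null;
        byte[] expected = Encoding.UTF8.GetBytes(Sign($"{p[0]}|{p[1]}|{p[2]}"));
        byte[] supplied = Encoding.UTF8.GetBytes(p[3]);
        if (!CryptographicOperations.FixedTimeEquals(expected, supplied)) return null;
        if (!long.TryParse(p[2], out long exp) || now.ToUnixTimeSeconds() > exp) return null;
        if (p[1] != authenticatedUser) return null;
        return int.TryParse(p[0], out int id) ? id : (int?)null;
    }
}

static class Program
{
    static void Main()
    {
        var now = DateTimeOffset.UtcNow;
        string token = OrderToken.Issue(1001, "alice", now.AddHours(2));
        Console.WriteLine(OrderToken.Validate(token, "alice", now));                                 // untouched token
        Console.WriteLine(OrderToken.Validate(token.Replace("1001", "1002"), "alice", now) is null); // edited order id
        Console.WriteLine(OrderToken.Validate(token, "mallory", now) is null);                       // another user's token
        Console.WriteLine(OrderToken.Validate(token, "alice", now.AddHours(3)) is null);             // past its expiry
    }
}
```

The token's lifetime is independent of the 20-minute session timeout, and the order contents themselves stay on the server, looked up by the validated id.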



 