Super Badrat Poll

Log in

12:25 pm August 24th, 2006

Or connect using:

Error Username:

Error Password: Forgot password?

Remember me

Forgot password?

Create an Account




			Super Badrat Poll - I Am My Avatar Big Warm Fuzzy Public Heart

boutell


	Super Badrat Poll
	I'd like to learn more about the practicality of using session cookies in web applications. Session cookies are pieces of information stored temporarily on your web browser just for the time you spend logged in to a web site, usually to maintain your logged-in-ness without the need for awkward and obnoxious URLs and other workarounds. Poll #805634 Open to: All, detailed results viewable to: All. Participants: 41 Is your usual web browser set up to accept session cookies? View Answers Yes 32(78.0%) No 2(4.9%) I Don't Know 1(2.4%) I enable this site by site 6(14.6%) How about cookies kept for longer periods of time? View Answers Yes 24(58.5%) No 3(7.3%) I Don't Know 2(4.9%) I enable this site by site 12(29.3%) What OS do you primarily use when browsing? View Answers MacOS X 10(24.4%) Windows 24(58.5%) Some Other (Unix or Linux) 7(17.1%) Something Else Entirely 0(0.0%) Tags: geek, web

5 comments or Leave a comment


	Comments

	From: notshakespeare	Date: August 24th, 2006 04:45 pm (UTC)		(Link)

Most often I'm using IE at work. Cookies are enabled with the exception of blacklisted sites.

(Reply) (Thread)

	From: da_lj	Date: August 24th, 2006 05:15 pm (UTC)		(Link)

chose 'mac' because that's what I'm on right now (home). But at work, linux.

(Reply) (Thread)

	From: iamo	Date: August 24th, 2006 05:38 pm (UTC)		(Link)

URL-based sessions are not just awkward, they're dangerous, since people like to share links. If you bind them by IP, you get all the problems you get when you do that with cookies. Namely, proxy suckiness. And the most likely affected by the proxy suckiness are also the ones most likely to not understand the implications of passing their links around (*cough*AOL*cough*).

(Reply) (Thread)

	From: boutell	Date: August 24th, 2006 06:51 pm (UTC)		(Link)

Oh, I absolutely agree with you about the awfulness of sessions implemented via URLs. You can make the system tolerant of expired session IDs in URLs, but it's still crappy for pages that are meant to be accessible both when logged in and not logged in. People link to them and search engines don't know how to combine the links into a reasonable estimate of the page's popularity.

But the results of this informal poll show that a disproportionately technical and privacy-minded group of people have accepted session cookies as harmless, or at least necessary. Which means I can recommend site designs that require them for logged-in features, unless you're stuck with an arbitrary no-cookies decree from on high.

Another semi-acceptable approach is to keep session ID information in forms and make every single link on the site a POST-method form submission. That can work and have reasonable, indexable links if it's done very carefully. But it leads to weird site designs, with buttons used where normal links would be perfectly appropriate. It's very 1995.

(Reply) (Parent) (Thread)

From: cks	Date: August 25th, 2006 08:33 pm (UTC)		(Link)

A modest suggestion, in general: if you're going to use session cookies for logins because they're more prone to being accepted by browsers, please send a persistent cookie too and accept either. That way, the people who actually do accept all your cookies don't have to log in again (and again) every time they restart their browser for whatever reason.

(Some websites are busy annoying me with this session cookie only trick at the moment; right now I wind up restarting my browsers relatively often, which means pretty much every visit to them involves yet another trip through their login pages. As you can imagine, it is somewhat of a disincentive to visits.)

(Reply) (Thread)


	5 comments or Leave a comment