?

Log in

entries friends calendar profile Goode Trouble Previous Previous Next Next
Super Badrat Poll - I Am My Avatar
Big Warm Fuzzy Public Heart
boutell
boutell
Super Badrat Poll
I'd like to learn more about the practicality of using session cookies in web applications. Session cookies are pieces of information stored temporarily on your web browser just for the time you spend logged in to a web site, usually to maintain your logged-in-ness without the need for awkward and obnoxious URLs and other workarounds.

Is your usual web browser set up to accept session cookies?

Yes
32(78.0%)
No
2(4.9%)
I Don't Know
1(2.4%)
I enable this site by site
6(14.6%)

How about cookies kept for longer periods of time?

Yes
24(58.5%)
No
3(7.3%)
I Don't Know
2(4.9%)
I enable this site by site
12(29.3%)

What OS do you primarily use when browsing?

MacOS X
10(24.4%)
Windows
24(58.5%)
Some Other (Unix or Linux)
7(17.1%)
Something Else Entirely
0(0.0%)

Tags: ,

5 comments or Leave a comment
Comments
notshakespeare From: notshakespeare Date: August 24th, 2006 04:45 pm (UTC) (Link)
Most often I'm using IE at work. Cookies are enabled with the exception of blacklisted sites.
da_lj From: da_lj Date: August 24th, 2006 05:15 pm (UTC) (Link)
chose 'mac' because that's what I'm on right now (home). But at work, linux.
iamo From: iamo Date: August 24th, 2006 05:38 pm (UTC) (Link)
URL-based sessions are not just awkward, they're dangerous, since people like to share links. If you bind them by IP, you get all the problems you get when you do that with cookies. Namely, proxy suckiness. And the most likely affected by the proxy suckiness are also the ones most likely to not understand the implications of passing their links around (*cough*AOL*cough*).
boutell From: boutell Date: August 24th, 2006 06:51 pm (UTC) (Link)
Oh, I absolutely agree with you about the awfulness of sessions implemented via URLs. You can make the system tolerant of expired session IDs in URLs, but it's still crappy for pages that are meant to be accessible both when logged in and not logged in. People link to them and search engines don't know how to combine the links into a reasonable estimate of the page's popularity.

But the results of this informal poll show that a disproportionately technical and privacy-minded group of people have accepted session cookies as harmless, or at least necessary. Which means I can recommend site designs that require them for logged-in features, unless you're stuck with an arbitrary no-cookies decree from on high.

Another semi-acceptable approach is to keep session ID information in forms and make every single link on the site a POST-method form submission. That can work and have reasonable, indexable links if it's done very carefully. But it leads to weird site designs, with buttons used where normal links would be perfectly appropriate. It's very 1995.
From: cks Date: August 25th, 2006 08:33 pm (UTC) (Link)
A modest suggestion, in general: if you're going to use session cookies for logins because they're more prone to being accepted by browsers, please send a persistent cookie too and accept either. That way, the people who actually do accept all your cookies don't have to log in again (and again) every time they restart their browser for whatever reason.

(Some websites are busy annoying me with this session cookie only trick at the moment; right now I wind up restarting my browsers relatively often, which means pretty much every visit to them involves yet another trip through their login pages. As you can imagine, it is somewhat of a disincentive to visits.)

5 comments or Leave a comment