HTTP session state management for IIS and Apache - cookie, and cookieless URL query parameter or hidden input form field

This is a survey of the available techniques for managing client browser sessions under the stateless HTTP protocol. Note that state cannot be maintained by a static HTML page, but it can be maintained across such a page as long as the end points are dynamic CGI, ISAPI, ASP, ASP.NET, or PHP scripts. This is true whether the pages are deployed on an IIS or Apache server.

The basis of the difficulty in maintaining session state is that the HTTP protocol is stateless. It has no concept of state and thus lacks any defined mechanism for maintaining state on behalf of an internet application. For static web sites, the stateless nature of the HTTP protocol poses no problems. It is only when the original use of the protocol is extended to create user-centric internet applications that this statelessness becomes a design restriction.

Applications such as chat boards, blogs, shopping carts, B2B ecommerce, portals, web mail and membership subscription management all require the server to recognise individual users as distinct from other users and to respond correctly and uniquely for each user. This is true whether or not user login is required. For example, using a shopping cart may not require a user login, but it does require that the contents of the shopping cart be tied to a particular user session.
cookies

As you might guess, cookies are particularly attractive as a means of maintaining session identity. The downside is that users are becoming resistant to the use of cookies due to security concerns, as explained in another article about hotlink prevention. The result is that if cookies are chosen to maintain session state, this requirement must be explicitly detailed on your site, and the application must test that cookies are turned on for each new session.

It may be found that some users are more accepting of session cookies than persistent cookies. A session cookie is not stored on the user's system and will disappear once all browser windows are shut down. A session cookie is created by simply not specifying an expiry in the cookie properties. Other cookie properties that are of interest to the application designer are the cookie security property and the cookie path property.
cookieless

The third option for preserving session state is the use of query parameters in requests passed to the server. This entails that the server modify every link URL in a page to append the tracking data for a particular session as query parameters. At first glance, this might appear to be unusable with forms employing the POST verb as their method property. However, it appears that both the request parameters and the body entity (form data) are passed to the underlying scripting engines registered as html handlers on the server. The downside, again, is that the URL in the type-in bar is fairly messy and available for experimentation by users.
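The session cookie and the cookieless link rewriting described above, as an added Python sketch that is not code from the original article. The parameter name `sid`, the function names, the `HttpOnly` flag and the HMAC tag are assumptions of this example; the tag lets the server reject a token that a user has edited in the URL.

```python
import hashlib, hmac, re, secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SERVER_KEY = secrets.token_bytes(32)  # assumption: secret known only to the server
PARAM = "sid"                         # hypothetical cookie / query parameter name

def _tag(sid):
    return hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()[:32]

def new_session_token():
    """Random session id plus an HMAC tag, so an edited id fails validation."""
    sid = secrets.token_urlsafe(16)
    return f"{sid}.{_tag(sid)}"

def token_is_valid(token):
    sid, _, tag = token.partition(".")
    return hmac.compare_digest(tag.encode(), _tag(sid).encode())

def session_cookie_header(token, path="/"):
    """Session cookie: no Expires/Max-Age, so it is gone when the browser closes."""
    c = SimpleCookie()
    c[PARAM] = token
    c[PARAM]["path"] = path       # cookie path property
    c[PARAM]["secure"] = True     # cookie security property: sent over HTTPS only
    c[PARAM]["httponly"] = True   # not readable from page script
    return c.output(header="Set-Cookie:")

def add_token(url, token):
    parts = urlsplit(url)
    if parts.scheme or parts.netloc:  # absolute or off-site link: do not leak the id
        return url
    query = [(k, v) for k, v in parse_qsl(parts.query) if k != PARAM]
    query.append((PARAM, token))
    return urlunsplit(parts._replace(query=urlencode(query)))

def rewrite_links(html, token):
    """Cookieless mode: append the token to every relative href and form action."""
    return re.sub(r'(href|action)="([^"]*)"',
                  lambda m: f'{m.group(1)}="{add_token(m.group(2), token)}"', html)

if __name__ == "__main__":
    tok = new_session_token()
    page = '<a href="cart.php?item=3">cart</a> <form action="/pay" method="post">'  # constructed sample
    print(session_cookie_header(tok))
    print(rewrite_links(page, tok))
    print(token_is_valid(tok), token_is_valid("edited" + tok))
```

A POST form rewritten this way carries the token in the action URL and the form data in the body, which matches the behaviour the paragraph above describes.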
persistence
security

If the reader has arrived at the conclusion that maintaining session state reliably is difficult in a production environment where control of the end client is not possible, then the correct conclusion has been made. Because of the popularity of the internet, and the growth of internet applications, session state management has become the holy grail of site architects. There are too few tools to achieve it, and yet it is an absolute requirement for many uses.

Search terms which will yield additional information on the techniques for session management include the following:
© 2003, all rights reserved