One easy way to find out if the original site uses cookies is by using lynx
with the "mime_header" argument:
lynx -mime_header http://e-commerce-site-in-question/foo/bar | less
This will print out the HTTP headers before the content, like show below:
HTTP/1.1 200 OK
Date: Fri, 25 May 2001 18:04:32 GMT
Server: Apache/1.3.12 (Unix)
Expires: Thu, 24 May 2001 18:04:33 GMT
Pragma: no-cache
Set-Cookie: FOO=BAR; domain=e-commerce-site-in-question; path=/cgi-bin
Connection: close
Content-Type: text/html
<HTML>
<HEAD>
---snip---
If that "Set-Cookie" header is there, the script uses cookies. The
-mime_header argument may vary by version of lynx (i think). Check the man
page if the syntax above doesn't work.
Alternatively, you can telnet to port 80 of the website and do a "GET
/path/to/script". Just make sure you have lots of scrollback if the page has
lots of content. =P
P.S. I'm pretty sure Explorer 5.x does NOT store session cookies on disk,
but other browsers may.
--Alex
> -----Original Message-----
> From: Joe Breeden
> Sent: Friday, May 25, 2001 12:55 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: Apache::Session / No-Cookie-Tracking
>
>
> Seems like the site in question is using either a hidden form
> element or a
> session cookie. I'm guessing that with the session being only
> valid as long
> as the browser window is open a session cookie is being used.
> The reason you
> don't see this in the Cookie directory for you particular
> browser is that
> these cookies are stored in the memory - they are not to be
> save after the
> browser session is over. I hope that helps.
>
> Joe Breeden
>
> --------------------------
> Sent from my Outlook 2000 Wired Deskheld (www.microsoft.com)
>
>
> -----Original Message-----
> From: Jonathan Hilgeman [mailto:[EMAIL PROTECTED]]
> Sent: Friday, May 25, 2001 11:29 AM
> To: '[EMAIL PROTECTED]'
> Subject: FW: Apache::Session / No-Cookie-Tracking
>
>
> Sure - I believe in magic, depending on your definition of it. I KNOW
> there's a 4th method, because I've seen it work. There is an
> e-commerce web
> site which uses an outside cart programmed in CGI (Perl?).
> The original web
> site passes no identifying marks such as the session ID
> through the URL or
> through the form's submit button to add an item to the cart.
> I know, because
> I designed and created the web site.
>
> However, when the visitors hit the submit button, they are
> taken to another
> program/website containing their shopping basket filled with
> their items. I
> have figured out that it relies somewhat on the IP address, but not
> completely, because I have tested it behind the firewall and the other
> computer behind the firewall with me does not share the same basket.
>
> Once I am at that screen (viewing the contents of my cart on
> the program),
> there are other links which contain a session ID of sorts
> carried via the
> URL. The thing that is driving my head crazy is how they
> identify the user
> in the first place to create the links with the session ID.
>
> I accidentally caught them during testing or something and
> got a variable on
> the URL line. (I substituted the domain name - it's not
> really cart.com)
> http://www.cart.com/cgi-bin/cart.cgi?cartidnum=208.144.33.190T
> 990806951R5848
> E
>
> cartidnum seems to be:
> $IP-Address + "T" + Unix-TimeStamp + "R" + Unknown number + "E"
>
> By the way, the session only seems to active until the
> browser completely
> shuts down. Any ideas? If I could identify my users on
> another site without
> using cookies at all, that would be fantastic!
>
> Jonathan
>
> -----Original Message-----
> From: Ilya Martynov [mailto:[EMAIL PROTECTED]]
> Sent: Friday, May 25, 2001 9:02 AM
> To: Jonathan Hilgeman
> Cc: '[EMAIL PROTECTED]'
> Subject: Re: Apache::Session / No-Cookie-Tracking
>
>
>
> JH> I want to be able to track visitors without the use of cookies.
> JH> I don't want to rely on IP address, because people behind
> proxies and
> JH> firewalls seem to have the same IP address.
> JH> I don't want to rely on a session ID variable being
> always present in
> the
> JH> URL, in case the window gets closed or changed.
> JH> Now, two questions:
>
> JH> 1) Will Apache::Session provide an environment variable like
> JH> HTTP_USER_AGENT that will contain an identifier that will always
> JH> be consistent for that specific user, despite proxies and
> JH> firewalls, and despite the changing/closing of windows?
>
> JH> 2) If not, does anyone know of a good way to do this?
>
> Do you believe in magic? :)
>
> The only way to track visitors is either:
>
> 1) use cookies
>
> 2) use session ID variable in URI and/or hidden field with session ID
> in forms
>
> 3) use IPs (which is bad because it is completely broken approach)
>
> 4) use HTTP authorization (which is not always convenient because
> requires user registration)
>
> Apache::Session can only create persistent storage of session
> data. Each session data identified by some session ID. This ID should
> be taken from somewhere (see above).
>
> --
>
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> -=-=-=-=-=-
> | Ilya Martynov (http://martynov.org/)
> |
> | GnuPG 1024D/323BDEE6 D7F7 561E 4C1D 8A15 8E80 E4AE BE1A
> 53EB 323B DEE6 |
> | AGAVA Software Company (http://www.agava.com/)
> |
>
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> -=-=-=-=-=-
>
