Leaving out the userreference in the URL does reduce opportunities for
session hijacking.

I did think, however, that Witango intelligently went after another variable
if the cookie wasn't there, namely, the

ALTUSERKEY=<@CGIPARAM CLIENT_IP>

It's never worked for me (and I'd worry about shared user variables from
multiple people behind the same NAT).


I've based shopping carts on customers having cookies on, and posted the
notice that if there's no cookie, then they'll have to call or fax their
orders in. One alternative is to have a single-page order form with all the
products, billto, shipto, and billing information on one monster form.




On 10/12/04 1:40 PM, "Fogelson, Steve"
<[EMAIL PROTECTED]> wrote:

> I have built my shopping cart application without <@userreference> tag at
> the end of each url. It seemed after all the discussion about a year ago
> that this was the way to go. Especially with search engine spiders and
> hijacked sessions.
> 
> I talked to one of our online customers today and discovered that he was
> being assigned a new session id every time he added an item to his cart.
> 
> I'm trying to figure out a strategy for handling customers that have
> disabled cookies, besides requiring them to sign in when entering the site.
> 
> Is there a way to check to see if they have cookies disabled?
> 
> Any ideas on how to handle customers that have disabled cookies?
> 
> I am also concerned about all the user variables being created for this type
> of customer. Thanks in advance for your help.
> 
> Steve Fogelson
> Internet Commerce Solutions
> 
> 
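
Added example (not part of the original thread, and not Witango code): a small Python model of the two approaches discussed above, keying a cookie-less session on the client IP versus detecting disabled cookies with a set-cookie-and-redirect round trip. The class, method names, paths and address are all constructed for illustration.

```python
import secrets

class SessionStore:
    """Toy server-side session table (constructed model, not Witango code)."""

    def __init__(self):
        self.carts = {}  # session key -> list of cart items

    def issue(self):
        # Unguessable key, delivered to the browser only as a cookie.
        key = secrets.token_urlsafe(32)
        self.carts[key] = []
        return key

    def add_item_ip_fallback(self, cookie, client_ip, item):
        # Pattern under discussion: no cookie, so key the session on client IP.
        key = cookie if cookie in self.carts else "ip:" + client_ip
        self.carts.setdefault(key, []).append(item)
        return key, list(self.carts[key])

    def handle(self, path, cookie):
        """Cookie-only handling. Returns (status, set_cookie, body)."""
        if cookie in self.carts:
            return 200, None, "cart"  # known session
        if path == "/cookiecheck":
            # The cookie set on the previous response did not come back.
            return 200, None, "cookies-required notice"
        # First visit: issue a key and bounce through the check URL.
        return 302, self.issue(), "/cookiecheck"

def demo():
    nat_ip = "203.0.113.7"  # constructed address shared by two customers
    shared = SessionStore()
    shared.add_item_ip_fallback(None, nat_ip, "widget")             # customer A
    _, cart_b = shared.add_item_ip_fallback(None, nat_ip, "gadget")  # customer B
    hardened = SessionStore()
    status, key, location = hardened.handle("/cart", None)
    with_cookie = hardened.handle(location, key)[2]
    without_cookie = hardened.handle(location, None)[2]
    return cart_b, status, with_cookie, without_cookie

if __name__ == "__main__":
    print(demo())
```

In this model the second customer behind the NAT sees the first customer's item in the cart, while the cookie-only store never merges sessions and can show the cookies-required notice after a single redirect.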

