Of course, if an external spider doesn't use a cookie, it could eat up your user sessions. But only for the parts of a site that don't demand user authentication (as correlated by the session cookie).
On Wednesday, October 13, 2004, at 06:36 AM, Fogelson, Steve wrote:
Thanks for all the comments guys. I was thinking along the lines of Scott. I
was wondering if there was a way to check to see if cookies were enabled. I
was just going to let them know and not let them continue until cookies were
invoked.
How would this affect search engine spiders? Maybe I need to let them
continue (and just notify them that the shopping cart will not retain their
selections) or the spiders will not get their work done. Any comments?
I like the idea of providing instructions for them.
Now I need to figure out how to check for cookies. Thanks Ben for the link.
Thanks
Steve
-----Original Message-----
From: John McGowan [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 13, 2004 8:25 AM
To: [EMAIL PROTECTED]
Subject: Re: Witango-Talk: Cookies
Listen to Scott on this one. If you can educate just one user that
turning session cookies back on isn't going to blow up their computer or
get their credit card stolen then our society becomes one step closer to
nirvana.
If you were an auto dealer and a customer brought their car in and said they didn't "like to have the battery plugged in", but wanted to know why they couldn't start their car, would you install a hand crank for them to start their car?
I know... It's a weak analogy... :)
/John
Scott Cadillac wrote:
Hi Steve,
If you recall, the point and the conclusion on that long discussion was "security" - if a user has session-cookies disabled, then so be it. Just display a message telling them to turn it back on before allowing them to proceed (provide instructions).
This is the most secure way to handle session management for any web platform (SSL is a different matter).
The issue is about security - why compromise security for user convenience. Giving them convenience now just delays more serious problems until a later date.
----
Yes, additional user variables may be assigned on the Server because of missing session-cookies. Unfortunately, it is one down-side to pay for better security for your visitors.
-----
As for testing for cookies, writing a bit of code for this is not difficult - but keep in mind there is a difference between "session" cookies and regular cookies, and that most every modern browser has settings for both kinds (and that some browsers use different terminology to describe these two kinds of cookies).
Hope this helps. Cheers....
Scott Cadillac, XML-Extranet ~ 403-254-5002 ~ [EMAIL PROTECTED] ------------ Well-formed Programming in C# ASP.NET, Witango and XML For Hire ~ http://xmlx.ca/forhire ------------ IExtranet ~ http://IExtranet.net ------------ Weblog ~ http://xmlx.ca Forums ~ http://forums.xmlx.ca Knowledge Base ~ http://kb.xmlx.ca ------------ P.O. Box 69006 RPO Bridlewood SW Calgary, Alberta Canada T2Y 4T9
-----Original Message-----
From: "Fogelson, Steve" <[EMAIL PROTECTED]>
To: "Witango User Group (E-mail)" <[EMAIL PROTECTED]>
Date: Tue, 12 Oct 2004 15:40:48 -0500
Subject: Witango-Talk: Cookies
I have built my shopping cart application without <@userreference> tag at the end of each url. It seemed after all the discussion about a year ago that this was the way to go. Especially with search engine spiders and hijacked sessions.
I talked to one of our online customers today and discovered that he was being assigned a new session id every time he added an item to his cart.
I'm trying to figure out a strategy for handling customers that have disabled cookies, besides requiring them to sign in when entering the site.
Is there a way to check to see if they have cookies disabled?
Any ideas on how to handle customers that have disabled cookies?
I am also concerned about all the user variables being created for this type of customer. Thanks in advance for your help.
Steve Fogelson Internet Commerce Solutions
________________________________________________________________________
TO UNSUBSCRIBE: Go to http://www.witango.com/developer/maillist.taf
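
An added example, not code from anyone in this thread: one way to test for session cookies before allocating any server-side state, so that cookie-less visitors and spiders never create user variables and the session id never appears in a URL. It is written in Python rather than Witango; the cookie names, the `probe` query parameter, the bot marker list and the `handle` function are all hypothetical, and HTTPS is assumed because the cookies carry `Secure`.

```python
import secrets
from http.cookies import SimpleCookie

PROBE = "cookie_probe"   # hypothetical name of the throwaway test cookie
SESSION = "sid"          # hypothetical name of the session cookie
BOT_MARKERS = ("googlebot", "bingbot", "slurp")   # constructed sample list

def parse_cookies(header):
    jar = SimpleCookie()
    jar.load(header or "")
    return {name: morsel.value for name, morsel in jar.items()}

def session_cookie(name, value):
    # No Expires/Max-Age: a "session" cookie, discarded when the browser closes.
    return f"{name}={value}; Path=/; HttpOnly; Secure; SameSite=Lax"

def handle(path, query, cookie_header, user_agent, sessions):
    """Return (status, headers, body) for one request to the cart area."""
    cookies = parse_cookies(cookie_header)
    if cookies.get(SESSION) in sessions:
        return 200, [], "cart ready"
    # User-Agent is spoofable, so this branch only serves public pages
    # and never allocates a session.
    if any(m in (user_agent or "").lower() for m in BOT_MARKERS):
        return 200, [], "catalogue (no cart)"
    if query.get("probe") == "1":
        if PROBE in cookies:
            # The browser returned the test cookie: only now create state.
            sid = secrets.token_urlsafe(32)
            sessions[sid] = {"cart": []}
            return 302, [("Set-Cookie", session_cookie(SESSION, sid)),
                         ("Location", path)], ""
        return 200, [], ("Session cookies are disabled. "
                         "Enable them to use the cart.")
    # First visit: set the test cookie and bounce once to see if it returns.
    return 302, [("Set-Cookie", session_cookie(PROBE, "1")),
                 ("Location", path + "?probe=1")], ""
```

Because the probe cookie has no expiry it exercises the browser's "session" cookie setting specifically, which is the distinction Scott raises above.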
