Roland,

You might want to devise a way of adding the userreference to the URL (links, etc) only when the session cookie is not available. This would limit the userreference exposure to only those that require it, and would reduce bookmarking/session hijacking from having it in the url all the time.

You could also pass your own unique user identifier in the url. Ignore it when the session cookie is there to do its job, but if it's missing, use your ID to access domain level vars or recreate the user var scope. Or to simply use in your tracking software.

Personally I would probably just put up an error that we don't permit non-session cookie users to make use of the site. But that would depend on the kind of site and how many people that would aggravate.

Isn't it also true that many robots/spiders don't use cookies? I know the better ones support them, but not all I don't think. So you might be seeing these in your logs.

Just some thoughts.

Robert

-----Original Message-----
From: Scott Cadillac [mailto:[EMAIL PROTECTED]
Sent: Friday, March 18, 2005 2:06 PM
To: [email protected]
Subject: RE: Witango-Talk: Detecting the cookie-averse

Hi Roland,

> 1. I'm glad we're on the same page (pun intended) :-)

> 2. It is possible to devise some trick of jumping between specific pages for a test.

Following is one simple example.

Where a page sets a cookie with a specific value, and then that page jumps the user (JavaScript?) to another page where the cookie value is also copied via a search argument. Then, on the second page you then test if the search argument and cookie values match - if not (because the cookie is empty), then you know that person has cookies disabled.

The problem with the above is getting the user to jump to a second page in some manner that is not annoying, and doesn't run into browser security features like in Windows XP SP2.

But then, even after testing them in this manner, how do you then track the user and notify your system that this person has cookies disabled - when cookies are disabled :-)

Maybe what you should do is set a cookie on all your pages (except the critical ones) that says "roland=niceguy", and for your critical applications - just don't allow the app to run if the "roland" cookie is missing.

It may seem redundant, but your custom cookie will not be present as long as it's not assigned on the critical pages. Trying to get the Witango_UserReference cookie to behave this way will break your other "real" sessions.

Hope that helps.

> -----Original Message-----
> From: Roland Dumas [mailto:[EMAIL PROTECTED]
> Sent: Friday, March 18, 2005 11:39 AM
> To: [email protected]
> Subject: Re: Witango-Talk: Detecting the cookie-averse
>
> 1. preaching to choir. Cookies work. Other means of creating the illusion of state have issues. If someone turns cookies off, then they are entitled to not get the benefit of web applications & just surf pages.
>
> 2. not trying to track the person, just to have a way of knowing that his cookies are completely off. Both to protect some utilities from overload and maybe to post a notice "Yo Fool! Turn yo cookies on and you can shop here!"
>
> On 3/18/05 10:13 AM, "Scott Cadillac" <[EMAIL PROTECTED]> wrote:
>
> > Hi Roland,
> >
> > You just found the reasons we have Cookies for browsers in the first place.
> >
> > Cookies is the most reliable way to uniquely identify a given visitor as they use a website.
> >
> > If a visitor has all their cookie capabilities disabled (i.e., session-cookies), there is no way to tell the difference between these folks, and a brand new visitor to a website who has just requested the very first webpage.
> >
> > Attempting to identify someone by their IP address and/or UserAgent string is not reliable enough (much debated before).
> >
> > The next best way to identify a visitor is by appending <@USERREFERENCEARGUMENT> to all your links and post actions. And again, in my opinion, this is not as reliable as real cookies and can introduce security issues (much debated before).
> >
> > Roland, if you could find a solution to the above - you could make a million dollars.
> >
> > Scott Cadillac
> > ---------
> > Business Extranet Freedom
> > IExtranet ~ http://IExtranet.com
> > Online Demo ~ http://www.northwind.org/#demo
> > ---------
> > Weblog ~ http://xmlx.ca
> > For Hire ~ http://xmlx.ca/forhire
> > ---------
> > 403-254-5002 ~ [EMAIL PROTECTED]
> > ---------
> > P.O. Box 69006
> > RPO Bridlewood SW
> > Calgary, Alberta
> > Canada T2Y 4T9
> >
> >> -----Original Message-----
> >> From: Roland Dumas [mailto:[EMAIL PROTECTED]
> >> Sent: Friday, March 18, 2005 10:21 AM
> >> To: [email protected]
> >> Subject: Witango-Talk: Detecting the cookie-averse
> >>
> >> I notice that for occasional visitors, they get a new _userreference on each hit. I also assign my own session cookie, which for these people is also new on each hit.
> >>
> >> So I see a series of hits to an application from the same IP address in a logical order, each hit with new cookies.
> >>
> >> In addition to basic functions not working, these make a mess of various logs and utilities. (my session log shows all these neat sessions, and then a flood of one hit sessions.)
> >>
> >> I want to isolate or identify the cookie-averse visitors to both warn them and also to have some functionality turned off.
> >>
> >> Is there a logic that can be used to detect these cookie-avoiders? I'd thought that if they didn't accept a cookie, then if you assigned one at the top of a taf, it wouldn't be available later on.
> >>
> >> ________________________________________________________________________
> >> TO UNSUBSCRIBE: Go to http://www.witango.com/developer/maillist.taf
>
> -----------------------------------------
> Roland Dumas
> Roberts Information Services
> 310 W. Bellevue Avenue
> San Mateo CA 94402
> 650-347-1373
> 415-412-9300 (cell)
> [EMAIL PROTECTED]
> SMS: http://new.servqual.com/html/sms.tml
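
The two-page cookie test and the "put the user reference in the URL only when the cookie is missing" idea from this thread, sketched in Python as an added example that is not part of the original messages and not Witango code. It uses an HTTP 302 redirect for the jump between pages; the cookie name, search-argument names and paths are hypothetical.

```python
import hmac
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlencode, urlsplit

PROBE_COOKIE = "cookie_probe"   # hypothetical cookie name
PROBE_ARG = "probe"             # hypothetical search-argument name
CHECK_PATH = "/probe-check"     # hypothetical second page
USERREF_ARG = "userref"         # hypothetical stand-in for the user reference argument


def start_probe():
    """Page one: set a cookie, then redirect with the same value as a search argument."""
    token = secrets.token_urlsafe(16)
    cookie = SimpleCookie()
    cookie[PROBE_COOKIE] = token
    cookie[PROBE_COOKIE]["path"] = "/"
    cookie[PROBE_COOKIE]["httponly"] = True
    headers = {
        "Set-Cookie": cookie[PROBE_COOKIE].OutputString(),
        "Location": f"{CHECK_PATH}?{urlencode({PROBE_ARG: token})}",
    }
    return 302, headers


def cookies_enabled(url, cookie_header):
    """Page two: True only if the cookie came back and matches the search argument."""
    expected = parse_qs(urlsplit(url).query).get(PROBE_ARG, [""])[0]
    morsel = SimpleCookie(cookie_header or "").get(PROBE_COOKIE)
    returned = morsel.value if morsel else ""
    # A client without cookies (or a spider) sends nothing back, so this is False.
    return bool(expected) and hmac.compare_digest(expected.encode(), returned.encode())


def build_link(path, user_ref, has_cookies):
    """Expose the user reference in a link only when the cookie cannot carry it."""
    if has_cookies:
        return path
    sep = "&" if "?" in path else "?"
    return f"{path}{sep}{urlencode({USERREF_ARG: user_ref})}"


if __name__ == "__main__":
    status, headers = start_probe()
    sent_back = headers["Set-Cookie"].split(";")[0]   # what a cookie-accepting browser returns
    print(cookies_enabled(headers["Location"], sent_back))   # browser with cookies on
    print(cookies_enabled(headers["Location"], None))        # cookies off, or a spider
    print(build_link("/cart.taf", "ABC123", False))          # constructed sample reference
```
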
