On Thu, May 13, 2004 at 02:10:29AM +0900, Dmitry V. Sabanin wrote:
> On Wednesday 12 May 2004 19:24, Thomas Fini Hansen wrote:
> > You can't trust HTTP_REFERER either, some 'security software' disables
> > them, in Opera it's just F12->Enable referrer logging, and then there
> > seems to be the odd people that got a static referrer... How that
> > messes with the above is left as an exercise for the reader. ;)
> Well, I don't think it's _that_ important.
> IMO, there are security flaws in both Cookie and URL SID
> transmission approaches.

I wasn't thinking about security, just how it will fail. If someone
has both their cookies and referrer disabled by some fancypants
'privacy software', the first method will just fail and think they are
new on each hit.

But it all depends on the context. If it's something you log into, it's
just a simple matter of having the login form presenting page set the
cookie, and the page that gets posted to check for it. Tracking people
with different entry and exit pages requires another solution.

Or you might consider whether it's actually worth the bother, and just
tell people that they'll miss out on features if they don't have
cookies enabled. 

> > I'd go with the belt and braces approach. On the first hit, set the
> > cookie *and* use URL session. On the next hits, drop the URL encoding
> > if you get the cookie.
> Nice way too, but I have yet to think if it will play nicely with
> search engines..

Oh yeah, there is that.. But if they use referrers, they'll get the
URL SID with the other approach too. I'm not that up on how search
engines work these days. You could filter those out by User-Agent, as
all good crawlers use them.

-- 
Thomas
beast / system-tnt.dk
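
The belt-and-braces approach discussed in this thread, as an added example that is not part of the original messages: set the cookie and use a URL SID on the first hit, drop the URL SID once the cookie comes back, and give crawlers no SID at all. The names `handle_hit`, `Decision` and the crawler marker list are hypothetical and constructed for illustration.

```python
import secrets
from typing import NamedTuple, Optional

# Constructed sample list of User-Agent substrings; a real deployment
# would maintain its own list.
CRAWLER_MARKERS = ("googlebot", "slurp", "crawler")


class Decision(NamedTuple):
    sid: Optional[str]   # session the request is bound to, if any
    set_cookie: bool     # send a Set-Cookie header with the SID
    rewrite_urls: bool   # append the SID to links in the response


def is_crawler(user_agent):
    ua = (user_agent or "").lower()
    return any(marker in ua for marker in CRAWLER_MARKERS)


def handle_hit(cookie_sid, url_sid, user_agent, sessions):
    """Decide how to carry the session for one request.

    `sessions` is the set of SIDs this server has issued. A SID that is
    not in the set is never adopted, so a client cannot choose its own.
    """
    if is_crawler(user_agent):
        # No session for crawlers, so no SID ends up in indexed URLs.
        return Decision(None, False, False)
    if cookie_sid in sessions:
        # The cookie came back: cookies work, so drop the URL encoding.
        return Decision(cookie_sid, False, False)
    if url_sid in sessions:
        # Only the URL SID survived: cookies are off, keep rewriting links.
        return Decision(url_sid, False, True)
    # First hit (or unknown SID): issue a fresh SID and send it both ways.
    sid = secrets.token_urlsafe(16)
    sessions.add(sid)
    return Decision(sid, True, True)
```

While `rewrite_urls` is true the SID is part of every link, so it also appears in the Referer header sent to external sites, which is the exposure the thread mentions for search engines.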