Session Science

Fighting to Keep the Cart

Contrary to common belief, the WWW is not an e-commerce platform. It is a platform for documentation. Since businesses lacked the ability to create standards of their own, they jumped on the one that looked like a fit to them.

As a result, we have to implement a way to keep state on top of a stateless protocol. This turns out to be surprisingly hard. "Why should this be hard?" you may ask. "I simply set an ID cookie and that's it."

Cookies

The first problem is that there are people out there who do not accept cookies. I have also seen a few cases (AOL Browser + AOL Proxy Farm) where cookies seemed to get lost, but I was not able to find out what really happened. So you might want to have a fallback session mechanism.

The second problem is that cookies are only sent back to the host that set them, and which host that is is determined by the host name. So if your site has several alias names, you might for example lose your cookie when switching to SSL, because the secure host is reached under a different name.

Another little piece of experience is that on IE 5 on NT, an attempt to set a cookie from an inline element calls Dr. Watson. I am not sure what the exact system configuration is to reproduce this. But all the ad servers seem to know - just take a look at what they are doing.

URL Session

If you cannot use cookies, you can put the session ID in the URL so that it gets passed to your scripts with every request. You can put it there as a query parameter, but this means you have to pass it by hand with every link and form. If you forget it once, you lose the session.

You can instead put it in the URL path and install a rewriting rule that simply removes it before the request reaches your scripts. This way you are somewhat better off: as long as you only use relative links, the browser resolves them below the session segment and the session is kept automatically. You can even jump across static pages without losing it.

The downside is that two people using the same URL share the same session. This can happen by email, chat, ICQ, or simply because a search engine has indexed a session URL.
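The following is an added example, not code from the original article, of the cookie-first, URL-path-fallback scheme described above. It assumes a hypothetical layout in which the session ID rides in a leading "/s/<id>/" path segment and a cookie named "SID" (both names are this example's own choice); the path segment is stripped before the application sees the path, which is what the rewriting rule does on a real server, and absolute links generated by the application are re-prefixed so they do not drop the session.

```python
import re
from http.cookies import SimpleCookie
from typing import Optional, Tuple

# Assumed names: the cookie is called "SID" and the path session lives in the
# first segment as /s/<id>/...; the ID is restricted to 16-64 alphanumerics so
# that arbitrary path junk is never mistaken for a session.
SESSION_COOKIE = "SID"
PATH_SESSION_RE = re.compile(r"^/s/([A-Za-z0-9]{16,64})(/.*)?$")


def session_from_cookie(cookie_header: Optional[str]) -> Optional[str]:
    """Return the session ID carried by the SID cookie, or None."""
    if not cookie_header:
        return None
    jar = SimpleCookie()
    try:
        jar.load(cookie_header)
    except Exception:  # malformed Cookie header: treat as no cookie
        return None
    morsel = jar.get(SESSION_COOKIE)
    return morsel.value if morsel and morsel.value else None


def strip_path_session(path: str) -> Tuple[Optional[str], str]:
    """Split "/s/<id>/rest" into (<id>, "/rest"); other paths pass through unchanged.

    This is the in-process equivalent of the rewriting rule the article describes.
    """
    m = PATH_SESSION_RE.match(path)
    if not m:
        return None, path
    return m.group(1), m.group(2) or "/"


def resolve_session(path: str, cookie_header: Optional[str]) -> Tuple[Optional[str], str, str]:
    """Cookie first, URL path as the fallback.

    Returns (session_id, application_path, source) with source one of
    "cookie", "url" or "none". The path segment is always stripped so the
    application never sees it, whichever source wins.
    """
    path_id, app_path = strip_path_session(path)
    cookie_id = session_from_cookie(cookie_header)
    if cookie_id:
        return cookie_id, app_path, "cookie"
    if path_id:
        return path_id, app_path, "url"
    return None, app_path, "none"


def rewrite_link(href: str, session_id: Optional[str], source: str) -> str:
    """Re-prefix an absolute path with the session segment when the session came from the URL.

    Relative links keep a path-based session by themselves; absolute paths
    ("/checkout") would drop it, so they get the segment put back. Links from
    cookie sessions are left alone, keeping the ID out of URLs where possible.
    """
    if source != "url" or not session_id or not href.startswith("/"):
        return href
    return f"/s/{session_id}{href}"
```

Keeping the ID out of the URL whenever the cookie works is deliberate: the sharing problem only exists for the sessions that actually had to fall back to the path.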

Session Log

To be aware of problems, it is advisable to have a log where you can see for every session its creation date, its last update, its IP, its user agent and whatever else you might consider useful.
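As an added illustration (not part of the original article) of what such a log makes visible, the following keeps one record per session with the fields listed above and annotates a record whenever the IP or user agent changes mid-session or the session is resumed after a long idle gap, which are the symptoms you would see when a session URL has been shared or a cookie has gone missing. The record layout, the 30-minute idle threshold and the replayed requests are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass
class SessionRecord:
    """One row of the session log; field names follow the list in the text."""
    session_id: str
    created: datetime
    last_update: datetime
    ip: str
    user_agent: str
    hits: int = 1
    notes: List[str] = field(default_factory=list)


class SessionLog:
    def __init__(self, idle_timeout: timedelta = timedelta(minutes=30)):
        self.idle_timeout = idle_timeout  # assumed threshold, not from the article
        self.records: Dict[str, SessionRecord] = {}

    def touch(self, session_id: str, ip: str, user_agent: str,
              now: Optional[datetime] = None) -> SessionRecord:
        """Record one request for a session, creating the record on first sight."""
        now = now or datetime.now(timezone.utc)
        rec = self.records.get(session_id)
        if rec is None:
            rec = SessionRecord(session_id, now, now, ip, user_agent)
            self.records[session_id] = rec
            return rec
        # Changes between requests of one session are what a shared or leaked
        # session ID looks like in the log, so note them rather than overwrite silently.
        if rec.ip != ip:
            rec.notes.append(f"ip changed {rec.ip} -> {ip}")
            rec.ip = ip
        if rec.user_agent != user_agent:
            rec.notes.append(f"user agent changed {rec.user_agent!r} -> {user_agent!r}")
            rec.user_agent = user_agent
        if now - rec.last_update > self.idle_timeout:
            rec.notes.append("resumed after idle timeout")
        rec.last_update = now
        rec.hits += 1
        return rec

    def suspicious(self) -> List[str]:
        """Session IDs that collected at least one note."""
        return sorted(sid for sid, r in self.records.items() if r.notes)

    def dump(self) -> List[str]:
        """One text line per session, in the shape of the log the text suggests."""
        lines = []
        for sid, r in sorted(self.records.items()):
            lines.append(
                f"{sid} created={r.created.isoformat()} last={r.last_update.isoformat()} "
                f"ip={r.ip} ua={r.user_agent!r} hits={r.hits} notes={';'.join(r.notes) or '-'}"
            )
        return lines


def demo() -> SessionLog:
    """Replay a few constructed requests: one clean session, one that changes IP, one resumed late."""
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    log = SessionLog()
    log.touch("s1", "10.0.0.1", "UA-A", t0)
    log.touch("s1", "10.0.0.1", "UA-A", t0 + timedelta(minutes=1))
    log.touch("s2", "10.0.0.2", "UA-B", t0)
    log.touch("s2", "10.0.0.3", "UA-B", t0 + timedelta(minutes=2))
    log.touch("s3", "10.0.0.4", "UA-C", t0)
    log.touch("s3", "10.0.0.4", "UA-C", t0 + timedelta(hours=2))
    return log


if __name__ == "__main__":
    for line in demo().dump():
        print(line)
```

An IP change alone is not proof of sharing (proxy farms like the AOL one mentioned earlier rotate addresses), which is why the log keeps the note alongside the record instead of terminating the session; the decision of what to do with a flagged session is left to whoever reads the log.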