Yes, I would turn away customers without current browsers (current to me means going 
back to about IE 4.0 and Netscape 3.0) and those who refuse cookies.  But that's just 
me.  If a client wants an app to work with every browser, I explain the problems to 
them such as security, performance, etc. and we go from there.  To this day not a 
single client of mine has opted to deal with people who don't accept cookies or people 
who have archaic browsers.

But as someone else on the list pointed out, I think I may have misstated that session 
variables require cookies.  That person (forgot the name) said that session variables 
are stored in the server's RAM anyway, so it shouldn't matter if they have their 
cookies turned on or not.

---mark

--------------------------------------------------------------
Mark Warrick
Phone: (714) 547-5386
Efax.com Fax: (801) 730-7289
Personal Email: [EMAIL PROTECTED]
Personal URL: http://www.warrick.net 
Business Email: [EMAIL PROTECTED]
Business URL: http://www.fusioneers.com
ICQ: 346566
--------------------------------------------------------------


> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, September 20, 2000 3:43 PM
> To: [EMAIL PROTECTED]
> Subject: RE: Any Security Concerns Here? Passing Token in URL [CF-Talk]
> 
> 
> > Just to reiterate - you should never pass variables that identify
> > a certain user through forms or URLs.  If you do, you leave your
> > system open for other people to copy those params and screw with
> > other people's records.
> >
> > Use session variables.  You can store the session variables in
> > the registry or in a database if you're worried about people not
> > having cookies turned on, but I really wouldn't worry about the
> > cookie-fearing types and the browsers that don't accept cookies.
> > (God, do those browsers still exist?)
> 
> Mark,
> 
> So your sites require cookie acceptance for session management? That's okay
> for controlled environments (e.g. intranets), but do you really turn away
> public ecommerce shoppers who disable cookies?
> 
> I understand the problem with folks sharing links containing a session
> token, but disabling url tokens altogether poses quite a hit to a site's
> bottom line. (Remember, you'll only hear about maybe 1 out of 20 users who
> experience a problem with your cart, or who take issue with your "you must
> use cookies" warning and leave, never to return.)
> 
> Cookie-phobia has been on the rise lately, thanks to the MSIE cookie-reading
> hack (over-)publicized a couple of months ago. I'd be curious to see
> statistics on the percentage of cookie-disabled browsers out there... anyone
> got a link?
> 
> Just my 2 cents,
> Ron
> 
> 
> ------------------------------------------------------------------------------
> Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
> To Unsubscribe visit http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/cf_talk
> or send a message to [EMAIL PROTECTED] with 'unsubscribe' in the body.
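
Added example, not part of the original thread and not code from any poster: a Python sketch of the advice quoted above, contrasting a handler that trusts a user-identifying URL parameter with one that resolves the user from a server-side session keyed by an opaque token (the value a cookie or URL token would carry). The record data, account ids and function names are constructed for illustration.

```python
import secrets

# Constructed sample data: records keyed by account id.
RECORDS = {"1001": "alice's order history", "1002": "bob's order history"}


class SessionStore:
    """Server-side session variables, held in memory and keyed by an opaque token."""

    def __init__(self):
        self._sessions = {}

    def create(self, user_id):
        token = secrets.token_urlsafe(32)  # unguessable, carries no user data
        self._sessions[token] = {"user_id": user_id}
        return token

    def lookup(self, token):
        return self._sessions.get(token)


def record_from_url_param(params):
    """Pattern warned against: identity is whatever the request claims."""
    return RECORDS.get(params.get("user_id"))


def record_from_session(store, token, params):
    """Identity comes only from the session; any user_id in params is ignored."""
    session = store.lookup(token) if token else None
    if session is None:
        return None  # no valid session: the caller has to log in again
    return RECORDS.get(session["user_id"])


def demo():
    store = SessionStore()
    alice_token = store.create("1001")
    tampered = {"user_id": "1002"}  # parameter changed to another account's id
    return (
        record_from_url_param(tampered),                        # other user's record
        record_from_session(store, alice_token, tampered),      # still alice's record
        record_from_session(store, "guessed-token", tampered),  # unknown token: nothing
    )


if __name__ == "__main__":
    print(demo())
```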
