At 03:51 PM 9/20/00 -0700, you wrote:
>Yes, I would turn away customers without current browsers (current to me
>means going back to about IE 4.0 and Netscape 3.0) and those who refuse
>cookies. But that's just me. If a client wants an app to work with every
>browser, I explain the problems to them such as security, performance,
>etc. and we go from there. To this day not a single client of mine has
>opted to deal with people who don't accept cookies or people who have
>archaic browsers.
Well, the good news is that some old browsers like Netscape 3.0 no longer
have security certificates so not as many of these "archaic browsers" are
in existence. However, any person who cannot buy because they don't have a
4.x browser or because they don't want to enable cookies is someone who
could have made money for the site. Not just that, but they will leave the
site unhappy and spread the word of that to their friends. I certainly hope
that you wouldn't write a search engine only for people who have cookies
enabled. You don't have to accommodate every browser but you should at
least try to accommodate common browser settings. Heck, the security patch
for IE 5 automatically turns off cookies if you install it to stop
malicious scripts.
>But as someone else on the list pointed out, I think I may have misstated
>that session variables require cookies. That person (forgot the name)
>said that session variables are stored in the server's RAM anyway, so it
>shouldn't matter if they have their cookies turned on or not.
Session variables are stored in the server's RAM, but the server has to
identify the client computer to get those to work, which requires cookies
or URLtoken or something similar.
>---mark
>
>--------------------------------------------------------------
>Mark Warrick
>Phone: (714) 547-5386
>Efax.com Fax: (801) 730-7289
>Personal Email: [EMAIL PROTECTED]
>Personal URL: http://www.warrick.net
>Business Email: [EMAIL PROTECTED]
>Business URL: http://www.fusioneers.com
>ICQ: 346566
>--------------------------------------------------------------
>
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> > Sent: Wednesday, September 20, 2000 3:43 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: Any Security Concerns Here? Passing Token in URL [CF-Talk]
> >
> >
> > > Just to reiterate - you should never pass variables that identify
> > > a certain user through forms or URLs. If you do, you leave your
> > > system open for other people to copy those params and screw with
> > > other people's records.
> > >
> > > Use session variables. You can store the session variables in
> > > the registry or in a database if you're worried about people not
> > > having cookies turned on, but I really wouldn't worry about the
> > > cookie-fearing types and the browsers that don't accept cookies.
> > > (God, do those browsers still exist?)
> >
> > Mark,
> >
> > So your sites require cookie acceptance for session management?
> > That's okay for controlled environments (e.g. intranets), but do you
> > really turn away public ecommerce shoppers who disable cookies?
> >
> > I understand the problem with folks sharing links containing a session
> > token, but disabling url tokens altogether poses quite a hit to a site's
> > bottom line. (Remember, you'll only hear about maybe 1 out of 20 users who
> > experience a problem with your cart, or who take issue with your "you must
> > use cookies" warning and leave, never to return.)
> >
> > Cookie-phobia has been on the rise lately, thanks to the MSIE
> > cookie-reading hack (over-)publicized a couple of months ago. I'd be
> > curious to see statistics on the percentage of cookie-disabled browsers
> > out there... anyone got a link?
> >
> > Just my 2 cents,
> > Ron
> >
> >
> > ------------------------------------------------------------------
> > ------------
> > Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
> > To Unsubscribe visit
> > http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/cf
>_talk or send a message to [EMAIL PROTECTED] with
>'unsubscribe' in the body.
>
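
The mechanism discussed in this thread, as an added Python example that is not code from any of the posters: session data stays in server memory, and the client only presents a random token, by cookie when available and by URL parameter otherwise. The parameter name `sid`, the `SESSIONS` store and the 20-minute timeout are assumptions made for illustration.

```python
import secrets
import time
from http.cookies import SimpleCookie
from urllib.parse import urlsplit, parse_qs

SESSION_TTL = 20 * 60  # idle seconds before a session is dropped (assumed value)
SESSIONS = {}          # token -> {"data": {...}, "seen": ts}; held only in server RAM


def new_session(now=None):
    """Create a server-side session and return its unguessable token."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = {"data": {}, "seen": time.time() if now is None else now}
    return token


def token_from_request(url, cookie_header=""):
    """Locate the token: cookie first, URL parameter as the fallback."""
    cookie = SimpleCookie(cookie_header)
    if "sid" in cookie:
        return cookie["sid"].value, "cookie"
    values = parse_qs(urlsplit(url).query).get("sid")
    if values:
        return values[0], "url"
    return None, None


def load_session(url, cookie_header="", now=None):
    """Return this client's session dict, or None if it cannot be identified."""
    now = time.time() if now is None else now
    token, _source = token_from_request(url, cookie_header)
    entry = SESSIONS.get(token) if token else None
    if entry is None:
        return None
    if now - entry["seen"] > SESSION_TTL:
        del SESSIONS[token]  # expired: a copied link found later no longer works
        return None
    entry["seen"] = now
    return entry["data"]


def link(path, token):
    """Rewrite a link for a cookie-less client by appending the token."""
    sep = "&" if "?" in path else "?"
    return f"{path}{sep}sid={token}"
```

The user's identity lives in the session dict on the server, so the URL carries only the random token, and the idle timeout limits how long a shared or logged link stays usable.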