Seems like the site in question is using either a hidden form element or a
session cookie. I'm guessing that with the session being only valid as long
as the browser window is open a session cookie is being used. The reason you
don't see this in the Cookie directory for your particular browser is that
these cookies are stored in the memory - they are not to be saved after the
browser session is over. I hope that helps.

Joe Breeden

--------------------------
Sent from my Outlook 2000 Wired Deskheld (www.microsoft.com)


-----Original Message-----
From: Jonathan Hilgeman [mailto:[EMAIL PROTECTED]]
Sent: Friday, May 25, 2001 11:29 AM
To: '[EMAIL PROTECTED]'
Subject: FW: Apache::Session / No-Cookie-Tracking


Sure - I believe in magic, depending on your definition of it. I KNOW
there's a 4th method, because I've seen it work. There is an e-commerce web
site which uses an outside cart programmed in CGI (Perl?). The original web
site passes no identifying marks such as the session ID through the URL or
through the form's submit button to add an item to the cart. I know, because
I designed and created the web site. 

However, when the visitors hit the submit button, they are taken to another
program/website containing their shopping basket filled with their items. I
have figured out that it relies somewhat on the IP address, but not
completely, because I have tested it behind the firewall and the other
computer behind the firewall with me does not share the same basket. 

Once I am at that screen (viewing the contents of my cart on the program),
there are other links which contain a session ID of sorts carried via the
URL. The thing that is driving my head crazy is how they identify the user
in the first place to create the links with the session ID.

I accidentally caught them during testing or something and got a variable on
the URL line. (I substituted the domain name - it's not really cart.com)
http://www.cart.com/cgi-bin/cart.cgi?cartidnum=208.144.33.190T990806951R5848E

cartidnum seems to be:
$IP-Address + "T" + Unix-TimeStamp + "R" + Unknown number + "E"

By the way, the session only seems to be active until the browser completely
shuts down. Any ideas? If I could identify my users on another site without
using cookies at all, that would be fantastic!

Jonathan

-----Original Message-----
From: Ilya Martynov [mailto:[EMAIL PROTECTED]]
Sent: Friday, May 25, 2001 9:02 AM
To: Jonathan Hilgeman
Cc: '[EMAIL PROTECTED]'
Subject: Re: Apache::Session / No-Cookie-Tracking



JH> I want to be able to track visitors without the use of cookies.
JH> I don't want to rely on IP address, because people behind proxies and
JH> firewalls seem to have the same IP address. 
JH> I don't want to rely on a session ID variable being always present in the
JH> URL, in case the window gets closed or changed.
JH> Now, two questions:

JH> 1) Will Apache::Session provide an environment variable like
JH> HTTP_USER_AGENT that will contain an identifier that will always
JH> be consistent for that specific user, despite proxies and
JH> firewalls, and despite the changing/closing of windows?

JH> 2) If not, does anyone know of a good way to do this?

Do you believe in magic? :)

The only way to track visitors is either:

1) use cookies

2) use session ID variable in URI and/or hidden field with session ID
   in forms

3) use IPs (which is bad because it is a completely broken approach)

4) use HTTP authorization (which is not always convenient because
   requires user registration)

Apache::Session can only create persistent storage of session
data. Each session's data is identified by some session ID. This ID should
be taken from somewhere (see above).

-- 
 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
| Ilya Martynov (http://martynov.org/)                                    |
| GnuPG 1024D/323BDEE6 D7F7 561E 4C1D 8A15 8E80  E4AE BE1A 53EB 323B DEE6 |
| AGAVA Software Company (http://www.agava.com/)                          |
 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
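
Added example, not part of the original thread and not the cart vendor's code: it parses the cartidnum value quoted above using the layout guessed in the thread (IP + "T" + Unix timestamp + "R" + number + "E") and estimates how little of it is actually unpredictable, next to an identifier drawn from a CSPRNG. The function names, the one-hour window and the reading of the "R" field as a decimal number of the observed length are assumptions.

```python
import math
import re
import secrets
from datetime import datetime, timezone

# Layout as guessed in the thread: IP "T" unix-time "R" number "E"
CARTID_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})T(\d+)R(\d+)E$")


def parse_cartidnum(token):
    """Split a cartidnum into its fields, or return None if it does not fit."""
    m = CARTID_RE.match(token)
    if m is None:
        return None
    ip, ts, rnd = m.groups()
    if any(int(octet) > 255 for octet in ip.split(".")):
        return None
    issued = datetime.fromtimestamp(int(ts), tz=timezone.utc)
    return {"ip": ip, "issued": issued, "random": rnd}


def guess_bits(parsed, window_seconds=3600):
    """Upper bound on the unknown bits for someone who already knows the
    client IP and the issue time to within window_seconds.
    Assumption: the R field is uniform over all decimals of its length."""
    random_space = 10 ** len(parsed["random"])
    return math.log2(random_space * window_seconds)


def new_session_id():
    """128 bits from the OS CSPRNG; suitable as an Apache::Session-style key
    carried in a cookie, URL parameter or hidden field."""
    return secrets.token_urlsafe(16)


if __name__ == "__main__":
    sample = "208.144.33.190T990806951R5848E"  # value quoted in the thread
    fields = parse_cartidnum(sample)
    print(fields["ip"], fields["issued"].isoformat(), fields["random"])
    print("unknown bits in cartidnum: about %.1f" % guess_bits(fields))
    print("unknown bits in CSPRNG id: 128 ->", new_session_id())
```

The IP and timestamp are visible to anyone who can see or log the request, so only the short "R" field and clock uncertainty stand between two visitors' baskets.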
