Re: Apache::Session / No-Cookie-Tracking

2001-05-26 Thread Issac Goldstand

Is it a secure website?  If so, it could be using the SSL unique ID which,
if I'm not mistaken, is persistent through the SSL session (so the server
doesn't have to redo the handshake on each connect).

  Issac

- Original Message -
From: "Jonathan Hilgeman" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, May 25, 2001 6:29 PM
Subject: FW: Apache::Session / No-Cookie-Tracking


> Sure - I believe in magic, depending on your definition of it. I KNOW
> there's a 4th method, because I've seen it work. There is an e-commerce web
> site which uses an outside cart programmed in CGI (Perl?). The original web
> site passes no identifying marks such as the session ID through the URL or
> through the form's submit button to add an item to the cart. I know, because
> I designed and created the web site.
>
> However, when the visitors hit the submit button, they are taken to another
> program/website containing their shopping basket filled with their items. I
> have figured out that it relies somewhat on the IP address, but not
> completely, because I have tested it behind the firewall and the other
> computer behind the firewall with me does not share the same basket.
>
> Once I am at that screen (viewing the contents of my cart on the program),
> there are other links which contain a session ID of sorts carried via the
> URL. The thing that is driving my head crazy is how they identify the user
> in the first place to create the links with the session ID.
>
> I accidentally caught them during testing or something and got a variable on
> the URL line. (I substituted the domain name - it's not really cart.com)
> http://www.cart.com/cgi-bin/cart.cgi?cartidnum=208.144.33.190T990806951R5848E
>
> cartidnum seems to be:
> $IP-Address + "T" + Unix-TimeStamp + "R" + Unknown number + "E"
>
> By the way, the session only seems to be active until the browser completely
> shuts down. Any ideas? If I could identify my users on another site without
> using cookies at all, that would be fantastic!
>
> Jonathan
>
> -----Original Message-----
> From: Ilya Martynov [mailto:[EMAIL PROTECTED]]
> Sent: Friday, May 25, 2001 9:02 AM
> To: Jonathan Hilgeman
> Cc: '[EMAIL PROTECTED]'
> Subject: Re: Apache::Session / No-Cookie-Tracking
>
>
>
> JH> I want to be able to track visitors without the use of cookies.
> JH> I don't want to rely on IP address, because people behind proxies and
> JH> firewalls seem to have the same IP address.
> JH> I don't want to rely on a session ID variable being always present in the
> JH> URL, in case the window gets closed or changed.
> JH> Now, two questions:
>
> JH> 1) Will Apache::Session provide an environment variable like
> JH> HTTP_USER_AGENT that will contain an identifier that will always
> JH> be consistent for that specific user, despite proxies and
> JH> firewalls, and despite the changing/closing of windows?
>
> JH> 2) If not, does anyone know of a good way to do this?
>
> Do you believe in magic? :)
>
> The only way to track visitors is either:
>
> 1) use cookies
>
> 2) use session ID variable in URI and/or hidden field with session ID
>    in forms
>
> 3) use IPs (which is bad because it is completely broken approach)
>
> 4) use HTTP authorization (which is not always convenient because
>    requires user registration)
>
> Apache::Session can only create persistent storage of session
> data. Each session data identified by some session ID. This ID should
> be taken from somewhere (see above).
>
> --
>  -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> | Ilya Martynov (http://martynov.org/) |
> | GnuPG 1024D/323BDEE6 D7F7 561E 4C1D 8A15 8E80  E4AE BE1A 53EB 323B DEE6 |
> | AGAVA Software Company (http://www.agava.com/) |
>  -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>




RE: Apache::Session / No-Cookie-Tracking

2001-05-25 Thread Alex Porras

One easy way to find out if the original site uses cookies is by using lynx
with the "mime_header" argument:

lynx -mime_header http://e-commerce-site-in-question/foo/bar | less

This will print out the HTTP headers before the content, as shown below:

HTTP/1.1 200 OK
Date: Fri, 25 May 2001 18:04:32 GMT
Server: Apache/1.3.12 (Unix)
Expires: Thu, 24 May 2001 18:04:33 GMT
Pragma: no-cache
Set-Cookie: FOO=BAR; domain=e-commerce-site-in-question; path=/cgi-bin
Connection: close
Content-Type: text/html




---snip---

If that "Set-Cookie" header is there, the script uses cookies.  The
-mime_header argument may vary by version of lynx (I think). Check the man
page if the syntax above doesn't work.  

Alternatively, you can telnet to port 80 of the website and do a "GET
/path/to/script". Just make sure you have lots of scrollback if the page has
lots of content. =P

P.S. I'm pretty sure Explorer 5.x does NOT store session cookies on disk,
but other browsers may.

--Alex


> -Original Message-
> From: Joe Breeden 
> Sent: Friday, May 25, 2001 12:55 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: Apache::Session / No-Cookie-Tracking
> 
> 
> Seems like the site in question is using either a hidden form element or a
> session cookie. I'm guessing that with the session being only valid as long
> as the browser window is open a session cookie is being used. The reason you
> don't see this in the Cookie directory for your particular browser is that
> these cookies are stored in the memory - they are not to be saved after the
> browser session is over. I hope that helps.
> 
> Joe Breeden
> 
> --
> Sent from my Outlook 2000 Wired Deskheld (www.microsoft.com)
> 
> 
> -Original Message-
> From: Jonathan Hilgeman [mailto:[EMAIL PROTECTED]]
> Sent: Friday, May 25, 2001 11:29 AM
> To: '[EMAIL PROTECTED]'
> Subject: FW: Apache::Session / No-Cookie-Tracking
> 
> 
> Sure - I believe in magic, depending on your definition of it. I KNOW
> there's a 4th method, because I've seen it work. There is an e-commerce web
> site which uses an outside cart programmed in CGI (Perl?). The original web
> site passes no identifying marks such as the session ID through the URL or
> through the form's submit button to add an item to the cart. I know, because
> I designed and created the web site.
>
> However, when the visitors hit the submit button, they are taken to another
> program/website containing their shopping basket filled with their items. I
> have figured out that it relies somewhat on the IP address, but not
> completely, because I have tested it behind the firewall and the other
> computer behind the firewall with me does not share the same basket.
>
> Once I am at that screen (viewing the contents of my cart on the program),
> there are other links which contain a session ID of sorts carried via the
> URL. The thing that is driving my head crazy is how they identify the user
> in the first place to create the links with the session ID.
>
> I accidentally caught them during testing or something and got a variable on
> the URL line. (I substituted the domain name - it's not really cart.com)
> http://www.cart.com/cgi-bin/cart.cgi?cartidnum=208.144.33.190T990806951R5848E
>
> cartidnum seems to be:
> $IP-Address + "T" + Unix-TimeStamp + "R" + Unknown number + "E"
>
> By the way, the session only seems to be active until the browser completely
> shuts down. Any ideas? If I could identify my users on another site without
> using cookies at all, that would be fantastic!
> 
> Jonathan
> 
> -Original Message-
> From: Ilya Martynov [mailto:[EMAIL PROTECTED]]
> Sent: Friday, May 25, 2001 9:02 AM
> To: Jonathan Hilgeman
> Cc: '[EMAIL PROTECTED]'
> Subject: Re: Apache::Session / No-Cookie-Tracking
> 
> 
> 
> JH> I want to be able to track visitors without the use of cookies.
> JH> I don't want to rely on IP address, because people behind proxies and
> JH> firewalls seem to have the same IP address.
> JH> I don't want to rely on a session ID variable being always present in the
> JH> URL, in case the window gets closed or changed.
> JH> Now, two questions:
> 
> JH> 1) Will Apache::Session provide an environment variable like
> JH> HTTP_USER_AGENT that will contain an identifier that will always
> JH> be consistent for that specific user, despite proxies and
> JH> firewalls, and despite the changing/closing of windows?
> 
> JH> 2) If not, does anyone know o
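
The header check from Alex's message above, extended to tell session cookies (no expiry, so never written to disk) from persistent ones; this is an added example, not part of the original message. The second Set-Cookie line and the cookies_in helper are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example (not from the thread): classify cookies in a saved response.
use strict;
use warnings;

# Constructed response, modelled on the headers shown in the message above,
# with a second cookie carrying an expiry date added for contrast.
my $captured = <<'END';
HTTP/1.1 200 OK
Date: Fri, 25 May 2001 18:04:32 GMT
Server: Apache/1.3.12 (Unix)
Set-Cookie: FOO=BAR; domain=e-commerce-site-in-question; path=/cgi-bin
Set-Cookie: PREF=1; path=/; expires=Sat, 25-May-2002 18:04:32 GMT
Connection: close
Content-Type: text/html

<html>---snip---</html>
END

# Return one record per Set-Cookie header found in the header section.
sub cookies_in {
    my ($response) = @_;
    my ($head) = split /\r?\n\r?\n/, $response, 2;   # drop the body
    my @found;
    for my $line (split /\r?\n/, $head) {
        next unless $line =~ /\ASet-Cookie:\s*(.*?)\s*\z/i;
        my $value = $1;
        my ($pair, @attrs) = split /\s*;\s*/, $value;
        next unless defined $pair && $pair =~ /\A([^=]+)=/;
        my $name = $1;

        # Attribute names are case-insensitive; flags have no value.
        my %attr;
        for my $item (grep { length } @attrs) {
            my ($k, $v) = split /=/, $item, 2;
            $attr{ lc $k } = defined $v ? $v : 1;
        }

        # No Expires and no Max-Age means the browser keeps the cookie in
        # memory only and discards it when it shuts down.
        my $persistent = exists $attr{expires} || exists $attr{'max-age'};
        push @found, {
            name   => $name,
            kind   => $persistent ? 'persistent' : 'session',
            domain => defined $attr{domain} ? $attr{domain} : '(request host)',
            path   => defined $attr{path}   ? $attr{path}   : '(request path)',
        };
    }
    return @found;
}

for my $c (cookies_in($captured)) {
    printf "%-5s %-10s domain=%s path=%s\n",
        $c->{name}, $c->{kind}, $c->{domain}, $c->{path};
}
```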

RE: Apache::Session / No-Cookie-Tracking

2001-05-25 Thread Joe Breeden

You may also want to store a hidden field in every form with a sessionid that
is generated by you. Depending on how unique the number needs to be, we use
either the number generated by mod_unique_id - potentially less reliable -
(a part of the standard apache dist) or generate one with MD5 - generally
more reliable. 

Joe

-Original Message-
From: Jonathan Hilgeman [mailto:[EMAIL PROTECTED]]
Sent: Friday, May 25, 2001 11:51 AM
To: 'Ilya Martynov'
Cc: '[EMAIL PROTECTED]'
Subject: RE: Apache::Session / No-Cookie-Tracking


The feeling of magic only lasts until you know how it's done, and I have
seen the light. 

What happens is that they use a per-session cookie, so it doesn't appear in
my temp folder. But, if per-session cookies are disabled, then it relies on
the IP address. I guess that is better than just one method, but I think I
may use the same method, but base the no-cookie method on both IP address
AND HTTP_USER_AGENT to try to make things more unique. 

Jonathan

-Original Message-
From: Ilya Martynov [mailto:[EMAIL PROTECTED]]
Sent: Friday, May 25, 2001 9:35 AM
To: Jonathan Hilgeman
Subject: Re: Apache::Session / No-Cookie-Tracking



JH> Sure - I believe in magic, depending on your definition of it. I KNOW
JH> there's a 4th method, because I've seen it work. There is an e-commerce web
JH> site which uses an outside cart programmed in CGI (Perl?). The original web
JH> site passes no identifying marks such as the session ID through the URL or
JH> through the form's submit button to add an item to the cart. I know, because
JH> I designed and created the web site.

JH> [..skip..]

Interesting. If you will say me url of your web site where you are
using this outside cart probably I'll find how they do tracking.

-- 
 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
| Ilya Martynov (http://martynov.org/)|
| GnuPG 1024D/323BDEE6 D7F7 561E 4C1D 8A15 8E80  E4AE BE1A 53EB 323B DEE6 |
| AGAVA Software Company (http://www.agava.com/)  |
 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-



RE: Apache::Session / No-Cookie-Tracking

2001-05-25 Thread Joe Breeden

Seems like the site in question is using either a hidden form element or a
session cookie. I'm guessing that with the session being only valid as long
as the browser window is open a session cookie is being used. The reason you
don't see this in the Cookie directory for your particular browser is that
these cookies are stored in the memory - they are not to be saved after the
browser session  is over. I hope that helps. 

Joe Breeden

--
Sent from my Outlook 2000 Wired Deskheld (www.microsoft.com)


-Original Message-
From: Jonathan Hilgeman [mailto:[EMAIL PROTECTED]]
Sent: Friday, May 25, 2001 11:29 AM
To: '[EMAIL PROTECTED]'
Subject: FW: Apache::Session / No-Cookie-Tracking


Sure - I believe in magic, depending on your definition of it. I KNOW
there's a 4th method, because I've seen it work. There is an e-commerce web
site which uses an outside cart programmed in CGI (Perl?). The original web
site passes no identifying marks such as the session ID through the URL or
through the form's submit button to add an item to the cart. I know, because
I designed and created the web site. 

However, when the visitors hit the submit button, they are taken to another
program/website containing their shopping basket filled with their items. I
have figured out that it relies somewhat on the IP address, but not
completely, because I have tested it behind the firewall and the other
computer behind the firewall with me does not share the same basket. 

Once I am at that screen (viewing the contents of my cart on the program),
there are other links which contain a session ID of sorts carried via the
URL. The thing that is driving my head crazy is how they identify the user
in the first place to create the links with the session ID.

I accidentally caught them during testing or something and got a variable on
the URL line. (I substituted the domain name - it's not really cart.com)
http://www.cart.com/cgi-bin/cart.cgi?cartidnum=208.144.33.190T990806951R5848E

cartidnum seems to be:
$IP-Address + "T" + Unix-TimeStamp + "R" + Unknown number + "E"

By the way, the session only seems to be active until the browser completely
shuts down. Any ideas? If I could identify my users on another site without
using cookies at all, that would be fantastic!

Jonathan

-Original Message-
From: Ilya Martynov [mailto:[EMAIL PROTECTED]]
Sent: Friday, May 25, 2001 9:02 AM
To: Jonathan Hilgeman
Cc: '[EMAIL PROTECTED]'
Subject: Re: Apache::Session / No-Cookie-Tracking



JH> I want to be able to track visitors without the use of cookies.
JH> I don't want to rely on IP address, because people behind proxies and
JH> firewalls seem to have the same IP address. 
JH> I don't want to rely on a session ID variable being always present in the
JH> URL, in case the window gets closed or changed.
JH> Now, two questions:

JH> 1) Will Apache::Session provide an environment variable like
JH> HTTP_USER_AGENT that will contain an identifier that will always
JH> be consistent for that specific user, despite proxies and
JH> firewalls, and despite the changing/closing of windows?

JH> 2) If not, does anyone know of a good way to do this?

Do you believe in magic? :)

The only way to track visitors is either:

1) use cookies

2) use session ID variable in URI and/or hidden field with session ID
   in forms

3) use IPs (which is bad because it is completely broken approach)

4) use HTTP authorization (which is not always convenient because
   requires user registration)

Apache::Session can only create persistent storage of session
data. Each session data identified by some session ID. This ID should
be taken from somewhere (see above).

-- 
 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
| Ilya Martynov (http://martynov.org/)|
| GnuPG 1024D/323BDEE6 D7F7 561E 4C1D 8A15 8E80  E4AE BE1A 53EB 323B DEE6 |
| AGAVA Software Company (http://www.agava.com/)  |
 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-



RE: Apache::Session / No-Cookie-Tracking

2001-05-25 Thread Joe Breeden


use Apache::MindReader;

my $future = Apache::MindReader->new( no_mistakes => 1 );

$future->read_mind( no_info_whatsoever => 1 );

my $reliable_unknown_id = $future->track_user();

die "Could not figure out user without knowing one single piece of
information about them.  Weird\n" unless ( $reliable_unknown_id );

(Of course your mileage may vary)

(For entertainment purposes only)


Wink. Wink. Nudge. Nudge.

Joe Breeden

-Original Message-
From: Ilya Martynov [mailto:[EMAIL PROTECTED]]
Sent: Friday, May 25, 2001 11:02 AM
To: Jonathan Hilgeman
Cc: '[EMAIL PROTECTED]'
Subject: Re: Apache::Session / No-Cookie-Tracking



JH> I want to be able to track visitors without the use of cookies.
JH> I don't want to rely on IP address, because people behind proxies and
JH> firewalls seem to have the same IP address. 
JH> I don't want to rely on a session ID variable being always present in the
JH> URL, in case the window gets closed or changed.
JH> Now, two questions:

JH> 1) Will Apache::Session provide an environment variable like
JH> HTTP_USER_AGENT that will contain an identifier that will always
JH> be consistent for that specific user, despite proxies and
JH> firewalls, and despite the changing/closing of windows?

JH> 2) If not, does anyone know of a good way to do this?

Do you believe in magic? :)

The only way to track visitors is either:

1) use cookies

2) use session ID variable in URI and/or hidden field with session ID
   in forms

3) use IPs (which is bad because it is completely broken approach)

4) use HTTP authorization (which is not always convenient because
   requires user registration)

Apache::Session can only create persistent storage of session
data. Each session data identified by some session ID. This ID should
be taken from somewhere (see above).

-- 
 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
| Ilya Martynov (http://martynov.org/)|
| GnuPG 1024D/323BDEE6 D7F7 561E 4C1D 8A15 8E80  E4AE BE1A 53EB 323B DEE6 |
| AGAVA Software Company (http://www.agava.com/)  |
 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-



RE: Apache::Session / No-Cookie-Tracking

2001-05-25 Thread Jonathan Hilgeman

The feeling of magic only lasts until you know how it's done, and I have
seen the light. 

What happens is that they use a per-session cookie, so it doesn't appear in
my temp folder. But, if per-session cookies are disabled, then it relies on
the IP address. I guess that is better than just one method, but I think I
may use the same method, but base the no-cookie method on both IP address
AND HTTP_USER_AGENT to try to make things more unique. 

Jonathan

-Original Message-
From: Ilya Martynov [mailto:[EMAIL PROTECTED]]
Sent: Friday, May 25, 2001 9:35 AM
To: Jonathan Hilgeman
Subject: Re: Apache::Session / No-Cookie-Tracking



JH> Sure - I believe in magic, depending on your definition of it. I KNOW
JH> there's a 4th method, because I've seen it work. There is an e-commerce web
JH> site which uses an outside cart programmed in CGI (Perl?). The original web
JH> site passes no identifying marks such as the session ID through the URL or
JH> through the form's submit button to add an item to the cart. I know, because
JH> I designed and created the web site.

JH> [..skip..]

Interesting. If you will say me url of your web site where you are
using this outside cart probably I'll find how they do tracking.

-- 
 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
| Ilya Martynov (http://martynov.org/)|
| GnuPG 1024D/323BDEE6 D7F7 561E 4C1D 8A15 8E80  E4AE BE1A 53EB 323B DEE6 |
| AGAVA Software Company (http://www.agava.com/)  |
 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-



Re: FW: Apache::Session / No-Cookie-Tracking

2001-05-25 Thread James G Smith

Jonathan Hilgeman <[EMAIL PROTECTED]> wrote:
[snip]
>I accidentally caught them during testing or something and got a variable on
>the URL line. (I substituted the domain name - it's not really cart.com)
>http://www.cart.com/cgi-bin/cart.cgi?cartidnum=208.144.33.190T990806951R5848E
>
>cartidnum seems to be:
>$IP-Address + "T" + Unix-TimeStamp + "R" + Unknown number + "E"
>
>By the way, the session only seems to be active until the browser completely
>shuts down. Any ideas? If I could identify my users on another site without
>using cookies at all, that would be fantastic!

Be careful with using too much magic.

I recently tested/evaluated a product to provide a web interface for email.  
It appears that it uses a combination IP address and URL to track 
authenticated users.  For example, if I authenticated as foo from 192.168.0.4, 
then as long as I was coming from 192.168.0.4, I could read foo's email, even 
if I was someone else logged into the machine.  The proper URL would be of the 
form http://192.168.0.10/foo (if 192.168.0.10 were the server).

While it is nice to assume one person per IP address, there are many cases 
when this is not true.  In the product I evaluated, guessing the proper URL to 
read someone else's email was trivial.  Going through an SSL proxy didn't mask 
the behavior, just required the use of openssl's client.

In the example you give, the timestamp and unknown number may make it more 
difficult to guess the proper information.  This is a good thing.

Without some information passing between the client and server that is only 
known to them, it is too easy to spoof the client and access a session 
unauthorized.  There is also no way to distinguish two clients on the same 
machine, especially if they are the same application.
-- 
James Smith <[EMAIL PROTECTED]>, 979-862-3725
Texas A&M CIS Operating Systems Group, Unix
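
The points made in this thread about identifiers built from the IP address and User-Agent, and about the need for a value known only to client and server, as an added example that is not part of the original messages. The sample requests, the one-hour window, the assumption that the R field is random, and all helper names are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example (not from the thread): derived identifiers vs. a random token.
use strict;
use warnings;
use Digest::SHA qw(sha256_hex hmac_sha256_hex);

# Split the cartidnum quoted in the thread into its visible fields.
sub parse_cartidnum {
    my ($value) = @_;
    return unless $value =~ /\A(\d{1,3}(?:\.\d{1,3}){3})T(\d+)R(\d+)E\z/;
    return { ip => $1, time => $2, rnd => $3 };
}

# Bits an observer who already knows the client address still has to guess.
# Assumptions: timestamp known to within $window seconds, and the R field is
# a uniformly random decimal number of the length seen in the sample.
sub guess_bits {
    my ($id, $window) = @_;
    return log($window * 10 ** length($id->{rnd})) / log(2);
}

# Identifier built only from request properties (IP address + User-Agent).
sub derived_id {
    my ($req) = @_;
    return sha256_hex(join "\0", $req->{ip}, $req->{ua});
}

# 128 bits from the kernel CSPRNG, hex encoded (assumes /dev/urandom exists).
sub random_id {
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    my $buf = '';
    my $got = read($fh, $buf, 16);
    close $fh;
    die "short read from /dev/urandom\n" unless defined $got && $got == 16;
    return unpack 'H*', $buf;
}

# Token for a cookie, URL or hidden field: random id plus an HMAC so the
# server can reject altered or made-up values before any session lookup.
sub issue_token {
    my ($key) = @_;
    my $id = random_id();
    return $id . '.' . hmac_sha256_hex($id, $key);
}

# Returns the session id for a valid token, undef otherwise.
sub verify_token {
    my ($token, $key) = @_;
    return undef unless defined $token
        && $token =~ /\A([0-9a-f]{32})\.([0-9a-f]{64})\z/;
    my ($id, $mac) = ($1, $2);
    my $expect = hmac_sha256_hex($id, $key);
    my $diff = 0;    # compare every character, no early exit
    $diff |= ord(substr($mac, $_, 1)) ^ ord(substr($expect, $_, 1)) for 0 .. 63;
    return $diff == 0 ? $id : undef;
}

my $cart = parse_cartidnum('208.144.33.190T990806951R5848E')
    or die "unexpected cartidnum format\n";
printf "cartidnum: ip=%s time=%s rnd=%s\n", @{$cart}{qw(ip time rnd)};
printf "bits left to guess with a one-hour window: %.1f\n", guess_bits($cart, 3600);

# Constructed requests: two people behind one proxy address, same browser
# build (address taken from the RFC 5737 documentation range).
my $ua = 'Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)';
my @requests = (
    { who => 'alice', ip => '203.0.113.7', ua => $ua },
    { who => 'bob',   ip => '203.0.113.7', ua => $ua },
);
printf "%-5s derived id %s\n", $_->{who}, substr(derived_id($_), 0, 16)
    for @requests;
print "derived ids collide: ",
    (derived_id($requests[0]) eq derived_id($requests[1]) ? "yes" : "no"), "\n";

my $key   = random_id();          # stand-in for a secret kept on the server
my $token = issue_token($key);
my $bad   = ($token =~ /\A0/ ? '1' : '0') . substr($token, 1);
print "issued token verifies: ",
    (defined verify_token($token, $key) ? "yes" : "no"), "\n";
print "altered token verifies: ",
    (defined verify_token($bad, $key) ? "yes" : "no"), "\n";
```

Under the stated assumptions the cartidnum leaves about 25 bits to guess, against 128 bits for the random id, and the two constructed users behind one address receive the same derived identifier.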





Re: Apache::Session / No-Cookie-Tracking

2001-05-25 Thread Perrin Harkins

> Sure - I believe in magic, depending on your definition of it. I KNOW
> there's a 4th method, because I've seen it work. There is an e-commerce web
> site which uses an outside cart programmed in CGI (Perl?). The original web
> site passes no identifying marks such as the session ID through the URL or
> through the form's submit button to add an item to the cart. I know, because
> I designed and created the web site.
>
> However, when the visitors hit the submit button, they are taken to another
> program/website containing their shopping basket filled with their items. I
> have figured out that it relies somewhat on the IP address, but not
> completely, because I have tested it behind the firewall and the other
> computer behind the firewall with me does not share the same basket.
>
> Once I am at that screen (viewing the contents of my cart on the program),
> there are other links which contain a session ID of sorts carried via the
> URL. The thing that is driving my head crazy is how they identify the user
> in the first place to create the links with the session ID.
>
> I accidentally caught them during testing or something and got a variable on
> the URL line. (I substituted the domain name - it's not really cart.com)
> http://www.cart.com/cgi-bin/cart.cgi?cartidnum=208.144.33.190T990806951R5848E
>
> cartidnum seems to be:
> $IP-Address + "T" + Unix-TimeStamp + "R" + Unknown number + "E"
>
> By the way, the session only seems to be active until the browser completely
> shuts down. Any ideas?

Sure sounds like a cookie to me.  What makes you think it isn't one?  Or
else they just don't care who you are until you hit the shopping cart, and
then they keep your identity with URLs and hidden form fields.
- Perrin




FW: Apache::Session / No-Cookie-Tracking

2001-05-25 Thread Jonathan Hilgeman

Sure - I believe in magic, depending on your definition of it. I KNOW
there's a 4th method, because I've seen it work. There is an e-commerce web
site which uses an outside cart programmed in CGI (Perl?). The original web
site passes no identifying marks such as the session ID through the URL or
through the form's submit button to add an item to the cart. I know, because
I designed and created the web site. 

However, when the visitors hit the submit button, they are taken to another
program/website containing their shopping basket filled with their items. I
have figured out that it relies somewhat on the IP address, but not
completely, because I have tested it behind the firewall and the other
computer behind the firewall with me does not share the same basket. 

Once I am at that screen (viewing the contents of my cart on the program),
there are other links which contain a session ID of sorts carried via the
URL. The thing that is driving my head crazy is how they identify the user
in the first place to create the links with the session ID.

I accidentally caught them during testing or something and got a variable on
the URL line. (I substituted the domain name - it's not really cart.com)
http://www.cart.com/cgi-bin/cart.cgi?cartidnum=208.144.33.190T990806951R5848E

cartidnum seems to be:
$IP-Address + "T" + Unix-TimeStamp + "R" + Unknown number + "E"

By the way, the session only seems to be active until the browser completely
shuts down. Any ideas? If I could identify my users on another site without
using cookies at all, that would be fantastic!

Jonathan

-Original Message-
From: Ilya Martynov [mailto:[EMAIL PROTECTED]]
Sent: Friday, May 25, 2001 9:02 AM
To: Jonathan Hilgeman
Cc: '[EMAIL PROTECTED]'
Subject: Re: Apache::Session / No-Cookie-Tracking



JH> I want to be able to track visitors without the use of cookies.
JH> I don't want to rely on IP address, because people behind proxies and
JH> firewalls seem to have the same IP address. 
JH> I don't want to rely on a session ID variable being always present in the
JH> URL, in case the window gets closed or changed.
JH> Now, two questions:

JH> 1) Will Apache::Session provide an environment variable like
JH> HTTP_USER_AGENT that will contain an identifier that will always
JH> be consistent for that specific user, despite proxies and
JH> firewalls, and despite the changing/closing of windows?

JH> 2) If not, does anyone know of a good way to do this?

Do you believe in magic? :)

The only way to track visitors is either:

1) use cookies

2) use session ID variable in URI and/or hidden field with session ID
   in forms

3) use IPs (which is bad because it is completely broken approach)

4) use HTTP authorization (which is not always convenient because
   requires user registration)

Apache::Session can only create persistent storage of session
data. Each session data identified by some session ID. This ID should
be taken from somewhere (see above).

-- 
 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
| Ilya Martynov (http://martynov.org/)|
| GnuPG 1024D/323BDEE6 D7F7 561E 4C1D 8A15 8E80  E4AE BE1A 53EB 323B DEE6 |
| AGAVA Software Company (http://www.agava.com/)  |
 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-



Re: Apache::Session / No-Cookie-Tracking

2001-05-25 Thread Ilya Martynov


JH> I want to be able to track visitors without the use of cookies.
JH> I don't want to rely on IP address, because people behind proxies and
JH> firewalls seem to have the same IP address. 
JH> I don't want to rely on a session ID variable being always present in the
JH> URL, in case the window gets closed or changed.
JH> Now, two questions:

JH> 1) Will Apache::Session provide an environment variable like
JH> HTTP_USER_AGENT that will contain an identifier that will always
JH> be consistent for that specific user, despite proxies and
JH> firewalls, and despite the changing/closing of windows?

JH> 2) If not, does anyone know of a good way to do this?

Do you believe in magic? :)

The only way to track visitors is either:

1) use cookies

2) use session ID variable in URI and/or hidden field with session ID
   in forms

3) use IPs (which is bad because it is completely broken approach)

4) use HTTP authorization (which is not always convenient because
   requires user registration)

Apache::Session can only create persistent storage of session
data. Each session data identified by some session ID. This ID should
be taken from somewhere (see above).

-- 
 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
| Ilya Martynov (http://martynov.org/)|
| GnuPG 1024D/323BDEE6 D7F7 561E 4C1D 8A15 8E80  E4AE BE1A 53EB 323B DEE6 |
| AGAVA Software Company (http://www.agava.com/)  |
 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-



Apache::Session / No-Cookie-Tracking

2001-05-25 Thread Jonathan Hilgeman

I want to be able to track visitors without the use of cookies.
I don't want to rely on IP address, because people behind proxies and
firewalls seem to have the same IP address. 
I don't want to rely on a session ID variable being always present in the
URL, in case the window gets closed or changed.
Now, two questions:
1) Will Apache::Session provide an environment variable like HTTP_USER_AGENT
that will contain an identifier that will always be consistent for that
specific user, despite proxies and firewalls, and despite the
changing/closing of windows?
2) If not, does anyone know of a good way to do this?

Jonathan