session management methods reviewed

The following material is intended to introduce the reader to the various techniques that developers have used to implement session tracking on the web. The main operational characteristics of each method are mentioned in addition to the shortcomings that have been observed in usage. Additional information on session management can be found by searching the internet.

Initial implementations of session identification relied on cookie data. In this method cookie values unique to each client is assigned by the server and that cookie data is returned by the client with every request without regard to they type of request. While very reliable, the main shortcoming is the number of users who have disabled cookies in their browser configuration.

An alternative to cookies is the addition of a unique variable as a parameter to all links generated for a page. This allows retrieval of the parameter from requests as the user navigates to different pages of the site. The main limitation of this method is the requirement that all pages be dynamically generated by scripts to include unique variables for each session. Additional limitations are that bookmarked pages will carry invalid session variables, backing up from the session initiating page will orphan a session, and search engines have difficulty with multiple copies of identical pages with varying parameters.

In this method, hidden form variables take the place of request parameter variables as the means of identifying unique sessions. The values of the hidden form variables are returned by the client as part of the form request when the submit button is clicked by the user. It also has all the shortcomings of the preceding method. In addition the target of the form submit link cannot be bookmarked and search engines will not follow links that are part of a form.

In this method, each new session is redirected to a unique host name. It requires a wildcard dns entry in the configuration of the dns servers servicing the domain. This creates additional load on the dns servers because the unique host names will be rarely cached by downstream dns servers servicing client networks. As in the preceding two methods, maintaining the session identifiers and avoiding orphaned sessions requires that all pages are created dynamically for each session.

mmm mmm ....
.... good!
iis session management
asp session management
cookieless sessions

copyright © 2003
all rights reserved

design -
hosted by
microsoft platform specialists