Best practices for handling "disable all cookies" while keeping users logged in / carts

StackOverflow https://stackoverflow.com/questions/3798149

Question

How do you handle keeping a user logged in, or updating a cart, when you can't use sessions? Adding the user ID or cartId to hidden input fields feels like a security hole.


Solution

Adding a session-like ID to every form (and every plain link outside forms too, if you want to be able to keep state over browsing) is indeed the way it was traditionally done when you can't use cookies.

It's such a pain to implement parameter-sessions (with ugly /page.php?session=459gj0tv789yn-style links), it breaks caching and users can't copy-and-paste links in case they accidentally share sessions. For these reasons, most sites don't bother with this any more, and simply require cookies.

Another thing you can do is use HTTP Basic Authentication to allow the user to sign into an account, and store all session information on the account. This is a bit less convenient for a shopping cart as you have to require the user to sign in before they put anything in a cart, but in the general case it's a good alternative to cookies.

Other tips

Well, either you have to store the session ID in a cookie or in a query string parameter.

You're right that using a parameter is a security flaw. All someone has to do is share their URL and they've given away their website identity.

Some frameworks, like Rails, don't let you use sessions if cookies aren't available, and personally I think this is an acceptable stance to take if you're serious about security.
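The three ways of carrying identity discussed in the accepted answer and the other tips (a session ID rewritten into every link, a session cookie, and an HTTP Basic Auth account), as an added example that is not from the original post. The query-string name `session`, the request dicts and the account table are constructed for the demo; `shared_link_leaks` shows the flaw both answers point out: whoever opens a copy-pasted URL inherits the session.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

SESSION_PARAM = "session"  # assumed name, mirroring the answer's /page.php?session=...

# Constructed account table for the HTTP Basic Auth variant (hashed passwords).
USERS = {"alice": hashlib.sha256(b"correct horse battery").hexdigest()}


def add_session_to_url(url: str, session_id: str) -> str:
    """Rewrite a link so it carries the session id (the 'parameter session' approach)."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    query[SESSION_PARAM] = [session_id]
    return urlunsplit(parts._replace(query=urlencode(query, doseq=True)))


def basic_header(user: str, password: str) -> str:
    """Build the Authorization header a browser sends for HTTP Basic Auth."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def session_from_request(req: dict):
    """Resolve identity from a constructed request dict {'headers': {...}, 'url': '...'}.

    Preference order: session cookie, then Basic Auth account, then URL parameter.
    Returns (source, identity) or None."""
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    for part in headers.get("cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == SESSION_PARAM and value:
            return ("cookie", value)
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
        digest = hashlib.sha256(password.encode()).hexdigest()
        if user in USERS and hmac.compare_digest(digest, USERS[user]):
            return ("basic-auth", user)  # state lives on the account, not in a token
        return None  # bad credentials: do not fall through to weaker sources
    query = parse_qs(urlsplit(req.get("url", "")).query)
    if query.get(SESSION_PARAM):
        return ("url", query[SESSION_PARAM][0])
    return None


def shared_link_leaks(session_id: str) -> bool:
    """A visitor with no cookies and no credentials who opens a shared link gets the session."""
    link = add_session_to_url("/cart", session_id)
    stranger = {"headers": {}, "url": link}
    return session_from_request(stranger) == ("url", session_id)
```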

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow