Best practices for “disable all cookies” setting and logged in users / carts

Question

How do you handle keeping a user logged in or updating a cart when you can't use sessions? adding the userId or cartId to hidden input fields feels like a security flaw

Answer 1

Adding a session-like ID to every form (and every plain link outside forms too, if you want to be able to keep state over browsing) is indeed the way it was traditionally done when you can't use cookies.

It's such an pain to implement parameter-sessions (with ugly /page.php?session=459gj0tv789yn-style links), it breaks cacheing and users can't copy-and-paste links in case they accidentally share sessions. For these reasons, most sites don't bother with this any more, and simply require cookies.

Another thing you can do is use HTTP Basic Authentication to allow the user to sign into an account, and store all session information on the account. This is a bit less convenient for a shopping cart as you have to require the user to sign in before they put anything in a cart, but in the general case it's a good alternative to cookies.

Answer 2

Well, either you have to store the session ID in a cookie or in a query string parameter.

You're right that using a parameter is a security flaw. All someone has to do is share their URL and they've given away their website identity.

Some frameworks, like Rails, don't let you use sessions if cookies aren't available, and personally I think this is an acceptable stance to take if you're serious about security.