Cookies vs. Sessions .....Need an educated choice

 
DC Dalton
Ranch Hand
Posts: 287
I've been closely watching the posts here about cookies & session tracking in servlets. Now I'm at the point on the site I'm working on where I need to make an educated decision what to do, so I'll ask the most educated people I know...JavaRanch users. My only use for whichever I choose is as a login holder that stores the customer's username, whether they are a paying member & their gender stat. I can do this in a cookie by just concatenating this info as such: usernamePM, where username is username, the P is for paying & M is for Man. Very simple to parse through it & pull out whatever info I need at whatever time I need it. This will be used for accessing their database info in different programs throughout the site. The other thing these values will be used for is security. (Basically every servlet will check the values of the variables in the cookie & determine whether they are allowed to access that servlet or not.) I've seen so much here about session time out problems & other things of this nature that I'm thinking the cookie might be the simpler & possibly the more reliable choice here. When they close the browser the cookie goes away.........Anyone care to comment on what they think is the most logical & most stable choice?
 
SoonAnn Lim
Ranch Hand
Posts: 155
A cookie is easier to implement compared to an Http Session. However, you must agree that some people do not like their machine to be "assaulted" by an untrusted source. So they may deny your cookie. An Http Session will not have this problem and it is easier to handle in a session. Just my opinion.
 
Raveendran Karunakaran
Ranch Hand
Posts: 38
Well, I would rather say it in this way.
I would use more of sessions to have more security, and cookies for the fancy part of remembering a customer when he logs in to the site again. A cookie would be helpful in this way.
While sessions would be useful for having the customer on hold, and thus when he logs in with a particular password then I would check with the session and then allow him to use it accordingly.
Thus sessions are more for security and more for the present than the future.
My humble suggestions.
 
Sean Casey
Ranch Hand
Posts: 625
I think Session would be the safest choice. Some people seem to be paranoid about cookies and tend to disable them, which wouldn't help you at all. I'm not an expert though, that's just my opinion.
 
Mohamed Yousuff
Ranch Hand
Posts: 73

I think Mr. Raveendran gave a perfect reply. He is perfectly right in his statement. I am of his opinion.
 
Mike Curwen
Ranch Hand
Posts: 3695
Well I could be way off base here.... but doesn't using Sessions require the user to have cookies turned on?

The session ID is sent back to the browser on the first request, and is sent as part of every subsequent request. How to store this id, except as a cookie?

The alternative is the "url rewriting" but this (I don't think?) is not implemented by 'default', and the jsp/servlet coder must think to do this.

Am I wrong?
OK, I've just tried it out. Using Tomcat 3.2.2 and IE 5.0 on Windows 2000 SP2, I had my explorer prompt me on every attempt to set a cookie, using the shopping cart example under webapps/examples/jsp/sessions/carts.jsp.
The shopping cart does not work if I reject the cookie. It always shows just one item (the last one selected) in my basket. The first time I accept the cookie, it starts working. Which means the session is busted without cookies, unless I perform URL rewriting.

So as my friend at work is wont to say: "No cookie, no play"

[This message has been edited by Mike Curwen (edited July 03, 2001).]
 
DC Dalton
Ranch Hand
Posts: 287
I can see all of your points here but I figured it was such a simple amount of info I was trying to keep track of that a cookie might just do it. Since we have just been shown that cookies need to be enabled to use sessions, the argument of disabling cookies seems to fly right out the window. If each servlet checks for the cookie & gives an error message if it is not found I think that is rather hack proof. I've never heard of anyone being able to fake a cookie to get past something like this.......Or am I wrong there? The cookies I'm setting will be deleted the minute they close the browser anyways. Also since the whole site is servlets there really is no way to view any page within the site if the cookie is missing.......I'm still not sure but I think I may be swinging over to the cookie side.
 
DC Dalton
Ranch Hand
Posts: 287
Yeah Mike, you're absolutely right about cookies being disabled screwing up sessions. I tried it today. (BTW....ignore the last post, I went with sessions...just fickle I guess.) Indeed if the user disables non-persistent cookies the session will not work! Persistent cookies being disabled obviously has no effect. Very good point there Mike & one that I don't think a lot of new programmers would know! I'll have to remember that for school. 2 points!
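
The question the thread turns on, whether a servlet can trust a usernamePM cookie for access checks, as an added example that is not part of any post above. It sets the cookie-as-data design beside a server-side store of the kind HttpSession provides, where the browser holds only a random id. The class and method names, the 'N' flag for a non-paying member and the user "alice" are assumptions made for the illustration.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Added illustration; class and method names are hypothetical, not from the thread.
public class LoginStateDemo {
    record Login(String username, boolean paying, char gender) {}

    // Design 1: the cookie value itself is username + P/N + M/F, as in the first post.
    // Every character comes back from the browser, so the access check is made on
    // client-supplied input. ('N' is an assumption; the post only defines P and M.)
    static Login fromCookieValue(String v) {
        int n = v.length();
        return new Login(v.substring(0, n - 2), v.charAt(n - 2) == 'P', v.charAt(n - 1));
    }

    // Design 2: the login state stays on the server and the cookie carries only a
    // random id. This is the job HttpSession does inside a servlet container.
    static final Map<String, Login> SESSIONS = new ConcurrentHashMap<>();
    static final SecureRandom RNG = new SecureRandom();

    static String login(String username, boolean paying, char gender) {
        byte[] raw = new byte[16];                      // 128-bit unguessable id
        RNG.nextBytes(raw);
        String id = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        SESSIONS.put(id, new Login(username, paying, gender));
        return id;                                      // the only value the browser sees
    }

    static Login fromSessionId(String id) {
        return id == null ? null : SESSIONS.get(id);    // null means "not logged in"
    }

    public static void main(String[] args) {
        // Constructed sample: alice is a non-paying member.
        String sent = "aliceNM";                        // value the server set
        String returned = "alicePM";                    // same cookie after a one-character edit
        System.out.println("cookie as sent:     " + fromCookieValue(sent));
        System.out.println("cookie as returned: " + fromCookieValue(returned));

        // With server-side state the paying flag is never read from the request,
        // and an altered id simply matches no stored login.
        String id = login("alice", false, 'M');
        System.out.println("valid session id:   " + fromSessionId(id));
        System.out.println("altered session id: " + fromSessionId(id + "x"));
    }
}
```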
 