DOWNLOAD THE CODE:
Download the Code 93529.zip

Besides using the session manager for managing Web sessions, you can use it to assign pseudo values to items such as product codes. This way, even though the values are passed in plain sight, they mean little to users.This usage involves the use and frequent replacement of nonsequential GUIDs, which I'll discuss shortly.

How to Use the Web Session
To use the new session manager, you need to pass the GUID on every page.To do this, append the GUID to the URL string when the next page is called in code: 

<!DOCTYPE HTML PUBLIC
  "-//W3C//DTD HTML 4.01
  Transitional//EN"
 <html>
 <body>
 <a href="page2.asp?
  <%=guid%>">Click her
  e to go to next page</a>
 </body>
 </html>

If you don't pass the GUID as a URL parameter on every page, the values you've stored in the Sessvars table will be stranded from the user's session.

The URL method adds a little bit of overhead to your coding because you need to be disciplined about reading and passing the values on every page. However, you can use an include file for this purpose and even add it to your Web template.To do this, you package the code in a separate file, then use the #include directive at the top of the page's code to include the file. Using the HTML example just given, your page's code would look like the following: 

<!--#include virtual
  file="/scripts/
  sess_mgr.asp" -->
 <!DOCTYPE HTML PUBLIC
  "-//W3C//DTD HTML 4.01
  Transitional//EN"
 <html>
 <body>
 <a href="page2.asp?
  <%=guid%>">Click here
  to go to next page</a>
 </body>
 </html>

In this example, the #include directive tells the compiler to execute the code contained in the sess_mgr.asp file before rendering the page.You should note that the SQL Server 2000 newid() function doesn't generate sequentially ordered GUIDs, so you can't use the GUID itself to determine when a value was added or changed. This benefits our security scheme. However, in SQL Server 2005, you'll find a new GUID function named newsequentialid() that does, as its name implies, generate sequentially ordered GUIDs. The downside to sequentially ordered GUIDs is that it's possible to guess the next GUID if you know the sequence. For this example, you should continue to use newid() in SQL Server 2005, which is still supported.

You'll find it becomes second nature to use the session manager on every page, especially when you derive the concomitant benefit of tracking user-specific inputs that will let you customize the user's interaction with your Web site during the session. Keep in mind that the Sessvars table could quickly grow to an unwieldy size unless managed, so you'll need to set up a job to routinely delete old entries. For example, to delete entries more than 12 hours old, use this stored procedure: 

CREATE PROCEDURE del_sessvars
AS
DELETE FROM sessvars 
WHERE DateDiff(hh,SVar_Date,Get
  Date()) >= 12

If you have a high-volume site, run this stored procedure frequently, perhaps even once per hour.You might also want to use a value less than 12 hours.This will keep the Sessvars table small and efficient, so it produces no drag on your page views. Also be sure to index the GUID column, as this column gets used every time the Sessvars table is queried or updated.

Don't Assume Your System Is Secure
The session manager involves the use and frequent replacement of nonsequential GUIDs. However, even with this method, your security might still be at risk. For example, if you use dynamic SQL instead of stored procedures, you're providing a road map for potential hackers, whether human or disguised as Internet bots. Admittedly, it takes an extra step to write the stored procedure that deletes old entries, but the extra security makes it worth doing. Don't blithely assume yourWeb site code and database calls are secure. Also, be sure you've taken steps to secure your SQL Server database from escalation and SQL-injection attacks.

Cookies Crumble, Web Sessions Persist
The overall advantage of passing URL strings is to persist a Web session indefinitely. If the user opens your page on Monday, leaves the browser open, then leaves town and comes back on Friday,the"session"will still be active. This is because it isn't really a session at all,but a SQL Server database alternative for keeping track of users as they navigate from page to page, without cookies and without encountering a session timeout.

End of Article

Prev. page     1 [2]     next page -->



You must log on before posting a comment.

If you don't have a username & password, please register now.

Reader Comments

Excellent article! I will try to implement this on our site.

bershi- December 05, 2006

Article Rating 5 out of 5

----- Original Message ----- From: Carsten Cumbrowski Subject: SQL Mag Article 12/2006 - Cookie-Less Session Manager

Hello Susan, I saw your Cookie-Less Session Manager Article in SQL Magazine 12/2006. I developed myself various enterprise ecommerce solutions and the shopping cart basically works similar how you described it in the article. I usually generate the ID a bit different, but that is not the reason why I am writing you. I also happen to be an Internet Marketer who knows quite a bit about well, marketing a website on the internet. One important aspect of internet marketing are search engines. Even the big brands can not ignore the importance of being visible there, not only in the sponsored results via Pay-Per-Click Ads, but also in the organic listings. If a developer implements your cookie-less solution into a e-commerce solution, then can the merchant who is using it prepare himself to pay a very high bill to a Search Engine Optimization Company and the Web Development Company again. The merchants often realize the issue very late in the game once they got the idea to setup some web analytics and notice that their search engine traffic is very low or in some cases even non-existent. The Cookie-Less session passed in the url would be especially a problem if you assign the Idea to every visitor who is browsing the site without even having something added to the shopping cart. You only end of with minor problems if the catalog can be browsed without having a session variable passed along in the URL and only gets created and passed along once the user adds a product to his shopping cart. If every visitor gets right away a session ID then you are risking to get a major "Duplicate Content" issue with some or all search engines. search engines try to work around those sessions and detect them, but their detection does not always work properly. The value in the URL other issues too which I will not elaborate further at this point. Also from a security point of view do I see issues with it. Your check of the IP and User Agent is not fail-safe and gets more of an potential issue the larger the site is and the higher the traffic. High traffic websites have a lot of hits from different people with the same IP (proxy) and same user agent (there are not very much variations out there). Regardless if they do or not is it something you should avoid as much as you can to not put yourself into the position that you need to add a lot of code just that search engines will be able to crawl a site properly. There are different options available, but none is simple or cheap. It could also happen (worst case) that a change of code will not do any good anymore, because of a permanent penalty or ban of the domain by search engines. It can take a lot of time and efforts to get the penalties removed and the site re-crawled again. You can find more resources to the issue of "duplicate content" here http://www.cumbrowski.com/CarstenC/seo_duplicate_content_issues.asp The resources go far beyond sessions passed in URLs, but is one of the most common ones that causes problems for webmasters. Learning about the problem in general does not hurt anyway, because other mistakes in site design can create the same effect as well. I hope this makes sense to you. If you have any questions, let me know. Merry Christmas!

DianaMay- December 27, 2006

Article Rating 5 out of 5

Sent: Wednesday, December 27, 2006 8:05 AM Subject: Re: SQL Mag Article 12/2006 - Cookie-Less Session Manager

Hi Carsten, Thanks for taking the time to write. The concepts presented in the article would apply to areas of a site that require user tracking, which can vary significantly depending upon the application. There are trade offs with every method. Developers must weigh the advantages and disadvantages of each. You are correct that a check of the IP and User Agent is not failsafe, because it is not unique, but I consider it a good method for small to midsize operations, which comprise the majority of websites. Assuming you expire the IP / User Agent pair frequently, the statistical chances of duplication for the average site ~ at a given point in time ~ are extremely minimal unles you are Google or Amazon. In that event you have a $1M annual budget for web development with the flexibility to redirect for every contingency. As to organic listings, in my opinion these are getting less and less reliable as search engines rely on paid clicks to drive their stock prices. Paid advertising is becoming de rigeur for most operations and should be factored as a cost of doing business. We have successfully driven traffic to our customers' sites using a very small advertising budget. In any event, I very much appreciate your feedback on the article. Have a Happy New Year. Regards, Susan

DianaMay- December 27, 2006

Article Rating 5 out of 5

Internet Marketing is obviously not one of your expertise's or you know exactly what I am talking about and have some stakes in a Paid-Search Marketing Agency. Session IDs passed in the URL create issues for search engines. They try to determine them and try to filter them out, but that does not always work and sometimes stop SE simply to index your site if they decide that it is not worth the hassle to figure out the "mess" created by changing urls that return an exact duplicate of another page with a "different" url. I have not even started to talk about other problems because of this, because they all do not matter if your site is virtually not existent in the Search Index. The problem described does not just affect the Amazons (who is optimized btw. and modified to prevent duplicates from being indexed, but to explain what they did is beyond this issue here). Any Site that is Database driven (dynamic content) is affected. Developers ignoring this will not make friends with the marketing department and execs or owners once they find out why their website is nowhere to be found in the organic or free results of the search engines where 80+% of the users still decide to click through. I can only suggest to anybody to be very careful with the implementation of this solution as is without doing some quick research on Search Engine Optimization (SEO) Basics or your company might has to pay a hefty price tag afterwards to "fix" the problems you, the developer, created.

cumbrowski- January 01, 2007

Article Rating 2 out of 5

Hello Susan, I tested de code in listing 7 and I think that I found a little mistake. When GUID exists, code in listing 7 call gen_new_guid() (line 21) function again, I suppose that in this line the correct function is upd_guid(). I am correct ?

jcarvalhojr- January 10, 2007

Article Rating 5 out of 5

 
 

ADS BY GOOGLE