November 20, 2006 12:00 AM

Cookies Crumbling?

Track users and foil intruders with this cookie-less session manager

SQL Server Pro

InstantDoc ID #93529

Downloads
93529.zip

Managing user sessions across Web farms and platforms continues to be one of the paramount challenges in developing high-availability Web sites.As I explored in "A Recipe for Replacing SessionVariables" (March 2006, InstantDoc ID 49114), using cookies in combination with SQL Server stored procedures and a globally unique identifier (GUID) generator is one way to propagate sessions seamlessly across platforms without the need for resource-intensive session variables. But some users have become distrustful of cookies, and Web developers can make no assumptions about the availability of user cookies to manage Web sessions.

You can still achieve a persistent state without cookies by using SQL Server stored procedures, a GUID generator, and URL parameters. Some developers avoid URL parameters because they're visibly passed from page to page. Instead, they prefer to pass values using hidden fields. Either way, the results aren't secure. Passing any information is a potential security risk. Therefore, the values passed from page to page should be as obscure as possible. I like to use GUIDs because they don't really reveal anything useful to potential hackers but still let the session persist as long as necessary. I'll walk you through the techniques I use to set up a SQL Server-based cookie-less session manager. I'll also discuss how the session manager works and ways to use it.

How to Create a Cookie-less Web Session
Creating a SQL Server-based cookie-less session manager is easy. Here's the four-step process I use:

Step 1: Set up the GUID generator in SQL Server. For this example, I'm using the built-in GUID generator that ships with SQL Server, which is a simple function call named newid(). Keep in mind that uniqueness is guaranteed only on the host machine. However, because I'm setting it up so one database server is managing sessions, this is perfectly suitable for my application. I start by writing a simple stored procedure that generates a new GUID, as you can see in Listing 1.

It's logical to use GUIDs. These are unique, nonsequential values that have no meaning to users but can be tracked in the database just like a user ID. For simplicity, in this example I use the rightmost 12 characters of the 36-character output of the newid() function. If you have a very busy site, you'll probably want to use the entire value, but keep in mind that long values take longer to index. A shorter value improves indexing performance but might not provide sufficient uniqueness for your application.

Step 2: Test the GUID generator. To test the stored procedure, I use an Active Server Pages (ASP) page. Listing 2 shows this page's test code inVBScript. (Web Listing 1 shows a Visual Basic version of this code at http://www.sqlmag.com, InstantDoc ID 93529.) This code opens the connection to the SQL database, then executes the stored procedure that generates the GUID value used to track the user's activity.

In a Web browser, the output from this page will look something like this:

7ED986BFB37C

Every time the page is loaded, a new value is produced.The newid() function is native to SQL Server and calling it from a precompiled stored procedure adds very little overhead compared to ASP session variables, which consume considerable amounts of server memory.

Step 3: Set up Sessvars table and stored procedures. Next, I create a SQL Server table called Sessvars to store the GUID and my first two session variables. Listing 3 contains the code that creates this table.

After creating the Sessvars table, I need a few stored procedures to update it at various points in my application. The first stored procedure, which Listing 4 shows, appends the GUID that's generated on the first visit to the Web page to the new Sessvars table. This GUID becomes the seed value for subsequent pages. The second stored procedure, which Listing 5 shows, swaps the seed value with another GUID. The purpose of the swap is to keep refreshing the URL string with a new value, thus making it very difficult for a Web user to extrapolate the scheme. The third stored procedure, which Listing 6 shows, selects the latest GUID from the Sessvars table based on the last value used.

Step 4: Create the session manager ASP page. Finally, I combine all these elements to create a functional ASP session manager, as Listing 7 shows. In this code, I use only one connection to the SQL database per page load. Making the first connection to the database is usually the slowest operation in the application. Therefore, I reuse this connection instead of opening a new connection for every call to the database. Closing the connection at the conclusion of the page doesn't immediately close the physical connection, but because I don't know when the user's session will expire, it's important to clean up so that the connection can be properly released when the application goes out of scope.

How the Session Manager Works
The session manager starts by generating a new GUID when a new user visits a page on yourWeb site.The GUID becomes the user's temporary ID.This value is then transmitted to every subsequent Web page as a URL parameter. You can store it in the Sessvars table, then use it when needed to look up additional values, such as the last page visited, the product number just added to a shopping cart, or any number of other user-related data items you want to persist across the session.

For additional security, the session manager generates a new GUID every time a new page is loaded. By frequently replacing the GUID values in the Sessvars table, you'll keep hackers guessing. A hacker would need to actively monitor your site in real time and somehow guess both the database schema and how the GUID could be used against it. By the time this would happen, the GUID would be already replaced with the next value or expired with the session, rendering it useless to any would-be intruders.

First
Previous
1
2
Next
Last

Related Content:

ARTICLE TOOLS

Jose

5 years ago
Jan 10, 2007

Hello Susan, I tested de code in listing 7 and I think that I found a little mistake. When GUID exists, code in listing 7 call gen_new_guid() (line 21) function again, I suppose that in this line the correct function is upd_guid(). I am correct ?
CARSTEN

5 years ago
Jan 01, 2007

Internet Marketing is obviously not one of your expertise's or you know exactly what I am talking about and have some stakes in a Paid-Search Marketing Agency. Session IDs passed in the URL create issues for search engines. They try to determine them and try to filter them out, but that does not always work and sometimes stop SE simply to index your site if they decide that it is not worth the hassle to figure out the "mess" created by changing urls that return an exact duplicate of another page with a "different" url. I have not even started to talk about other problems because of this, because they all do not matter if your site is virtually not existent in the Search Index. The problem described does not just affect the Amazons (who is optimized btw. and modified to prevent duplicates from being indexed, but to explain what they did is beyond this issue here). Any Site that is Database driven (dynamic content) is affected. Developers ignoring this will not make friends with the marketing department and execs or owners once they find out why their website is nowhere to be found in the organic or free results of the search engines where 80+% of the users still decide to click through. I can only suggest to anybody to be very careful with the implementation of this solution as is without doing some quick research on Search Engine Optimization (SEO) Basics or your company might has to pay a hefty price tag afterwards to "fix" the problems you, the developer, created.
Diana

6 years ago
Dec 27, 2006

Sent: Wednesday, December 27, 2006 8:05 AM
Subject: Re: SQL Mag Article 12/2006 - Cookie-Less Session Manager

Hi Carsten,

Thanks for taking the time to write. The concepts presented in the article would apply to areas of a site that require user tracking, which can vary significantly depending upon the application.

There are trade offs with every method. Developers must weigh the advantages and disadvantages of each. You are correct that a check of the IP and User Agent is not failsafe, because it is not unique, but I consider it a good method for small to midsize operations, which comprise the majority of websites. Assuming you expire the IP / User Agent pair frequently, the statistical chances of duplication for the average site ~ at a given point in time ~ are extremely minimal unles you are Google or Amazon. In that event you have a $1M annual budget for web development with the flexibility to redirect for every contingency.

As to organic listings, in my opinion these are getting less and less reliable as search engines rely on paid clicks to drive their stock prices. Paid advertising is becoming de rigeur for most operations and should be factored as a cost of doing business. We have successfully driven traffic to our customers' sites using a very small advertising budget.

In any event, I very much appreciate your feedback on the article. Have a Happy New Year.

Regards,

Susan
Diana

6 years ago
Dec 27, 2006

----- Original Message -----
From: Carsten Cumbrowski
Subject: SQL Mag Article 12/2006 - Cookie-Less Session Manager

Hello Susan,

I saw your Cookie-Less Session Manager Article in SQL Magazine 12/2006.
I developed myself various enterprise ecommerce solutions and the shopping cart basically works similar how you described it in the article. I usually generate the ID a bit different, but that is not the reason why I am writing you.

I also happen to be an Internet Marketer who knows quite a bit about well, marketing a website on the internet. One important aspect of internet marketing are search engines. Even the big brands can not ignore the importance of being visible there, not only in the sponsored results via Pay-Per-Click Ads, but also in the organic listings.

If a developer implements your cookie-less solution into a e-commerce solution, then can the merchant who is using it prepare himself to pay a very high bill to a Search Engine Optimization Company and the Web Development Company again. The merchants often realize the issue very late in the game once they got the idea to setup some web analytics and notice that their search engine traffic is very low or in some cases even non-existent.
The Cookie-Less session passed in the url would be especially a problem if you assign the Idea to every visitor who is browsing the site without even having something added to the shopping cart.
You only end of with minor problems if the catalog can be browsed without having a session variable passed along in the URL and only gets created and passed along once the user adds a product to his shopping cart. If every visitor gets right away a session ID then you are risking to get a major "Duplicate Content" issue with some or all search engines. search engines try to work around those sessions and detect them, but their detection does not always work properly. The value in the URL other issues too which I will not elaborate further at this point.

Also from a security point of view do I see issues with it. Your check of the IP and User Agent is not fail-safe and gets more of an potential issue the larger the site is and the higher the traffic.
High traffic websites have a lot of hits from different people with the same IP (proxy) and same user agent (there are not very much variations out there).

Regardless if they do or not is it something you should avoid as much as you can to not put yourself into the position that you need to add a lot of code just that search engines will be able to crawl a site properly. There are different options available, but none is simple or cheap. It could also happen (worst case) that a change of code will not do any good anymore, because of a permanent penalty or ban of the domain by search engines. It can take a lot of time and efforts to get the penalties removed and the site re-crawled again.

You can find more resources to the issue of "duplicate content" here http://www.cumbrowski.com/CarstenC/seo_duplicate_content_issues.asp
The resources go far beyond sessions passed in URLs, but is one of the most common ones that causes problems for webmasters. Learning about the problem in general does not hurt anyway, because other mistakes in site design can create the same effect as well.

I hope this makes sense to you.
If you have any questions, let me know.

Merry Christmas!
BERNARD

6 years ago
Dec 05, 2006

Excellent article! I will try to implement this on our site.

You must log on before posting a comment.

Are you a new visitor? Register Here

Unattended Silent Server 2008R2 and SP1 install showing progress
Dear all, I have managed to create a Batch file which successfully installs SQL Server 2008R2 Cl...
SSMS & SSDT 2012 install on XP
I recently attempted to install SSMS 2012 on my XP workstation and it came up with a error that the ...
byte order mark (BOM) issue
hi all , I am having a sp which generates a dat file , as follows \n BEGIN ...
ITF14 barcode generation control for reporting services
ITF14 barcode generation control for reporting services easily add itf14 barcode images to r...