How do you handle keeping a user logged in or updating a cart when you can’t use sessions? Adding the userId or cartId to hidden input fields feels like a security flaw.
Adding a session-like ID to every form (and every plain link outside forms too, if you want to be able to keep state over browsing) is indeed the way it was traditionally done when you can’t use cookies.
It’s such a pain to implement parameter-sessions (with ugly /page.php?session=459gj0tv789yn-style links), it breaks caching and users can’t copy-and-paste links in case they accidentally share sessions. For these reasons, most sites don’t bother with this any more, and simply require cookies.

Another thing you can do is use HTTP Basic Authentication to allow the user to sign into an account, and store all session information on the account. This is a bit less convenient for a shopping cart as you have to require the user to sign in before they put anything in a cart, but in the general case it’s a good alternative to cookies.
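One way to implement the parameter-session approach the answer describes without the flaw the question worries about, as an added Python example (not code from the original thread): links and hidden fields carry only an opaque random token, and the server resolves it to the cart, so a tampered or guessed value resolves to nothing rather than to another user's cart. The parameter name `session`, the in-memory store and the handler shape are assumptions for this example.

```python
import hmac
import secrets
from html import escape
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

PARAM = "session"  # parameter name used in links and forms (assumed for this example)

class ParamSessionStore:
    """Cookieless sessions: the browser only carries an opaque random token;
    the cart, user id and everything else stay server-side."""

    def __init__(self):
        self._sessions = {}

    def create(self, initial=None):
        token = secrets.token_urlsafe(32)  # 256 bits of entropy, not guessable like a cart id
        self._sessions[token] = dict(initial or {})
        return token

    def lookup(self, token):
        """Return the session for a valid token, else None (constant-time compare)."""
        if not token:
            return None
        for known, data in self._sessions.items():
            if hmac.compare_digest(known.encode(), token.encode()):
                return data
        return None


def link_with_session(url, token):
    """Rewrite a plain link so it keeps the session (the ?session=... style)."""
    parts = urlsplit(url)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True) if k != PARAM]
    query.append((PARAM, token))
    return urlunsplit(parts._replace(query=urlencode(query)))


def hidden_field(token):
    """Hidden input carrying the token (never the user or cart id) for every form."""
    return f'<input type="hidden" name="{PARAM}" value="{escape(token, quote=True)}">'


def handle_add_to_cart(store, form):
    """Form handler: trust only what the token resolves to on the server side."""
    session = store.lookup(form.get(PARAM))
    if session is None:
        return 403, "session missing or expired"
    session.setdefault("cart", []).append(form["item"])
    return 200, session["cart"]
```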