Are session variables accessible?

Discussion in 'General Chat' started by amazingtrade, Jan 5, 2005.

  1. amazingtrade

    amazingtrade Mad Madchestoh fan

    Joined:
    Jun 19, 2003
    Messages:
    5,139
    Likes Received:
    0
    Location:
    Manchester
    I can't seem to find much information on this. I think they use cookies, which means they are not accessible; would this be correct? Do cookies meet W3C and WAI standards?
     
    amazingtrade, Jan 5, 2005
    #1
  2. amazingtrade

    amazingtrade Mad Madchestoh fan

    Just turned off cookies and my prototype site falls over. Damn damn f**king b**l**ks.

    I don't know what to do for the best. Can mobile devices use cookies? The target audience is British people and I believe most British people have cookies turned on.

    Now for the big Zerogain test, let's see how VB copes with cookies turned off.
     
    amazingtrade, Jan 5, 2005
    #2
  3. amazingtrade

    amazingtrade Mad Madchestoh fan

    OK, the username and password are still being stored even though different pages are being displayed, so it can be stored locally.

    How does this work? I notice there is something in the query string; is my username and password encrypted? Whatever solution VB has used for this I think I will use in my site.
     
    amazingtrade, Jan 5, 2005
    #3
  4. amazingtrade

    greg Its a G thing

    Joined:
    Dec 30, 2003
    Messages:
    1,687
    Likes Received:
    0
    Location:
    Wiltshire UK
    AT, as far as I understand them, session variables are a combination of a server side "session" which corresponds with a special local cookie (an LTPA token) which is not like a std text cookie. The server then compares its server session with the PC's token to maintain a state of authentication.
     
    greg, Jan 5, 2005
    #4
  5. amazingtrade

    amazingtrade Mad Madchestoh fan

    That's pretty much what I have read. As far as I can see I have three solutions:

    1) Using encrypted querystrings
    2) Posting data in the hidden attribute in the form
    3) Working out if session variables can be used without cookies in any way.

    I know there are application variables but I am sure there was some problem with using these.
     
    amazingtrade, Jan 5, 2005
    #5
  6. amazingtrade

    greg Its a G thing

    I guess your options depend on the web server/app server platform you are running...
     
    greg, Jan 5, 2005
    #6
  7. amazingtrade

    amazingtrade Mad Madchestoh fan

    ASP.NET. I have tried to use postback where possible but it's not always an option.
     
    amazingtrade, Jan 5, 2005
    #7
  8. amazingtrade

    greg Its a G thing

    Fortunately the platform we use just takes care of this kind of thing for us and leaves us to write the logic, workflow, data management, etc. just referring to single statement functions to ascertain authentication status, user name, access rights/roles, etc. However the protocols (LTPA tokens and their reference) are ultimately the same at the browser end.

    Personally I would avoid relying on Query Strings too much - as an application grows, QS management/slicing etc. can get extremely complicated between pages of different types, particularly when you are relying on several QS variables drawn from different sources.

    However, if you want to maintain state without authentication - e.g. a shopping basket without being logged in, where a user only logs in when they head for the checkout - then I think you will need to use standard cookies?
     
    greg, Jan 5, 2005
    #8
  9. amazingtrade

    amazingtrade Mad Madchestoh fan

    That's how I have done it in the past, but they still need to be turned on to use them, don't they? The problem is this site has to be used on mobile phones etc. A big part of my dissertation is going to be about accessibility, and because cookies can be turned off it means not everybody can use the site.

    What you have just said about querystrings is the exact reason I have avoided them in the first place. I will look into this in some detail and then decide what to do. I am continuing to develop the system that uses session variables at the moment because it won't be too hard to program it.

    I am also trying to avoid a lot of .NET web controls such as the datagrid because that code does not comply with WAI standards.

    I am starting to wish I hadn't bothered with all these standards now; I just wanted my dissertation to stand out a bit.
     
    amazingtrade, Jan 5, 2005
    #9
  10. amazingtrade

    amazingtrade Mad Madchestoh fan

    I have fixed the cookie problem; ASP.NET allows you to set a cookieless=true property in the web.config file.

    Instead of passing the sessionID to a cookie it passes it via the URL; however, is this URL W3C valid?

    http://localhost:86/(30mu3dvgy5bfwo454orwrcrw)/components.aspx

    I am not sure if I like the brackets or not.
     
    amazingtrade, Jan 6, 2005
    #10
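
Added example (not part of any post in this thread, and not ASP.NET's own code): with cookieless sessions the session ID travels in the URL path, so it is recorded wherever URLs are. This Python code finds the ID in both the `/(id)/` form shown in post #10 and the `/(S(id))/` form used by later ASP.NET versions, strips it from log text, and flags an ID requested from more than one client IP. The log layout, `basket.aspx` and the IP addresses are constructed sample data, and it assumes the server logs the path as the browser sent it.

```python
import re
from collections import defaultdict

# ASP.NET session IDs are 24 characters from a-z and 0-5. ASP.NET 1.x puts the
# ID in the path as /(id)/, as in post #10; 2.0 and later use /(S(id))/.
TOKEN = re.compile(r"/\((?:S\((?P<v2>[a-z0-5]{24})\)|(?P<v1>[a-z0-5]{24}))\)(?=/)")

# Constructed W3C extended log (not from the thread). The session ID is the one
# quoted in post #10; the client IPs are documentation addresses.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs(Referer)
2005-01-06 10:00:01 192.0.2.10 GET /(30mu3dvgy5bfwo454orwrcrw)/components.aspx 200 -
2005-01-06 10:00:09 192.0.2.10 GET /(30mu3dvgy5bfwo454orwrcrw)/basket.aspx 200 http://localhost:86/(30mu3dvgy5bfwo454orwrcrw)/components.aspx
2005-01-06 10:02:30 198.51.100.7 GET /(30mu3dvgy5bfwo454orwrcrw)/basket.aspx 200 -
2005-01-06 10:03:00 192.0.2.44 GET /default.aspx 200 -
"""

def session_id(text):
    """Return the cookieless session ID embedded in a URL or path, or None."""
    m = TOKEN.search(text)
    return (m.group("v2") or m.group("v1")) if m else None

def scrub(text):
    """Drop every cookieless session segment so the text can be stored or shared."""
    return TOKEN.sub("", text)

def rows(log_text):
    """Yield one dict per request, keyed by the names in the #Fields directive."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))

def shared_sessions(log_text):
    """Map session ID -> client IPs, for IDs requested from more than one IP."""
    seen = defaultdict(set)
    for row in rows(log_text):
        sid = session_id(row.get("cs-uri-stem", ""))
        if sid:
            seen[sid].add(row["c-ip"])
    return {sid: sorted(ips) for sid, ips in seen.items() if len(ips) > 1}

if __name__ == "__main__":
    print(shared_sessions(SAMPLE_LOG))
    print(scrub(SAMPLE_LOG))
```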