Originally Posted by tpeck
One user's answers would wipe out another's, wouldn't they?
Cookies are not saved on the *SITE*. They are saved on each user's personal computer.
You and I must have a very different view of a typical intranet. The one I work with, as an example, has two central servers (one is just for the database, one is for the web server as well as various other applications) and about 60 individual workstations. At this company, each person is assigned his/her own workstation and, except for supervisors, no one is allowed to use another person's workstation. So, for all practical purposes, it is no different than an internet (just that nobody can connect from the outside world except through a tightly controlled and ip-address-managed firewall). An employee turns on his/her workstation, brings up a browser, and hits the web site using an internal URL (that is, something like http://mainserver, rather than specifying a www. or .com or whatever external URL...the local DNS server of course knows about all the internal "sites" and so never goes outside the local network to connect). And when the connection is made, the "mainserver" puts a cookie on the individual user's computer that identifies his/her session.
All in all, no different at all than an inTERnet connection.
You say you need to avoid cookies: I would hope and presume you mean that applies to external users. Clearly, for inTRAnet users, you should be able to dictate what they will and must do, which would include keeping cookies turned on at all times.
Cookieless session state isn't too hard to do, but it is even more intrusive than cookies, in my opinion. There are really only two ways to do it: (1) *ALL* movement between pages *MUST* be done via <form> submittal, and usually is done with <form method="post">, and the encrypted session identifier is stored in an <input type="hidden"> field in the <form>. (2) The encrypted session identifier is passed as part of a query string in every movement from page to page. This is a common mechanism in some JSP frameworks, where you will see "xxx.do?sessionid=818X!GMaa9Zaa" or worse.
Remember, in either of these cookieless scenarios, *ALL* page to page movement must be done this way. So even a navigation menu would have to be something like
<a href="home.php?sessionid=818X!GMaa9Zaa"> Home </a>
<a href="catalog.php?sessionid=818X!GMaa9Zaa"> Catalog </a>
<a href="contact.php?sessionid=818X!GMaa9Zaa"> Contact Us </a>
or, using forms:
<form method="post" action="transfer.php">
<input type="hidden" name="sessionid" value="818X!GMaa9Zaa"/>
<input type="submit" name="gotoPage" value="Home"/>
<input type="submit" name="gotoPage" value="Catalog"/>
<input type="submit" name="gotoPage" value="Contact Us"/>
</form>
(And then "transfer.php" examines the value of $_POST["gotoPage"] and indeed transfers to the appropriate page.)
And so on. If you ever make a movement to another page *without* passing the sessionid, then the entire session connection is lost and can only be restored by logging in again.
Are you *SURE* you want to try to do this without cookies?
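
The "transfer.php" dispatcher described in the post above, sketched as an added example that is not part of the original post: it validates the posted sessionid and treats gotoPage only as a key into an allow-list. The PAGES map, the in-memory $store, login.php, the 900-second lifetime and all function names are assumptions made for illustration.

```php
<?php
// Added example, not code from the original post. PAGES, $store and the
// function names are hypothetical.

// Allow-list of submit-button labels => scripts. The posted gotoPage value is
// only ever used as a key here, never as a path.
const PAGES = [
    'Home'       => 'home.php',
    'Catalog'    => 'catalog.php',
    'Contact Us' => 'contact.php',
];

// New ids come from the CSPRNG: 128 bits, hex-encoded.
function new_session_id(): string
{
    return bin2hex(random_bytes(16));
}

// Decide where a POST to transfer.php goes. Returns [script, sessionid|null].
function resolve_transfer(array $post, array $store, int $now): array
{
    $id = $post['sessionid'] ?? '';
    // Reject arrays, malformed ids, unknown ids and expired sessions alike.
    if (!is_string($id) || !preg_match('/^[0-9a-f]{32}$/', $id)
        || !isset($store[$id]) || $store[$id]['expires'] < $now) {
        return ['login.php', null];   // session lost: log in again
    }
    $label = $post['gotoPage'] ?? '';
    $script = is_string($label) ? (PAGES[$label] ?? 'home.php') : 'home.php';
    return [$script, $id];
}

// Hidden field every rendered form must carry to keep the session alive.
function session_field(string $id): string
{
    return '<input type="hidden" name="sessionid" value="'
        . htmlspecialchars($id, ENT_QUOTES, 'UTF-8') . '"/>';
}

// Constructed demo data: one live session and three sample POST bodies.
$now = time();
$id = new_session_id();
$store = [$id => ['user' => 'demo', 'expires' => $now + 900]];
foreach ([
    ['sessionid' => $id, 'gotoPage' => 'Catalog'],
    ['sessionid' => $id, 'gotoPage' => 'admin.php'],  // label not in PAGES
    ['gotoPage' => 'Home'],                           // sessionid missing
] as $post) {
    [$script, $sid] = resolve_transfer($post, $store, $now);
    echo $script, ' ', $sid === null ? '(no session)' : session_field($sid), "\n";
}
```

Run from the command line, the three constructed requests resolve to catalog.php, home.php (unlisted label falls back to the default) and login.php (no sessionid, so the session is gone).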