How important are cookieless sessions? Should a web application framework provide support for them?

We are programmin开发者_如何学Pythong a new web application framework (Second WAF). I was wondering if we should support cookieless sessions or not.

Who use it and who needs it?

---

I was wondering if we should support cookieless sessions or not.

I think this depends largely on your userbase. In my organization we support several intranet applications. We also control our users desktops. Since we control their desktop environment we can control browser settings and ensure cookies are enabled. Because of this and the increased risk of session hijacking, there is no reason for us to ever allow cookieless sessions.

Who use it and who needs it?

Those who need to support sessions regardless of the end users' browser settings would need to implement cookieless sessions; keeping in mind the implications of doing so.

---

It is a good feature, but several aspects have to be taken into account

• what if an URL containing session ID is cached by a web spider such as Google, will you be able to provide content if the ID in session is other than the ID provided in URL
• security. If you don't implement it smart enough, users will be able to send a URL to another user, where the URL contains the session ID and hence, allowing hijacking the first user's session. For instance, in ASP.Net1.1 the cookieless session mechanism was considered vulnerable