Ask a Jedi: No cookie for you!


Pat asks:

What's the best way to get around the old problem of cookie blocking? How do we keep variables current through a session, for example a shopping basket, when the user is paranoid enough to set 'accept NO cookies'?

I'm well aware a disclaimer on the site saying 'you must have cookies enabled' would work. I'm also aware of #URLSessionFormat("xxxx")# but that creates a mess in the URL. Are there any other ways of getting around this? If not, what's the best way to set up Application.cfc to the best advantage when using URLSessionFormat?

I think the solution here is simple, and you already know it. If the user refuses to accept cookies, then you must maintain state via URL parameters. I'm not really sure I'd call URLSessionFormat ugly. It works, and the nice thing is that if a user does accept cookies then it knows not to add the additional items to links. The only bad thing about this feature is that you have to be extremely careful to use it everywhere, including both simple navigation links and form posts.

Are any of my readers supporting cookie-less visitors without using urlSessionFormat?


About Raymond Camden

Raymond is a senior developer evangelist for Adobe. He focuses on document services, JavaScript, and enterprise cat demos.

Lafayette, LA

Archived Comments

Comment 1 by Chris H posted on 3/1/2008 at 1:01 AM

i don't support cookie-less visitors on large sites. like you said, adding an urlSessionFormat() to every link/form/javascript redirect/etc. is hassle enough, but i remember it adding the variables to the URL scope even if i had cookies enabled on the first request after login or some such.

i do always check that the user is notified that he needs to enable cookies for this site every time his action fails because of it.

Comment 2 by Raymond Camden posted on 3/1/2008 at 1:02 AM

Where do you add it to JavaScript? I can't imagine that being necessary - outside of the HTTP calls done via Ajax.

Comment 3 by Chris H posted on 3/1/2008 at 1:12 AM

depends, when doing a redirect via document.location or changing the "href" attribute via document.getElementById( 'aLink' ).href = 'index.cfm?event=eventtoload&Language=English'

Comment 4 by Raymond Camden posted on 3/1/2008 at 1:21 AM

Ah true dat.

Comment 5 by Rick O posted on 3/1/2008 at 1:46 AM

I agree with Chris H. My company runs its own mid-range retail store online, and I get the support calls for the online orders. I can tell immediately if they are having problems because of lack of cookies, and I tell them quite simply that their browser is misconfigured.

Because, quite frankly, it is. Session cookies are just as vital to modern web browsing as the Anchor tag.

Modern web browsers allow you to turn off cross-domain cookies if you are really that paranoid. Any more than that is just silly.

I offer to walk them through turning them back on when possible -- some people have sysadmins that have disabled them on a network level, or via a cookie-cutting proxy server. In those extreme cases, I have a form email that they can forward to their sysadmins which explains how out of date the concept of cookie blocking is.

Same for people that turn off JavaScript.

"You must be this tall to ride this ride."

Comment 6 by James Edmunds posted on 3/1/2008 at 2:38 AM

Like Rick O, I for most sites assume that visitors will be using javascript and cookies, but I tend to test for both and provide messages like, "You have javascript turned off and some features of this web site may be lost," etc. Nevertheless, I like to test things with javascript and/or cookies turned off just to make sure the ride is at least reasonably smooth, or reasonably good at explaining what they won't be able to do.

Comment 7 by Pat Dobson posted on 3/3/2008 at 2:11 PM

I guess it's a compromise situation, you must assume that the majority have both cookies and javascript.
When I was investigating this, I noticed that Amazon (probably the biggest on-line retailer) don't support a 'no cookie' situation, they simply warn users to enable cookies. If it's good enough for them . . .
Without the useful command URLSessionFormat, how do other languages get around this issue?

Comment 8 by Thomas posted on 4/4/2008 at 2:01 PM

Something you will notice after adding "URLSessionFormat" to your links and disabling cookies, when you run the W3C XHTML validation service:

"This page is not Valid XHTML 1.0 Strict!"

Why? The Function is placing "&" instead of "&amp;". If you would really like to use it, you will need another Replace() around it - even uglier than before ;)

Comment 9 by Raymond Camden posted on 4/4/2008 at 4:28 PM

Or you could do it in a udf and just use the one udf for your links.

Comment 10 by Mike G posted on 11/15/2009 at 5:00 AM

I just recently ran into this issue on an ecomm site I wrote. With the spectre of a huge re-write to support the paranoid mini-masses, I am experimenting with onrequestend(), getPageContext().getOut().getString() and a regex to do url rewriting to add the sessiontoken. That ought to work for all the cfm pages with links, but I have no idea how to handle all the ajax js files that are linked. Any ideas?

Comment 11 by Raymond Camden posted on 11/15/2009 at 7:58 PM

If you make your JS files CFM files then you can use the same technique.

Comment 12 by Raymond Camden posted on 11/15/2009 at 7:58 PM

Of course - I have to ask - why not just add urlSessionFormat to the links? That handles adding the links for you if cookies aren't enabled.

Comment 13 by Mike g posted on 11/15/2009 at 10:44 PM

As far as changing JS to cfm, I then lose the client side caching of the JS. Long term I will use urlsessionformat but will be rewriting most method calls. Need a quick turnaround solution for a production site.

Comment 14 by Raymond Camden posted on 11/16/2009 at 12:27 AM

Unless you have an absurd amount of links in your JS - would it take that long to use the urlSessionFormat? And the client can still cache CFM files. Look into cfheader to request the client to cache the result.
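
The JavaScript cases raised in the comments (Chris H's document.location redirect, Mike G's linked JS files) together with Thomas's ampersand point, as an added example that is not code from the post or its commenters: a client-side helper that appends the session identifiers only when cookies are off and only to same-origin URLs, plus escaping for links written into markup. The parameter names CFID and CFTOKEN, the helper names, the hosts and the token values are assumptions made for the illustration.

```javascript
// Added example, not code from the post. Assumes CFID/CFTOKEN as the session
// parameter names; host names and token values are constructed.

// Client-side counterpart to URLSessionFormat for URLs assembled in JavaScript.
function sessionUrl(href, session, pageUrl, cookiesEnabled) {
  if (cookiesEnabled) return href;            // the cookie already carries the session
  const page = new URL(pageUrl);
  const target = new URL(href, page);         // resolves relative links against the page
  // Off-site, mailto: and javascript: targets never receive the identifiers.
  if (target.origin !== page.origin) return href;
  for (const [name, value] of Object.entries(session)) {
    // Drop any existing copy (case-insensitive) so stale values are not duplicated.
    for (const key of [...target.searchParams.keys()]) {
      if (key.toLowerCase() === name.toLowerCase()) target.searchParams.delete(key);
    }
    target.searchParams.append(name, value);
  }
  return target.pathname + target.search + target.hash;
}

// Escape a URL for use inside an (X)HTML attribute, so "&" becomes "&amp;".
// Use this only when writing markup, not when assigning to location or .href.
function xhtmlAttr(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return value.replace(/[&<>"']/g, (ch) => map[ch]);
}

function demo() {
  const session = { CFID: '1234', CFTOKEN: '56789012' };   // constructed values
  const page = 'https://shop.example/store/cart.cfm';      // constructed page URL
  const link = 'index.cfm?event=eventtoload&Language=English';
  return {
    redirect: sessionUrl(link, session, page, false),
    markup: '<a href="' + xhtmlAttr(sessionUrl(link, session, page, false)) + '">Basket</a>',
    external: sessionUrl('https://partner.example/offers', session, page, false),
    withCookies: sessionUrl(link, session, page, true),
  };
}
```

In a browser the last argument would be `navigator.cookieEnabled` and the page URL would be `location.href`.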