Most dynamic web applications store a unique identifier about the visitor who is logged into them. Webpages are stateless. So each time the dynamic page loads it needs to know the web session this new request is in reference to. Ergo, session state.
Typical ways of tracking session state:
- Cookie on someone’s computer.
- Unique identifier in URL query string. https://dev.null/script.scm&session=32xt8
Attackers like stealing session state, which makes the URL query suboptimal. Cookies aren’t great either but are considered more secure by many for tracking session state.
But it occurs to me there is an awkward but interesting third way.
Dynamic apps served up by a web server receive data from the query string when a web server fulfills a browser’s get request. But they also receive data from post requests, which require no exposure of session in the URL or in query strings. Post data is protected by the inherent SSL connection between the web browser and the server.
Post requests require the browser to be submitting something. However, in the modern age of CSS we can theme buttons as links and continuously move from page to page within a dynamic set of webpages preserving session state, without cookies or having the URL intercepted.
Also, such session data immediately becomes lost when you leave the application for another webpage, which may be inconvenient if you want cookies to autologin someone every time they visit a page; but it also prevents a dynamic page from tracking beyond its borders.
- Does anyone do this now? (I’m kinda ignorant of most modern web programming after all.)
- Does this break down in any way that isn’t obvious to me? It’s exceedingly awkward but completely plausible in my brain right now.
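The scheme described above, modelled in a few dozen lines of Python as an added example (this is not code from the original post, and every name in it is constructed: the page set, the `/login` and `/app` paths, the `SESSIONS` store and the `click` helper that stands in for a browser pressing a button). The session token lives only in a hidden form field; every in-app "link" is a submit button that re-posts it; a GET, whatever URL it carries, arrives with no session and is served the login form; a stale or guessed token is rejected.

```python
"""Hidden-field (POST-carried) session state: a minimal server-side model.

Added example, not code from the original post. Session ids, page names,
paths and the form layout are constructed for illustration.
"""
import html
import re
import secrets
from urllib.parse import parse_qs, urlencode

# Server-side session store: token -> session data (constructed, in-memory).
SESSIONS = {}

# Pages of the toy application and the in-app navigation each one offers.
PAGES = {"home": ["inbox", "settings"], "inbox": ["home"], "settings": ["home"]}

# The page a visitor gets whenever no valid session accompanies the request.
LOGIN_PAGE = (
    '<form method="post" action="/login">'
    '<input name="user"><button type="submit">log in</button></form>'
)


def create_session(user: str) -> str:
    """Mint an unguessable session token and register it server-side."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = {"user": user}
    return token


def render_page(page: str, token: str) -> str:
    """Render ``page`` with navigation as a POST form: the token rides in a
    hidden input and each target page is a submit button (CSS class ``link``
    is where the button would be themed to look like an ordinary link)."""
    buttons = "".join(
        f'<button type="submit" name="page" value="{html.escape(p)}" class="link">'
        f"{html.escape(p)}</button>"
        for p in PAGES[page]
    )
    return (
        f"<h1>{html.escape(page)}</h1>"
        f'<form method="post" action="/app">'
        f'<input type="hidden" name="session" value="{html.escape(token)}">'
        f"{buttons}</form>"
    )


def handle_request(method: str, path: str, body: str = ""):
    """Dispatch one request; returns (status, html).

    Only a POST carrying a valid token reaches an authenticated page. A GET
    (a bookmark, an external link, a typed URL) carries no state, so the
    visitor arrives logged out no matter what the URL says.
    """
    if method != "POST":
        return 200, LOGIN_PAGE
    fields = parse_qs(body)
    if path == "/login":
        user = fields.get("user", [""])[0]
        if not user:
            return 400, LOGIN_PAGE
        return 200, render_page("home", create_session(user))
    token = fields.get("session", [""])[0]
    page = fields.get("page", ["home"])[0]
    # Unknown token (expired, guessed, or copied from another app) or an
    # unknown page: fall back to the login form rather than any content.
    if token not in SESSIONS or page not in PAGES:
        return 403, LOGIN_PAGE
    return 200, render_page(page, token)


def click(page_html: str, target: str) -> str:
    """Stand-in for the browser submitting the form by pressing the ``target``
    button: the body it sends is the hidden session field plus the button's
    own name/value pair, url-encoded. Constructed for the example."""
    m = re.search(r'name="session" value="([^"]*)"', page_html)
    token = m.group(1) if m else ""
    return urlencode({"session": token, "page": target})


if __name__ == "__main__":
    # Walk the flow once: log in, navigate, then show what a GET gets.
    _, home = handle_request("POST", "/login", "user=alice")
    print(handle_request("POST", "/app", click(home, "inbox"))[1])
    print(handle_request("GET", "/app?session=anything")[1])
```

Two properties worth noticing when running it: the token never appears in any URL the server emits (the form action is a bare path), and because the browser does not attach the hidden field automatically the way it attaches a cookie, a form on some other site cannot make the visitor submit a request carrying it without already knowing the token. The cost is exactly what the post suggests: refresh, back, bookmark and "open in new tab" all lose or re-submit the state, since every one of them is a GET or a re-POST rather than a fresh in-app click.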