Solved

HTTP Header instead of QueryString

Posted on 1998-08-28
Last Modified: 2013-12-23
Hi Experts,
this is a very hard question.
I will adjust the points up to 1000 if it seems that there is a solution.

When you log on to experts-exchange, an HTTP header is sent, like "Experts Exchange member".
So you are logged in.

If you come to http://www.baukreis.de, you will get a unique HTTP header:
ETag: "df011-232b-35dd3842".
This is your customer ID or Session ID.
So you are "logged in".

If you know anything about server-side programming and shopping carts, you will know what it means: The customer needs a unique customer ID so that the shopping cart is not lost. This ID must not be lost either.

(http://www.baukreis.de is using software from http://www.shopsite.com.)

Usually, the customer ID is evaluated through the QueryString.
Shopsite does it through the HTTP header.

---
My problem is: Every time I link to an HTML page, the query string is lost.
Not at experts-exchange.com, not at baukreis.de, because they are using HTTP headers, which also work for HTML pages.
---

I know how to send an HTTP header with Perl, or ASP, or Visual Basic, but only for the document itself...
But I wish to send the header also with HTML documents sent to a unique customer.


---
Questions:

1. How does Shopsite manipulate servers to send that HTTP header tag to a unique customer (I am especially interested in Internet Information Server)?
How can I do this?
(Usually, I am working with Visual Basic, but C++ sources would be accepted.)

2. The browser has received this tag. What does it send to the server (to show that it is the same as before)?
How does the server process this information? How does it know whether to send a new header or the one already sent?

3. How can I use a unique HTTP header tag instead of the QueryString?


---
Thank you.
Hope it was clear enough, sorry for the bad English.
Robert
Question by:soeding
11 Comments
 
LVL 75

Accepted Solution

by:
Michel Plungjan earned 200 total points
Send a cookie instead,
Http header is
Set-Cookie: Name=mycookie; path=WhatDirectoriesMayReadThis; expires=DateInUTCformat

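In perl it is something like

print "Content-Type: text/html\n";
# the cookie travels with the other response headers
print "Set-Cookie: ORDER=",$name,"; path=/; expires=Wednesday, 19-Nov-99 23:12:40 GMT\n";
print "\n";   # blank line ends the header block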

The page itself can set the cookie with
<META HTTP-EQUIV="Set-Cookie" CONTENT=".............">
or by using JavaScript
<SCRIPT>
document.cookie="..............."
</SCRIPT>

With the expires you can control how long the cookie lives - if not used, the cookie expires when the browser is closed.

Any cgi invoked from a document with a cookie set will send an HTTP-COOKIE header back to the server.

Michel
0
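The cookie round trip from the answer above, seen from the server side, as an added example that is not part of the original thread and is not ShopSite's or Experts Exchange's code. It is written in Python; `handle_request`, `SESSIONS` and the in-memory store are assumptions made for the illustration, and only the cookie name `ORDER` comes from the Perl line above.

```python
import secrets
from http.cookies import SimpleCookie

SESSIONS = {}          # session id -> cart contents (in-memory, example only)
COOKIE_NAME = "ORDER"  # cookie name used in the Perl line above


def handle_request(request_headers):
    """Return (response_headers, cart) for one request.

    request_headers is a dict of the headers the browser sent.
    """
    jar = SimpleCookie()
    jar.load(request_headers.get("Cookie", ""))
    sid = jar[COOKIE_NAME].value if COOKIE_NAME in jar else None

    response_headers = [("Content-Type", "text/html")]
    if sid not in SESSIONS:
        # No cookie, or an id this server never issued: mint a fresh,
        # unguessable id rather than adopting the client's value.
        sid = secrets.token_urlsafe(32)
        SESSIONS[sid] = []
        out = SimpleCookie()
        out[COOKIE_NAME] = sid
        out[COOKIE_NAME]["path"] = "/"
        out[COOKIE_NAME]["httponly"] = True  # keep the id away from page scripts
        response_headers.append(("Set-Cookie", out[COOKIE_NAME].OutputString()))
    return response_headers, SESSIONS[sid]


def cookie_header_from(response_headers):
    """What a browser sends back on the next request: name=value only."""
    for name, value in response_headers:
        if name == "Set-Cookie":
            return value.split(";", 1)[0]
    return None
```

The server sends `Set-Cookie` only once per customer; on later requests the id arrives in the request's `Cookie` header and the stored cart is looked up from it.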
 
LVL 1

Author Comment

by:soeding
Hi mplungjan,

you proposed a solution, but you did not answer the questions.
Your answer contains solutions for 4 programming languages: You were thinking. Therefore you will get the points.

I should have said that I do not want to use Cookies, because some users do not like it.
I was looking for a real great solution, not invoking the browser.
Because I did not tell, you will get the points.

In the meantime, I found a solution which neither uses Cookies nor the QueryString.
It does not depend on the browser or the user's preferences.

What's the solution?
Oh my, what's the only number a user is identified with, withOUT all code?
You may post it as a question ... it's genius (and easy).

Thank you.
0
 
LVL 1

Expert Comment

by:Patricia080698
Yes mplungjan, but can we send other information, for example the name, the telephone number or other information, with this cookie?
0
 
LVL 1

Expert Comment

by:Patricia080698
soeding, I am willing to give points for your answer, I am also having the same problem. I am actually trying to use session object. But not advancing a lot, so if you can lend me a hand it would be really appreciated. Thanks.
0

 
LVL 75

Expert Comment

by:Michel Plungjan
Hi soeding and Patricia.

If you use an authorisation scheme to protect your pages, after successful logon, the http requests will send the userid in an http field from the browser until the browser is closed. If that is what you meant, I am sorry. That is a given. I thought you had another problem.

REMOTE_ADDR=nnn.nnn.nnn.nnn - IP Address - always there
REMOTE_USER=xxxxx - User id, set by http authentication

Ok, cookies are out, IP addresses and userids are in -

IP addresses work fine except when the ISP gives you a virtual IP address every time you log on.

If you are happy to lose the info after the user cuts the connection and re-establishes it without closing the browser, you are in business (assuming the IP address was what you had in mind)

Check this page out:
http://www.webthing.com/tutorials/login.html


0
 
LVL 1

Author Comment

by:soeding
mplungjan, Patricia,
great, that's it!

mplungjan,
I am sorry that I cannot give you the points for the other answer.
I would, but there is nothing on the page to do that...?
0
 
LVL 75

Expert Comment

by:Michel Plungjan
Soeding, I am not sure I understand the second part.
Would you repeat the question you didn't feel was answered?

Thanks,

Michel
0
 
LVL 1

Author Comment

by:soeding
mplungjan,

actually, http://www.baukreis.de holds the client state without cookies or query string (deactivate cookies before testing).
How do they do this?
(You do not need to answer. It's very hard, therefore the "1000 points".)

If you are interested in that question, see
http://www.experts-exchange.com/topics/comp/lang/cplusplus/Q.10078309

Besides, the IP address may change, as I experienced :-(
0
 
LVL 75

Expert Comment

by:Michel Plungjan
What I see (without looking hard) is that baukreis are using hidden form fields and cookies on their site - not hard at all.
To write an ISAPI filter sounds a bit over the top to me since a basic authorisation will send whatever userid you assigned to the user with all requests.

Good luck, though

Michel
0
 
LVL 75

Expert Comment

by:Michel Plungjan
PS: The reason you do not see the state in the query string is that they POST their hidden forms.

Michel
0
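The hidden-form-field approach described in the last two comments, as an added example that is not part of the original thread and is not ShopSite's code. A hidden field is as editable by the visitor as a query string, so this sketch has the server attach an HMAC tag to the customer id and check it on every POST; the field names `cid` and `sig`, the `/cart` action and the function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import html
import secrets
from urllib.parse import parse_qs

# Assumption: a per-deployment secret that never leaves the server.
SERVER_KEY = secrets.token_bytes(32)


def _tag(customer_id):
    """HMAC-SHA256 over the customer id, hex encoded."""
    return hmac.new(SERVER_KEY, customer_id.encode(), hashlib.sha256).hexdigest()


def render_form(customer_id, action="/cart"):
    """HTML form that carries the customer id to the next page via POST."""
    return (
        f'<form method="POST" action="{html.escape(action, quote=True)}">'
        f'<input type="hidden" name="cid" value="{html.escape(customer_id, quote=True)}">'
        f'<input type="hidden" name="sig" value="{_tag(customer_id)}">'
        '<input type="submit" value="Continue"></form>'
    )


def customer_from_post(body):
    """Return the customer id from a POST body, or None if it fails the check."""
    fields = parse_qs(body)
    cid = fields.get("cid", [""])[0]
    sig = fields.get("sig", [""])[0]
    # Constant-time comparison on bytes; a missing or edited field fails here.
    if cid and hmac.compare_digest(sig.encode(), _tag(cid).encode()):
        return cid
    return None
```

The tag stops a visitor from editing the id into another customer's; it carries no expiry, so a copied form keeps working until the key changes.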
