tracking users without cookies

Hi,

i have a kind of shopping cart on my web page - the user can log in with his name and password. Then i create an unique identifier for that user, save it on the server (i am using Perl and MySQL) and of course i somehow have to save this Unique id on the client's side, too. But i want to implement a solution without cookies, and i need a hint here: how is it done?
BTW: security isn't very important.

Thanks,
Chris

<BLOCKQUOTE><font size="1" face="Verdana,Arial,Helvetica">quote:</font><HR>Originally posted by chr1701:
Then i create an unique identifier for that user, save it on the server (i am using Perl and MySQL) and of course i somehow have to save this Unique id on the client's side, too. But i want to implement a solution without cookies[/quote]

Presume that the session id you generate is 12345:

Why not just add the session id to the URL's and hidden form fields? Then the user can do their business without cookies. The URL's could even have the session id as PATH_INFO, i.e.
http://www.mydomain.com/script.cgi/12345?do_something

Then you could fetch the session id from $ENV{PATH_INFO}

Ah, i didn't know the PATH_INFO thing. Thanks!

Right now i am doing what you suggested - appending the unique key to all links.

a href="index.cgi?UniqueKey=324234"

This is not perfect - i.e. i wanted to have different cgi files like index.cgi, register.cgi, etc. If the user would type in the URL by hand while he's logged in, instead of clicking on a link, he'll lose his unique key.

But i guess there's no way to avoid that...?
(Well, I could use only one cgi file instead of many, or make the filenames unreadable, that the user is no longer able to write it by hand...)

Chris

<BLOCKQUOTE><font size="1" face="Verdana,Arial,Helvetica">quote:</font><HR>Originally posted by chr1701:
This is not perfect - i.e. i wanted to have different cgi files like index.cgi, register.cgi, etc. If the user would type in the URL by hand while he's logged in, instead of clicking on a link, he'll lose his unique key[/quote]

You can check for the session key when the script is invoked, and if one doesn't exists you assign one and redirect them to the same place. Here's a simple example using CGI.pm:

use CGI qw/:html/;
$q = new CGI;
$session_key = $q->path_info();
$session_key =~ s|^/| |; # get rid of the initial slash

# If no valid session key has been provided, then we
# generate one, tack it on to the end of our URL as
# additional path information, and redirect the user
# to this new location.
unless ($session_key =~ m{^d+$}) {
$session_key = generate_session_key();
print $q->redirect($q->url() . "/$session_key");
exit 0;
}

sub generate_session_key {
my $key;
do {
$key = int(rand(1000000));
} until (! -e "$SESSION_DIR/$key");
return $key;
}

<BLOCKQUOTE><font size="1" face="Verdana,Arial,Helvetica">quote:</font><HR>Originally posted by vpopper:
You can check for the session key when the script is invoked, and if one doesn't exists you assign one and redirect them to the same place. Here's a simple example using CGI.pm:
[/quote]

Hmmm... that's a good idea, but if the user's already logged in i will lose that info and he will have to login again.

When the user logs in i am saving the following information on the server side:
- the username
- the unique key
- a timestamp when he logged in

And when the user's logged in but then enters a URL by hand, and he therefore gets a new unique key, i don't know his username. He would have to enter it again.

Chris