scaryguy

Reputation: 7960

How to create sessions using client data without cookies?

I'm serving a single playlist file to the client.

The client periodically sends a new request to my server asking for the playlist file, for example once every 10 seconds.

I need to identify each client at server side.

My first attempt is using cookies. It works pretty well if the client does support cookies.

But I need to be able to identify all clients even though they don't support cookies.

Can I create a session without using cookies, using only, for example, IP and header data?

If so, how can I do that?

Requirements:

  1. The URL which the client consumes cannot change. The client cannot add any parameters to it, and the client cannot do anything except request the playlist file.
  2. One single request to the server should be enough to identify a user.
  3. All requests should serve enough data to be known by server.

I'm currently using express-session.

I assume I can get what I want by creating a middleware like express-session. But I'm not sure how exactly I can do it.

Upvotes: 0

Views: 266

Answers (2)

Brian Clifton

Reputation: 711

user1551066's recommendation is a pretty solid answer (great find!)

But please keep in mind there's a point of diminishing returns when you get into edge cases. If you simply displayed an error saying cookies are required, would that be acceptable for a v1.0?

Evercookie and cookieless cookie would likely handle most of the other situations... but have ways of being thwarted. Evercookie can be stopped by using private browsing. Cookieless cookie's approach can be defeated with privacy plugins that change the values used to create the fingerprint. These storage attempts might also be considered invasive by the happy path users (who do have cookies enabled).

From a professional standpoint, I'd recommend focusing on the happy path first and just displaying an error for folks that have cookies disabled. Once you get your code up and running, then you can revisit the experience those folks have.

Upvotes: 0

SergeyAn

Reputation: 764

Try to use evercookie

Or this one. It uses ETag (though evercookie also uses ETag as one of its approaches, this one specifically uses it).

cookieless cookie

Upvotes: 1
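How the ETag approach named in this answer can identify a client whose URL cannot change, as a framework-neutral Node.js function (an added example, not code from the thread, evercookie or cookieless cookie). The server hands out an id inside the `ETag` header and reads it back from `If-None-Match`; because that header is client-supplied, the id is HMAC-signed and anything that fails verification is treated as a new client. `SECRET`, `servePlaylist` and the other names are assumptions, and the scheme only works for clients that cache the response and revalidate it.

```javascript
// Added example; SECRET and every function name here are assumptions.
const crypto = require('node:crypto');

const SECRET = crypto.randomBytes(32); // load a persistent key in real use

// HMAC over the id, so a client cannot mint or alter an id we accept.
function sign(id) {
  return crypto.createHmac('sha256', SECRET).update(id).digest('base64url');
}

function makeTag(id) {
  return `"${id}.${sign(id)}"`; // ETag values are quoted strings
}

// Returns the client id if the header carries a tag we issued, else null.
function verifyTag(header) {
  const m = /^(?:W\/)?"([0-9a-f]{32})\.([A-Za-z0-9_-]{43})"$/.exec(header || '');
  if (!m) return null;
  const ok = crypto.timingSafeEqual(Buffer.from(sign(m[1])), Buffer.from(m[2]));
  return ok ? m[1] : null;
}

// Framework-neutral: takes lower-cased request headers, returns the response.
function servePlaylist(headers, playlist) {
  let clientId = verifyTag(headers['if-none-match']);
  const isNew = clientId === null;
  if (isNew) clientId = crypto.randomBytes(16).toString('hex');
  return {
    clientId,
    isNew,
    status: 200, // always send the body; the tag identifies the client, not the content
    headers: {
      ETag: makeTag(clientId),
      // "no-cache" lets the client store the response but forces revalidation,
      // so If-None-Match is sent on every poll; "private" keeps shared caches out.
      'Cache-Control': 'private, no-cache',
    },
    body: playlist,
  };
}

// Constructed sample exchange: first poll, then a poll echoing the tag back.
const firstPoll = servePlaylist({}, '#EXTM3U');
const secondPoll = servePlaylist({ 'if-none-match': firstPoll.headers.ETag }, '#EXTM3U');
console.log(firstPoll.isNew, secondPoll.isNew, firstPoll.clientId === secondPoll.clientId);
```

In an Express app the same function can back a middleware that copies `clientId` onto the request object and the returned headers onto the response.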
