[RESOLVED] trans_sid or not trans_sid?

bunner_bob

I have a number of pages on an ecommerce site I'm working on that require cookies. I considered enabling trans_sid (would have to be on every page I believe, since the user could navigate to any page and I want them to retain their session), but I was concerned that, even for users with cookies enabled, on the first page visited, URLs would have that ugly session ID added to them.

I thought/read this could be bad for search engines, and also I realize if someone bookmarks the long URL, it won't still be there next time they visit.

At present, when a user with cookies disabled visits a "cookies required" page, they get a message that they need to enable cookies. My thinking is, if they have disabled cookies, they've done so deliberately (is this true?) so they know how to turn them back on.

My client is using a program called Timpani, which allows him to watch users on the site, and see what pages they get. He's complaining about possibly losing sales when users run into the cookies message. On the other hand, search engine placement is extremely important to him.

What do people think I should do? How would you approach this?

mjax

First of all, the client only needs session-cookies for sessions to be supported without trans_sid. Most clients have this enabled by default.

bunner_bob

Right - the clients with cookies aren't the problem. Estimates as to how many clients have cookies disabled range from 1% to 20% or more. My client (the owner of the company) is disturbed by users unable to shop at his site - he's worried about lost sales to customers who don't have cookies enabled. I have argued that those users likely run into all sorts of limitations on the web, and that the cost of accommodating them (via trans_sid) in terms of possible search engine position loss isn't worth it.

I'm mainly just seeking facts to back up my position, so I can tell him to stop complaining about customers not accepting cookies.

Weedpacket

Mmm... and if you want to support people who have disabled cookies, and you want trans_sid turned off, then you'll have to put the session ID into every relevant URL by hand (with the SID constant). trans_sid is there so you don't have to do that.

MarkR

I discourage you from using trans_sid, it is a stupid (mis) feature.

Using cookies to store a session ID is the right and proper way to do it. The query string implementation suffers from session fixation and information leaking attacks, so it's hopeless for security. Cookies don't have this problem.

Plus almost all sites which have any functionality require cookies these days anyway, so if they block your site, they're also blocking many others.

Mark

tjohnson_nb

I agree, people who have cookies turned off will be very limited on the internet and so would probably not be likely candidates for internet shoppers.

bunner_bob

Sounds good to me. Passed along to client - hopefully it'll get him to relax.