My apologies if this has been posted before. Searching didn't turn up anything.

I'm trying to find a fairly straightforward way to track users without cookies using Apache since some people delete/block cookies. I'm sure this can be done but information on how is fairly scarce on the web.

There must be simple way to do this. Any suggestions?

Thanks!

Not sure how to do it, but the theory is pretty simple. Instead of storing the session ID in a cookie, you store it in the URL, in a request variable. Note that this completely screws up caching on your clients, though. It also screws up Google (Google will index your pages using a URL with some session ID, and then people will try to click on Google's links, but that session will be expired.)

There might be another option: use hidden form fields (<input type="hidden" value="sessionid" />). This should work if all your pages are forms to be submitted, not links to be followed. (And in that case, Google won't be affected, either, because AFAIK it won't follow form POSTs, only links.)

I've come up with a possible way to do this with mod_rewrite. It should also enable me to solve the search engine crawler problem.

I can use mod_rewrite to change URLs on the fly to include a tracking #. It should also be able to detect crawlers and serve up the normal URL.

The problem I have right now is I can't figure out how to get the inital tracking number. I have to use an external script I think. Not sure how to handle that.

Anyone know how to do something like this?

Thanks!

This may be a rediculous answer, but if you programming in PHP you can use IP like I did. Mind you it requires useing the database to store session information using the IP as a primary key (or at least thats how I implemented it). I also recognize that there are many times where this will simply not work, so I appoligize if it is of no help.

!THIS IS NOT MY CODE! I have the writter acknowleged in the web app documentation somewhere but I don't have time to look it up.


/*function getIP($type)
*
* parameters:
* $type specifies if you want the md5 value of the ip or just the string
* 0 ip string
* 1 md5 value
*
* This function obtains the ip in any situation for use with the cart functionality so
* that the user will be able to keep track of the items they have bought.
*/


function getIP($type)
{
if (getenv("HTTP_CLIENT_IP") && strcasecmp(getenv("HTTP_CLIENT_IP"), "unknown"))
$ip = getenv("HTTP_CLIENT_IP");
else if (getenv("REMOTE_ADDR") && strcasecmp(getenv("REMOTE_ADDR"), "unknown"))
$ip = getenv("REMOTE_ADDR");
else if (getenv("HTTP_X_FORWARDED_FOR") && strcasecmp(getenv("HTTP_X_FORWARDED_FOR"), "unknown"))
$ip = getenv("HTTP_X_FORWARDED_FOR");
else if (isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] && strcasecmp($_SERVER['REMOTE_ADDR'], "unknown"))
$ip = $_SERVER['REMOTE_ADDR'];
else {
$ip = "unknown";
return $ip;
}
if ($type==1) {return md5($ip);}

if ($type==0) {return $ip;}
}

Not sure if you want to "track" your users only during the session (I guess so based on the follow-ups), but if so wouldn't it be possible to just use a session variable in PHP/ASP/whatever server-side language you use?

What I mean is something like this to store the data (ASP.NET):
Session.Contents("VariableName") = "some data"
and to retrieve it into myVar:
myVar = Session.Contents("VariableName")

but I guess you will have thought of that already and this won't suit your needs :)

Ludootje: That would work, except the web server needs to have a way to associate each subsequent request with the proper session. HTTP has no way to do that on its own; that's what the session ID is. (CanadaMan: Same thing applies to using mod_rewrite. You have no way to know what the session ID should be on future requests.)

ASP.Net uses a cookie to track your sessions by default, but it can be configured to put the session ID into the URL. There's no option to use a hidden form field, although ASP.Net does use a hidden field for the "view state" (something orthogonal to the session; the view state is where various properties -- like visibility -- of various server controls get put, so they stay the same if you modify them in code at the server and you don't have to recompute them all the time).

(BTW: Been a while since I've heard from you! ;))

I guess I should be a little clearer on what I'm looking for.

We have some customers (pesky ones!) who need a solution where they track customers without cookies. So I need a simple implementation that isn't to burdensome. At least not so burdensome that they stop sending us money. Since they have a bunch of different setups I need something fairly independant.

I'm currently working on a way of using mod_rewrite and PHP. The idea is to use .htaccess with the %{HTTP_REFERER} to capture the existing session ID assuming it's been assigned. If not then I need to generate the ID. This assumes I can use a regex on %{HTTP_REFERER} which I haven't even tried yet.

To generate the ID I think I have to use an external script via RewriteMap. I may even have to use the same script get the ID from %{HTTP_REFERER}.

Ahhh, OK, I think I see. Yes, the Referrer: header would work (assuming the browser sends that; it's possible that not all browsers do, but I doubt it).

You would need a way to generate the initial session ID though; perhaps just creating a script that'll generate a large random number, stick it in the database, and return it? That ought to work fairly well.