Can we maintain a cookieless session in OutSystems?

First and foremost... Never use cookieless sessions, since the session can easily be manipulated in the query string.



Now, Understanding the OutSystems Session Model explains:

A session in the OutSystems Platform is created by the server when you first access the application using your browser. All requests to application pages in the OutSystems Platform have a session - it is not possible to implement session-less application pages. The session then ends after either the user logs out or when it expires (meaning, after the session is not used for a given period of time).

From the browser side, the session is identified with a specific cookie. On the .NET stack, the session cookie is named ASP.NET_SessionId; in the Java stack it is named OSSESSIONID.

Hi Kumar,

If I don't want to store cookies in my browser, from a security point of view, then I have to opt for a cookieless session.

Also, please highlight: can cookieless sessions be achieved by setting the Use Cookie property to No for every module?

Yes, I understand, never disclose important information in the URL, but can we encrypt the session ID disclosed at URL level when we go for a cookieless session?

Also, please let me know: if we block third-party cookies, does our application still work? As I have tried, it gives me an error. So from this can I conclude that no application works without maintaining the session in the form of cookies at the client end?

Thanks in advance


Solution

If I don't want to store cookies in my browser, from a security point of view, then I have to opt for a cookieless session.

> Yes, using sessions in the browser is known to be more vulnerable, error-prone and non-SEO-friendly.


Also, please highlight: can cookieless sessions be achieved by setting the Use Cookie property to No for every module?

> That's correct.


Yes, I understand, never disclose important information in the URL, but can we encrypt the session ID disclosed at URL level when we go for a cookieless session?

> If someone gets the URL with the (encrypted) session, the original user and the other one both would be able to access the page using the same session.

> Even if you try to link it with the originating IP address, a device's IP address can change on the go or on wireless, hence it's easily broken when clicking 'an old URL' with the old session.


Also, please let me know: if we block third-party cookies, does our application still work? As I have tried, it gives me an error. So from this can I conclude that no application works without maintaining the session in the form of cookies at the client end?

> For applications created with OutSystems that require you to log in with a username and password, some or all functionality may not be available if cookies are disabled. Please read Cookie Usage in Web Applications.


Regards,

Swatantra
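Added example (not from this thread, and not OutSystems code) illustrating the two points in the answer above: a session identifier carried in the URL is a bearer credential, so encrypting it changes nothing about who can use it, and URL-carried identifiers end up in places cookies do not (access logs), which is what a defender should look for. The in-memory session store, the toy "seal" transform, the sample log lines and all helper names are constructed for the example. The `/(S(...))/` path form is the one ASP.NET uses for cookieless sessions; `ASP.NET_SessionId` and `OSSESSIONID` are the cookie names quoted earlier in the thread.

```python
import base64
import hashlib
import re
import secrets
from urllib.parse import parse_qs, urlsplit

# --- minimal server-side session store (constructed for illustration) ---
_SESSIONS = {}


def create_session(user):
    """Issue a random session ID and bind it to the user server-side."""
    token = secrets.token_urlsafe(24)
    _SESSIONS[token] = user
    return token


def resolve(token):
    """The server knows nothing about *who* presents the ID, only that it is valid."""
    return _SESSIONS.get(token)


# --- toy reversible transform standing in for "encrypting the session ID" ---
# Illustration only: a fixed keystream per key is reused for every token,
# which is not a safe cipher. The point is that the server must accept any
# value that decrypts correctly, so the sealed form is just as replayable.
def _keystream(key, n):
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def seal(token, key):
    data = token.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))
    return base64.urlsafe_b64encode(ct).decode().rstrip("=")


def unseal(sealed, key):
    ct = base64.urlsafe_b64decode(sealed + "=" * (-len(sealed) % 4))
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct)))).decode()


# ASP.NET cookieless sessions embed the ID in the path as /(S(<id>))/
COOKIELESS_PATH = re.compile(r"/\(S\(([A-Za-z0-9_\-]+)\)\)/")
URL_SESSION_PARAMS = ("ASP.NET_SessionId", "OSSESSIONID")


def cookieless_url(base, sealed_token, page):
    return f"{base}/(S({sealed_token}))/{page}"


def resolve_from_url(url, key):
    """What a cookieless server does: unseal the ID from the path and look it
    up. Whoever holds the URL gets the session, original user or not."""
    m = COOKIELESS_PATH.search(url)
    if not m:
        return None
    return resolve(unseal(m.group(1), key))


# --- defender side: find session IDs that leaked into access logs ---
LOG_SAMPLE = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /(S(abc123))/Orders.aspx HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /Orders.aspx HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /Report.aspx?ASP.NET_SessionId=xyz HTTP/1.1" 200 99
"""


def find_session_ids_in_log(text):
    """Return (location, id) for every request URL carrying a session ID.
    A cookie-based session never appears in this column of the log."""
    hits = []
    for line in text.splitlines():
        m = re.search(r'"(?:GET|POST) (\S+) ', line)
        if not m:
            continue
        url = m.group(1)
        p = COOKIELESS_PATH.search(url)
        if p:
            hits.append(("path", p.group(1)))
            continue
        qs = parse_qs(urlsplit(url).query)
        for name in URL_SESSION_PARAMS:
            if name in qs:
                hits.append(("query", qs[name][0]))
    return hits


def session_cookie_header(token, name="ASP.NET_SessionId"):
    """The cookie-based alternative, with the attributes that keep the ID out
    of scripts (HttpOnly), off plaintext links (Secure) and cross-site
    requests (SameSite)."""
    return f"{name}={token}; Path=/; Secure; HttpOnly; SameSite=Lax"
```

Run `resolve_from_url` twice with the same URL and it returns the same user both times: the server has no way to tell the original browser from anyone who received the link, sealed or not. The log scanner is the practical check to run on a cookieless deployment before deciding the URL form is acceptable.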

Thanks Kumar for highlighting the important points.