Harald Ponce de Leon, on 23 February 2012 - 08:21 AM, said:
If the customer has cookies disabled, is it safe to assume they would have the knowledge to set an exception to the shop if they really wanted to purchase something?
On the other hand, a customer that does not know the technical issues and copies a URL containing their session ID to share with a friend (rarely for first time visits, probable switching between http and shared-https states), will be disgruntled when they find out the friend is logged in to their session and loses trust in the shop.
I think there are probably people that turn cookies off because they are told that is safer to do so, not knowing why, and would not change them, even if they knew how. Whether that is one person out of 100 or out of 10,000 is anyones guess.
Yes, copying session ID's is a problem as can be seen by the many posts about it on this forum. In most cases, it is just a setup problem in the configure file, session settings and tmp directory existence and/or path to it. I think all of those could be fixed by including a quick little script during, or after, the installation that checks them. Most shop owners don't know enough to check the obvious problems so doing that for them would greatly reduce the chance of a SID being copied.