[nycphp-talk] to rewrite or not to rewrite URLs...
Analysis & Solutions
danielc at analysisandsolutions.com
Tue Aug 5 14:02:34 EDT 2003
Hi Folks:
On Fri, Jul 18, 2003 at 02:53:35PM -0400, David Mintz wrote:
>
> Do you guys use URL rewriting to ensure that the session id is propagated
> from page to page even if the user refuses your cookie?
Yes. It guarantees access to your resources. I don't even bother with
cookies, because managing them differs slightly from browser to browser.
Even if users accept one cookie from you, there's no guarantee they'll
continue to do so, thus, it's difficult to manage sessions reliably with
them.
> I've read somewhere that it can cause 'confusion' or 'problems' if the
> user bookmarks a URL with a session id in the query string, and tries to
> access the page after the session is over, but those readings did not say
> whether you should really worry about it or what the worst case scenario
> is.
This can happen with cookie based sessions too if the cookie hasn't
expired or been deleted by the next time the user arrives.
It's not a problem if you structure your system effectively. The way to
handle situations like these is to have your session system keep track of
the last time the session was used. If it's longer than your timeout,
kill the old session and start a new one... and if the current page
requires authorization, don't show them the stuff.
I just whipped up a new session manager which takes advantage of PHP's
transparent session id propagation, plus some other handy tricks. It's
available on my website:
http://www.analysisandsolutions.com/software/session-simple/
I'd love to get some peer review on the program, so please check it out.
Enjoy,
--Dan
--
FREE scripts that make web and database programming easier
http://www.analysisandsolutions.com/software/
T H E A N A L Y S I S A N D S O L U T I O N S C O M P A N Y
4015 7th Ave #4AJ, Brooklyn NY v: 718-854-0335 f: 718-854-0409
More information about the talk
mailing list