httpd-users mailing list archives

From Jurgen <apa...@squarehosting.com>
Subject Re: [users@httpd] Identifying a session
Date Sat, 28 Dec 2002 01:07:41 GMT
Hi,

IP-based would be a great solution, because you would only need to map the IP to the session id.
You could even use the IP as the session id. But as Chris already said, it is easily possible that
one IP is used by several people. This is especially a problem if you deal with sensitive data.
So all that's left is cookies and URLs. With cookies you depend on the browsers, and with URLs
you will have a lot of work.
If you would like it to be Apache-based only, you could use mod_rewrite and some Perl with the
cookie value, but for that the cookie has to be set already, and it really doesn't make much
sense that way.

Jurgen


On Fri, 27 Dec 2002 23:49:15 -0000
"Chris Taylor" <chris@x-bb.org> wrote:

> Hmmm, an interesting one. AFAIK this isn't possible with stock
> Apache. PHP and the like support session-based functions, but of
> course the SID is only accessible to PHP scripts. I think PHP's
> session functions allow you to do it without cookies, but with the ID
> pasted onto URLs (which can get annoying to code).
> 
> JSP uses sessions internally I believe, but I've only just started
> messing around with it so I'm not certain how much you can do with
> this SID. I doubt it's accessible to other CGI engines, for one
> thing.
> 
> If you're thinking along the lines of htaccess login-type stuff,
> you're out of luck, it doesn't involve a session of any kind on the
> server, it's all controlled at the browser end, no SID is used or
> needed.
> 
> I think *maybe* you could do something like this using a text file or
> a database to store SIDs and manage the whole session thing yourself,
> maybe using Perl or another scripting language, but I can imagine it
> being quite a lot of work (considering PHP's session functions are
> already so simple to use) to implement.
> 
> mod_usertrack lets you follow users, but I seem to remember cookies
> are essential. In fact, cookies are the best way to do this anyway,
> given that you need to be able to track multiple users from the same
> IP (like at a university). This would be pretty hard to implement
> purely server-side IMO :)
> 
> HTH,
> 
> Chris Taylor - chris@x-bb.org - The guy with the PS2 WebServer -
> http://www.x-bb.org/chris.asc
> 
> ----- Original Message -----
> From: "Lukas Ruf" <ruf@rawip.org>
> To: <users@httpd.apache.org>
> Sent: Friday, December 27, 2002 10:02 PM
> Subject: [users@httpd] Identifying a session
> 
> 
> > Dear all,
> > 
> > is there an easy way to identify a session of a user?
> > 
> > Explaining my problem:
> > - I would like to log in to some web page.
> > - After a successful login, I have a valid session id -- that's what I
> >   would like to have.
> > - This session id should be retrievable by any SSI or CGI running on
> >   this web-page.
> > - Further, this session id should be invalidatable, i.e. the
> >   SSI/CGI scripts should be able to invalidate this id.
> > 
> > Is there any way to handle such a problem?
> > 
> > Thanks in advance.
> > Lukas
> > PS: If possible, I would like to avoid making use of cookies, i.e. the
> >     whole procedure should be server-based only.
> > -- 
> > Lukas Ruf
> > http://www.lpr.ch
> > Wanna know anything about raw ip? 
> > Join rawip@rawip.org on http://www.rawip.org
> > 
> > --------------------------------------------------------------------
> > - The official User-To-User support forum of the Apache HTTP Server
> > Project. See <URL:http://httpd.apache.org/userslist.html> for more
> > info.
> > To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> >    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> > For additional commands, e-mail: users-help@httpd.apache.org
> 

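The trade-off discussed in this thread, as an added example that is not part of the original messages: a server-side session table keyed by a random SID (which still has to reach the server in a cookie or URL), next to the IP-keyed variant, where two users behind one address collide. The class and function names, the TTL, the in-memory dict standing in for a text file or database, and the sample addresses are assumptions made for the illustration.

```python
import secrets
import time

# Constructed sample: two users share one address (e.g. a campus proxy).
SAMPLE_LOGINS = [("192.0.2.10", "alice"), ("192.0.2.10", "bob"),
                 ("198.51.100.7", "carol")]


class SessionStore:
    """Server-side table mapping an unguessable SID to a user."""

    def __init__(self, ttl=1800):
        self.ttl = ttl        # session lifetime in seconds (assumed value)
        self._sessions = {}   # sid -> (user, expiry); stands in for a file or DB

    def create(self, user, now=None):
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[sid] = (user, now + self.ttl)
        return sid

    def lookup(self, sid, now=None):
        """Return the user for a live SID, or None if unknown or expired."""
        now = time.time() if now is None else now
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        user, expiry = entry
        if now >= expiry:
            del self._sessions[sid]  # expired: drop it server-side
            return None
        return user

    def invalidate(self, sid):
        """Logout: any script sharing the store can revoke the SID."""
        return self._sessions.pop(sid, None) is not None


def ip_keyed_collision(logins):
    """Return (actual user, user the server sees) when the IP is the key."""
    by_ip = {}
    for ip, user in logins:
        by_ip[ip] = user  # a later login from the same IP overwrites
    return [(user, by_ip[ip]) for ip, user in logins]
```

With the sample logins, the IP-keyed table identifies alice as bob, while the SID-keyed store keeps the two sessions separate and lets either one be revoked on its own.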

