Date: Fri, 27 Dec 2002 20:07:41 -0500
From: Jurgen
To: users@httpd.apache.org
Subject: Re: [users@httpd] Identifying a session
Message-Id: <20021227200741.59965930.apache@squarehosting.com>

Hi,

IP based would be a great solution, because you only needed to map the IP to the session id. You could even use the IP as sessionid. But as Chris already said, it is easily possible that one IP is used by several people. This is especially a problem if you deal with sensitive data.

So all that's left is Cookies and URLs. With cookies you depend on the browsers and with URLs you will have a lot of work.

If you would like it only apache based you could use mod-rewrite and use some Perl with the cookie value, but for that the cookie has to be set already and it really doesn't make much sense that way.

Jurgen

On Fri, 27 Dec 2002 23:49:15 -0000 "Chris Taylor" wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hmmm, an interesting one. AFAIK this isn't possible with stock
> Apache. PHP and the like support session-based functions, but of
> course the SID is only accessible to PHP scripts. I think PHP's
> session functions allow you to do it without cookies, but with the ID
> pasted onto URLs (which can get annoying to code).
>
> JSP uses sessions internally I believe, but I've only just started
> messing around with it so I'm not certain how much you can do with
> this SID. I doubt it's accessible to other CGI engines, for one
> thing.
>
> If you're thinking along the lines of htaccess login-type stuff,
> you're out of luck, it doesn't involve a session of any kind on the
> server, it's all controlled at the browser end, no SID is used or
> needed.
>
> I think *maybe* you could do something like this using a text file or
> a database to store SIDs and manage the whole session thing yourself,
> maybe using Perl or another scripting language, but I can imagine it
> being quite a lot of work (considering PHP's session functions are
> already so simple to use) to implement.
>
> mod_usertrack lets you follow users, but I seem to remember cookies
> are essential. In fact, cookies are the best way to do this anyway,
> given that you need to be able to track multiple users from the same
> IP (like at a university). This would be pretty hard to implement
> purely server-side IMO :)
>
> HTH,
>
> Chris Taylor - chris@x-bb.org - The guy with the PS2 WebServer -
> http://www.x-bb.org/chris.asc
>
> - ----- Original Message -----
> From: "Lukas Ruf"
> To:
> Sent: Friday, December 27, 2002 10:02 PM
> Subject: [users@httpd] Identifying a session
>
>
> > Dear all,
> >
> > is there an easy way to identify a session of a user?
> >
> > Explaining my problem:
> > - I would like to login into some web page.
> > - After a successful login, I have a valid session id -- that's what I
> >   would like to have.
> > - This session id should be retrievable by any SSI or CGI running on
> >   this web-page.
> > - Further, this session id should be invalidateable, i.e. the
> >   SSI/CGI scripts should be able to invalidate this id.
> >
> > Is there any way to handle such a problem?
> >
> > Thanks in advance.
> >
> > Lukas
> >
> > PS: If possible, I would like to avoid making use of cookies, i.e. the
> >     whole procedure should be server-based only.
> > --
> > Lukas Ruf
> > http://www.lpr.ch
> > Wanna know anything about raw ip?
> > Join rawip@rawip.org on http://www.rawip.org
> >
> > --------------------------------------------------------------------
> > - The official User-To-User support forum of the Apache HTTP Server
> > Project. See for more
> > info.
> > To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> > " from the digest: users-digest-unsubscribe@httpd.apache.org
> > For additional commands, e-mail: users-help@httpd.apache.org
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGPfreeware 7.0.3 for non-commercial use
>
> iQA/AwUBPgzm+Cqf8lmE2RZkEQK9DwCfRqc3uDJfqI+//8FefohIlmYPducAoKOf
> //yYlgRopyVGotsUTdJXfXJc
> =NkOQ
> -----END PGP SIGNATURE-----
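
The server-side SID table suggested in the thread (a text file or database holding session IDs that any CGI script can look up and invalidate), sketched as an added example that is not part of the original messages; it also shows why the client IP cannot serve as the key. The `SessionStore` class, its SQLite schema, the 1800-second lifetime and the sample address and user names are assumptions made for illustration.

```python
import secrets
import sqlite3
import time


class SessionStore:
    """Session table in one SQLite file that separate CGI processes can open."""

    def __init__(self, path, ttl=1800):  # ttl in seconds (assumed value)
        self.ttl = ttl
        self.db = sqlite3.connect(path)
        self.db.execute("CREATE TABLE IF NOT EXISTS sessions (sid TEXT PRIMARY KEY,"
                        " user TEXT NOT NULL, expires REAL NOT NULL)")

    def create(self, user, now=None):
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)  # random and unguessable, unlike an IP
        with self.db:  # commits on success
            self.db.execute("INSERT INTO sessions VALUES (?, ?, ?)",
                            (sid, user, now + self.ttl))
        return sid

    def lookup(self, sid, now=None):
        """Return the user for a live session, or None if unknown or expired."""
        now = time.time() if now is None else now
        row = self.db.execute("SELECT user FROM sessions WHERE sid = ?"
                              " AND expires > ?", (sid, now)).fetchone()
        return row[0] if row else None

    def invalidate(self, sid):
        with self.db:
            cur = self.db.execute("DELETE FROM sessions WHERE sid = ?", (sid,))
        return cur.rowcount == 1  # True only if the session existed


def ip_keyed_logins(logins):
    """Key by client IP instead: a later login from the same address replaces the earlier one."""
    table = {}
    for ip, user in logins:
        table[ip] = user
    return table


def demo():
    store = SessionStore(":memory:")  # a file path in real use
    # Constructed sample: two users behind one shared address.
    logins = [("192.0.2.10", "alice"), ("192.0.2.10", "bob")]
    sids = [store.create(user, now=1000.0) for _, user in logins]
    return store, sids, ip_keyed_logins(logins)
```

The SID still has to reach the server with every request, which is the cookie-or-URL choice the thread discusses.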