Re: [phplib] mod_rewrite for sessionids From: messju mohr (messju <email protected>)
Date: 08/26/00

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,

On Fri, 25 Aug 2000, Jeroen Laarhoven wrote:
> What happens if a search-engine spider comes to your site?
>
> - your session_nr will be in the index?
> - everybody coming from that index will use the same session?

that's a good point. And I really have no solution for that Problem yet.
Disallowing caching and Binding a session to a distinct IP could work in most
cases. For sessions that need authentation the problem mentionend above won't
occur. Though you should tell your users, that if they bookmark these pages
they are boorkmarking access to a autheticated(!) session. This also occurs
when bookmarking sessions that propagate their ID via get.

> Or am I missing something?
>
> Greetings
> Jeroen.

Unfortunately not. :)

regards
messju mohr
 
> = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
> Jeroen Laarhoven, Zwolle, Netherlands
> email: jeroen <email protected>
> www: http://jeroen.polder.net
> = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
>
> ----- Original Message -----
> From: "messju mohr" <messju <email protected>>
> To: <phplib <email protected>>
> Sent: Thursday, August 24, 2000 7:04 PM
> Subject: [phplib] mod_rewrite for sessionids
>
>
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Hello,
> >
> > I implemented propagation of session-IDs in the URL of the requested page.
> > By this you kann simply address your pages via relative links and always
> keep
> > your session-ID from one page to another. You don't need cookies or
> > $sess->purl() all the time.
> >
> > It was inspired by an example in the book "Web Application development
> with PHP
> > 4.0" by Tobias Ratschiller in the Chapter "Web Application Concepts - HTTP
> and
> > Sessions" and needs mod_rewrite.
> >
> > A patch to session.inc (I used php-lib-stable/php/session.inc from the
> > CVS-Repository) is included in this mail, since it is really small.
> >
> > I introduced a third $mode named "rewrite" in the Session class.
> > You can set a variable "rewrite_base" which specifies the PATH before
> > the "[session_id]/" part in the URL. rewrite_base defaults to "/" if not
> set.
> >
> > You have to put something like:
> >
> > RewriteEngine on
> > RewriteBase /
> > RewriteRule ^[0-9a-z]{32}/(.+) /$1
> >
> > or
> >
> > RewriteEngine on
> > RewriteBase /
> > RewriteRule ^(your_rewrite_base)[0-9a-z]{32}/(.+) $1$2
> >
> > in your httpd.conf in addition to your common php-lib-setup.
> >
> > A demonstration can be found at:
> > http://messju.internet-factory.de:42000/rewrite/session.php
> >
> > If you have any suggestions or comments feel free to email me.
> >
> > I hope I can contribute with that to the development of php-lib. php-lib
> is
> > great software that makes web application development being fun. All you
> > guys do a great job.
> >
> > And of course I really appreciate it, if something like the "rewrite"-mode
> > would go in the official php-lib distributions. :)
> >
> > regards
> > messju mohr

- --
  Matthias Mohr <m.mohr <email protected>> (Software-Entwicklung)
  Internet Factory AG, Niederlassung Industriestr. 11, 26121 Oldenburg
  Tel: (+49) (0)441 - 77 92 10 Fax: (+49) (0)441 - 77 92 177
  http://www.internet-factory.de

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.2 (GNU/Linux)
Comment: pgpenvelope 2.8.7 - http://pgpenvelope.sourceforge.net/

iEYEARECAAYFAjmnrd4ACgkQubKPpFA4n0WZlgCgld0yOstVzJAH0RJieeMmuMlw
vYgAoJoZ80nkcTw4z+zAkTh+hl2XsfLl
=/SZm
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: phplib-unsubscribe <email protected>
For additional commands, e-mail: phplib-help <email protected>