"Jamie O'Shaughnessy" <[EMAIL PROTECTED]> writes:

> 
> On 11 Oct 99 15:05:23 +0100, you wrote:
> 
> >I was actually looking at a PerlTransHandler that I'd drop into
> >my site-wide files that would do something like the following:
> >
> >     my $uri = $r->uri;
> >     if ($uri =~ s#/@@(\d+)@@/#/#) {
> >       my $session = $1;
> >       $r->uri($uri);
> >       # header_in() with a value sets a request header for later phases
> >       $r->header_in(Session => $session);
> >     }
> >
> >This way, a session ID could be generated of the form
> >
> >     /some/path/@@123456@@/foo/bar.html
> >
> 
> But isn't the problem then that if the user cuts & pastes the URL for
> someone else to use (e.g. mails it to someone), they're also then passing
> on their authentication? 
> 
> Doesn't this also mean you can only have links from sessioned pages ->
> non-sessioned pages or sessioned pages -> sessioned pages and not
> non-sessioned pages -> sessioned pages? I'd classify a non-sessioned page
> as a static HTML page.
> 
> Have I missed something here?

Perhaps an MD2 or MD5 hash that has an IP and the username or some
other bumf as semi-authentication might do the trick?

We've done something similar for embedding URLs into newsletter type
emails so when people click through they come to something
personalised for them. 

Still, that's only for us pushing to them; anything involving money
requires a full session login on the secure server.


-- 
David Hodgkinson, Technical Director, Sift PLC    http://www.sift.co.uk
Editor, "The Highway Star"                   http://www.deep-purple.com
Dave endorses Yanagisawa saxes, Apache, Perl, Linux, MySQL, emacs, gnus
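
The signed-token idea from the reply above, as an added example that is not code from the thread: it uses HMAC-SHA256 from Digest::SHA with a server-side key in place of the bare MD2/MD5 hash mentioned, so a client cannot recompute the value. The key, token layout, 30-minute lifetime and helper names are assumptions, and the addresses are constructed.

```perl
# Added example: /@@token@@/ URL session token bound to username and client IP.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

my $SECRET  = 'constructed-demo-key-change-me';   # server-side only; placeholder value
my $MAX_AGE = 1800;                                # token lifetime in seconds (assumed)

# Token layout (assumed): <hex(username)>-<issue time>-<HMAC over user, IP, time>
sub make_token {
    my ($user, $ip, $now) = @_;
    my $mac = hmac_sha256_hex(join("\0", $user, $ip, $now), $SECRET);
    return join('-', unpack('H*', $user), $now, $mac);
}

# Returns the username if the token verifies for this client IP, else undef.
sub check_token {
    my ($token, $ip, $now) = @_;
    my ($hexuser, $issued, $mac) = $token =~ /\A([0-9a-f]+)-(\d+)-([0-9a-f]{64})\z/
        or return;
    return if $issued > $now || $now - $issued > $MAX_AGE;
    my $user   = pack('H*', $hexuser);
    my $expect = hmac_sha256_hex(join("\0", $user, $ip, $issued), $SECRET);
    # Compare every character instead of stopping at the first difference.
    my $diff = 0;
    $diff |= ord(substr($mac, $_, 1)) ^ ord(substr($expect, $_, 1)) for 0 .. 63;
    return $diff == 0 ? $user : undef;
}

# Strip /@@token@@/ from a URI, as the TransHandler sketch does with its numeric ID.
sub split_uri {
    my ($uri) = @_;
    my $token;
    $token = $1 if $uri =~ s#/\@\@([0-9a-f-]+)\@\@/#/#;
    return ($uri, $token);
}

# Constructed demonstration data (documentation-range IP addresses).
my $now   = time;
my $token = make_token('jamie', '192.0.2.10', $now);
my ($clean, $found) = split_uri("/some/path/\@\@$token\@\@/foo/bar.html");

for my $case (['same client',          '192.0.2.10',   $now],
              ['pasted URL, other IP', '198.51.100.7', $now],
              ['same client, expired', '192.0.2.10',   $now + $MAX_AGE + 1]) {
    my ($label, $ip, $t) = @$case;
    my $user = check_token($found, $ip, $t);
    printf "%-22s %s -> %s\n", $label, $clean, defined $user ? "user $user" : 'rejected';
}
```

Binding to the client IP rejects users whose address changes mid-session and does not separate users who share one proxy address, so this remains the semi-authentication the reply describes rather than a substitute for a login.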
