> Does this really work?  I tried this locally, and it didn't.
> The HTTP_REFERER was still sent as from the original page
> even though there was an intervening redirect script.
> This referer had the original session-id in it.
> 
> So a page like: page.asp?session-id=aasdfdasfdsafadsfadsf
> 
> which pointed to a redirect script for http://cnn.com like:
> 
> redirect.asp?url=http://cnn.com
> 
> At cnn.com, the HTTP_REFERER => page.asp?session-id=aasdfdasfdsafadsfadsf
> not redirect.asp?url=http://cnn.com as I would have hoped.
> 
> I don't need these non-cookie secure sessions myself, but if 
> I am going to give ASP developers a session option, it should be 
> possible to make secure.

Here is how I solved the problem with redirecting offsite when I am using
the URI for session tracking. Since I have never used ASP or Apache::ASP,
I am not sure if you could implement this somehow.

I fix up all offsite URLs (in my Racing_Links section) so that the href
looks like this:

<a href='/Redirect_External?redir_url=http://url.toget.com/blahblahblah'
target='new'>

The Redirect_External handler looks like this:
===============
package Apache_Car::Redirect_External;

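use strict;
use Apache::Constants qw|OK|;
use Apache::Util qw|escape_html|;

sub handler {
        my $r = shift;

        # Parameter hash reference stored in pnotes under 'Params_REF'
        my $params = $r->pnotes('Params_REF');
        # HTML-escape the target so it cannot break out of the content attribute
        my $redir_url = escape_html($params->{'redir_url'});

        $r->content_type('text/html');
        $r->send_http_header;

        # Zero-second meta refresh to the requested offsite URL
        print qq|<html><head><meta http-equiv=refresh
content='0;URL=$redir_url'></head><body></body></html>|;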
                
        return OK;
}

1;
__END__

I just use a meta refresh using 0 seconds and the requested uri. The key
is to make sure that you keep the user local on your site by having them
request a uri that does not have the session-key in the uri. I tried this
with both Netscape and IE4,5, and a real benefit was that the refreshed page
actually showed no referer in the apache logs for the requested site.

I guess you could implement this by changing the external link URIs to
point local, then dish out a page with the 0 second refresh.

my $.02

Bill


> -- Joshua
> _________________________________________________________________
> Joshua Chamas                         Chamas Enterprises Inc.
> NodeWorks >> free web link monitoring Huntington Beach, CA  USA 
> http://www.nodeworks.com                1-714-625-4051
> 


===========================================
Bill Desjardins    http://www.carracing.com
[EMAIL PROTECTED]        Tel: 305.205.8644
FREE Homepages for Racers and Race Tracks!!
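
Added example, not part of Bill's message or of Apache::ASP: a core-Perl sketch of the two steps described above, rewriting offsite links to the local redirector and building the zero-second refresh page only for absolute http(s) targets. The helper names, the host www.example.test and the sample HTML are constructed, and it assumes the redirector receives redir_url already percent-decoded.

```perl
# Added example, not code from this thread. Core Perl only; helper names,
# the host name and the sample HTML are constructed for illustration.
use strict;
use warnings;

# Percent-encode everything outside the RFC 3986 unreserved set.
sub uri_escape {
    my ($s) = @_;
    $s =~ s/([^A-Za-z0-9._~-])/sprintf('%%%02X', ord($1))/ge;
    return $s;
}

# Escape characters that could break out of an HTML attribute value.
sub html_escape {
    my ($s) = @_;
    my %ent = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$ent{$1}/g;
    return $s;
}

# Point every absolute http(s) link on another host at the local
# redirector, whose own URI carries no session key.
sub fixup_links {
    my ($html, $local_host) = @_;
    $html =~ s{(<a\s[^>]*?href=)(['"])(https?://([^/'":?#]+)[^'"]*)\2}{
        lc($4) eq lc($local_host)
            ? "$1$2$3$2"
            : "$1$2/Redirect_External?redir_url=" . uri_escape($3) . $2
    }gie;
    return $html;
}

# Interstitial page for an already-decoded redir_url, or undef when the
# value is not an absolute http(s) URL (javascript:, data:, relative, ...).
sub interstitial {
    my ($url) = @_;
    return undef unless defined $url
        && $url =~ m{\Ahttps?://[A-Za-z0-9.-]+(?::\d+)?(?:[/?#]\S*)?\z}i;
    my $safe = html_escape($url);
    return "<html><head><meta http-equiv=refresh content='0;URL=$safe'>"
         . "</head><body></body></html>";
}

my $page = qq|<a href='http://cnn.com/' target='new'>news</a> |
         . qq|<a href='http://www.example.test/local'>home</a>|;
print fixup_links($page, 'www.example.test'), "\n";
print interstitial('http://cnn.com/?a=1&b=2'), "\n";
print defined(interstitial('javascript:alert(1)')) ? "served\n" : "refused\n";
```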
