Hi,
why do you use cookies??? A lot of people hate them.
I think a much better idea is to put your sessionID in the PathInfo
of every requested URI.
So after the login your CGI generates a SessionID. Let's say your
CGI has the URI http://domain/mycgi.
After the login the CGI's output is just a refresh HTML page:
<html>
<head>
<meta http-equiv="refresh" content="0;URL=mycgi/sessionid/start.html">
</head>
</html>
Then, if you have a "secure" HTML tree which the logged-in client will be
able to use, it's very simple:
all hyperlinks within that tree must be referenced RELATIVE !!!
So the browser will always put "mycgi/sessionID" on "top" of every hyperlink
!!!!!
To make it secure : Your script needs to have its own "Documentroot"
which is only readable by your cgi......
(=> so your cgi has to read the pathinfo to get the sessionid and the requested
action/File. The file you have to read with your cgi. ...)
Every time the client is "using" that sessionID you can "touch" it after
checking it.
Then you just need a garbage collector which will destroy every sessionID after
5 (10, 20...) minutes without touch.
I think that solution is much better than cookies : it works on EVERY client !!!

(It's of course possible to let the user sign out .. logout.. that should destroy
the session as well !!)

With kind regards

Manfred Dehnkamp
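
The scheme described in the message above, sketched as an added example that is not part of the original post: a handler that takes the session id and requested file from PATH_INFO, expires idle sessions, touches the session on use, and refuses paths that leave the private document root. The function names, the in-memory session table and the `/srv/private` path used with it are assumptions made for illustration.

```python
import os
import secrets
import time

IDLE_TIMEOUT = 5 * 60   # seconds without a "touch" before a session is destroyed
SESSIONS = {}           # session id -> last-touch time (in-memory stand-in for a real store)

def new_session(now=None):
    """Issue an unguessable session id at login (hypothetical helper)."""
    sid = secrets.token_urlsafe(32)          # URL-safe alphabet, never contains "/"
    SESSIONS[sid] = time.time() if now is None else now
    return sid

def collect_garbage(now):
    """Destroy every session that has not been touched within IDLE_TIMEOUT."""
    for sid in [s for s, t in SESSIONS.items() if now - t > IDLE_TIMEOUT]:
        del SESSIONS[sid]

def resolve(path_info, docroot, now=None):
    """Map PATH_INFO '/<sid>/<file>' to a file inside docroot, or return None."""
    now = time.time() if now is None else now
    collect_garbage(now)
    parts = path_info.lstrip("/").split("/", 1)
    if len(parts) != 2 or not parts[1] or parts[0] not in SESSIONS:
        return None                          # missing, unknown or expired session id
    sid, requested = parts
    root = os.path.realpath(docroot)
    target = os.path.realpath(os.path.join(root, requested))
    # The CGI reads the file itself, so it must reject "../", absolute paths
    # and symlinks that would resolve outside its private document root.
    if target == root or os.path.commonpath([root, target]) != root:
        return None
    SESSIONS[sid] = now                      # "touch" the session after checking it
    return target

def logout(sid):
    """Explicit sign-out destroys the session immediately."""
    SESSIONS.pop(sid, None)
```

Because the id travels in the URL, it also ends up in server logs, browser history and Referer headers sent to linked sites, so the idle timeout and the logout path carry most of the protection.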


