On Tue, 9 May 2000, Tobias Hoellrich wrote:
> Tom,
>
> At 02:02 PM 5/9/00 -0700, Tom Mornini wrote:
> >That is the tricky part. :-)
> >
> >Here's the sneaky way to handle it: Put the Session ID at the beginning of
> >the URI. If a request comes in with a Session ID, then strip it out of
> >$r->uri. If a request comes in without one, redirect them to the same URI
> >with a session ID in place.
> >
> >In our case, this is handled by a trans handler that stores state in
> >$r->pnotes, and a fixup handler that reads $r->pnotes and
> >$r->set_handlers() in the redirect handler into the response phase.
> >
> >The cool thing about this is that relative links need not be rewritten at
> >all, the browser handles it!
> >
>
> and what happens when somebody bookmarks a URL with the session-id
> prepended and comes back a week later with an invalid session-id in the URL?

Why is the session ID invalid just because they left for a week? Ask them
to authenticate again and take them right back to whatever they were
doing.

On some sites bookmarking the URL with the session ID embedded is the
optimal behavior.

-jwb
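
The URI handling discussed in this thread, as an added example that is not code from any of the posters: strip a leading session ID, redirect when it is missing, and treat a stale bookmarked ID by issuing a fresh unauthenticated session while keeping the path. The names `route_request` and `new_session_id`, the 32-hex-digit ID format and the one-hour lifetime are assumptions; only the decision logic is modelled, so it runs under plain perl without Apache.

```perl
# Added example: models the URI logic only. In mod_perl the input would be
# $r->uri in a trans handler and the result would be kept in $r->pnotes.
use strict;
use warnings;

my $TTL = 3600;    # assumed session lifetime in seconds

# Hypothetical ID generator: 16 bytes from the kernel CSPRNG, hex encoded.
sub new_session_id {
    open(my $fh, '<:raw', '/dev/urandom') or die "urandom: $!";
    read($fh, my $buf, 16) == 16 or die "short read from urandom";
    close $fh;
    return unpack('H*', $buf);
}

# Decide what to do with one request URI.
# $sessions maps session ID => { expires => epoch, authenticated => 0|1 }.
sub route_request {
    my ($uri, $sessions, $now) = @_;
    # Only a leading segment of exactly 32 lowercase hex digits is an ID.
    if ($uri =~ m{^/([0-9a-f]{32})(/.*)?$}) {
        my ($sid, $rest) = ($1, defined $2 ? $2 : '/');
        my $s = $sessions->{$sid};
        if ($s && $s->{expires} > $now) {
            $s->{expires} = $now + $TTL;    # sliding expiry
            return { action => 'serve', uri => $rest, session => $sid };
        }
        # Unknown or expired (the week-old bookmark): never adopt the ID
        # the client sent. Issue a fresh one below and keep the path.
        $uri = $rest;
    }
    my $sid = new_session_id();
    $sessions->{$sid} = { expires => $now + $TTL, authenticated => 0 };
    return { action => 'redirect', location => "/$sid$uri" };
}

# Constructed sample data: one live session and one that expired a week ago.
my $now = time;
my ($live, $stale) = ('a' x 32, 'b' x 32);
my %sessions = ($live  => { expires => $now + 600,       authenticated => 1 },
                $stale => { expires => $now - 7 * 86400, authenticated => 1 });
for my $uri ('/cart/view', "/$live/cart/view", "/$stale/cart/view") {
    my $r = route_request($uri, \%sessions, $now);
    print "$uri => $r->{action} ", ($r->{uri} || $r->{location}), "\n";
}
```

Because the replacement session starts with `authenticated => 0`, the application's own login check decides whether `/cart/view` needs re-authentication before it is served, and the preserved path is where the user lands afterwards.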