So as I see it there are essentially 2 *mostly* reliable ways, cookies
and url-rewriting. Both have drawbacks and neither is 100%. There
really isn't a way to cross-reference anything else (IP or login) because
there are valid reasons for a user to come from multiple IP addresses
during a session (albeit rare), and sessions may be needed without
requiring a user to login.

It also doesn't make sense to try to rely on both cookies and
url-rewriting, that would just get sloppy and waste time. The only thing
to do is to pick one or the other and deal with the drawbacks associated
with that...

URLS:
- redirecting to a different site sends the session_id in the
HTTP_REFERER in some browsers, which ruins it for the rest of the world ;)
- requires site-wide url-rewriting or site-wide relative links (including
things like "../../index.html" which seems ugly IMO)
- users bookmarking with the session_id which may be expired on the server
side thus negating the bookmarked session.
- messes up logging unless a custom logging handler, or url-rewriting
before logging is implemented

Cookies:
- Turned off by user
- May be blocked altogether by some proxies.

I'm sure I missed some points, but it's all I can think of at this
time.

Jay Jacobs
LachNet Inc.
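
The "url-rewriting before logging" point in the URLS list, as an added example that is not part of the original post: each session_id in an access-log line (request URL and Referer) is replaced with a keyed pseudonym, so the log no longer holds a usable session id but requests can still be grouped per session. It assumes the id is a query-string parameter named session_id and Apache combined log format; the log lines, key and function names are constructed for illustration.

```python
import hashlib
import hmac
import re

# Assumption: the id travels as a query-string parameter named "session_id".
SESSION_PARAM = re.compile(r'(?P<sep>[?&;])session_id=(?P<sid>[^&;\s"#]+)')


def pseudonym(sid: str, key: bytes) -> str:
    """Keyed, truncated digest: stable per session, not usable as a session id."""
    return hmac.new(key, sid.encode(), hashlib.sha256).hexdigest()[:12]


def scrub_line(line: str, key: bytes) -> str:
    """Rewrite every session_id value in one log line (request URL and Referer)."""
    return SESSION_PARAM.sub(
        lambda m: f"{m['sep']}session_id=sid-{pseudonym(m['sid'], key)}", line
    )


def scrub_log(lines, key: bytes):
    """Scrub an iterable of log lines; lines without a session_id pass through."""
    return [scrub_line(line, key) for line in lines]


# Constructed sample lines (combined log format), not taken from a real server.
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] '
    '"GET /cart?session_id=Zq7xTokenZ&item=4 HTTP/1.0" 200 512 "-" "Mozilla/4.0"',
    '192.0.2.10 - - [01/Jan/2024:10:00:05 +0000] '
    '"GET /pay?item=4&session_id=Zq7xTokenZ HTTP/1.0" 200 734 '
    '"http://shop.example/cart?session_id=Zq7xTokenZ&item=4" "Mozilla/4.0"',
    '198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] '
    '"GET /index.html HTTP/1.0" 200 100 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    # The key is a placeholder; a real one stays off the log host's disk copy.
    for scrubbed in scrub_log(SAMPLE, b"constructed-log-key"):
        print(scrubbed)
```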