So as I see it there are essentially 2 *mostly* reliable ways, cookies
and url-rewriting.  Both have drawbacks and neither is 100%.  There
really isn't a way to cross-reference anything else (IP or login) because
there are valid reasons for a user to come from multiple IP addresses
during a session (albeit rare), and sessions may be needed without
requiring a user to login.
  It also doesn't make sense to try to rely on both cookies and
url-rewriting, that would just get sloppy and waste time.  The only thing
to do is to pick one or the other and deal with the drawbacks associated
with that...

URLS:
- redirecting to a different site sends the session_id in the
HTTP_REFERER in some browsers, which ruins it for the rest of the world ;)
- requires site-wide url-rewriting or site-wide relative links (including
things like "../../index.html" which seems ugly IMO)
- users bookmarking with the session_id which may be expired on the server
side thus negating the bookmarked session.
- messes up logging unless a custom logging handler, or url-rewriting
before logging is implemented

Cookies:
- Turned off by user
- May be blocked altogether by some proxies.

I'm sure I missed some points, but it's all I can think of at this
time.

Jay Jacobs
LachNet Inc.
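
An added example, not part of the original post: one way to do the "url-rewriting before logging" step from the URLS list, removing the session ID from both the requested URL and the Referer field of an access-log line so the ID is not stored in logs. The `session_id` query parameter, the 32-hex-digit path prefix, the Combined Log Format layout and the sample line are all assumptions made for illustration.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SESSION_PARAM = "session_id"                      # assumed query parameter name
PATH_ID = re.compile(r"^/[0-9a-f]{32}(?=/|$)")    # assumed path-prefix ID format

# Combined Log Format: the request line and the Referer are quoted fields.
LOG_LINE = re.compile(
    r'^(?P<pre>.*? ")(?P<method>[A-Z]+) (?P<url>\S+) (?P<proto>[^"]+)'
    r'(?P<mid>" \d{3} \S+ ")(?P<ref>[^"]*)(?P<post>".*)$'
)

def scrub_url(url):
    """Drop the session ID from the path prefix and the query string."""
    parts = urlsplit(url)
    path = PATH_ID.sub("", parts.path) or "/"
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k != SESSION_PARAM]
    return urlunsplit((parts.scheme, parts.netloc, path,
                       urlencode(kept), parts.fragment))

def scrub_log_line(line):
    """Scrub the requested URL and the Referer; pass other lines through."""
    m = LOG_LINE.match(line)
    if not m:
        return line
    ref = m["ref"] if m["ref"] in ("", "-") else scrub_url(m["ref"])
    return (f'{m["pre"]}{m["method"]} {scrub_url(m["url"])} {m["proto"]}'
            f'{m["mid"]}{ref}{m["post"]}')

# Constructed sample line (not from a real server).
SAMPLE = (
    '192.0.2.10 - - [10/Oct/2001:13:55:36 -0500] '
    '"GET /index.html?session_id=abc123&page=2 HTTP/1.0" 200 2326 '
    '"http://shop.example/0123456789abcdef0123456789abcdef/cart.html" '
    '"Mozilla/4.08"'
)

if __name__ == "__main__":
    print(scrub_log_line(SAMPLE))
```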
