> Hi,
> 
> After reading an interesting thread here about session management I
> would like to detect if the user's browser refuses cookies and switch
> Apache::Session from cookie mode to URL mangling mode.
> 
> Has someone already tackled this and would be so kind to share the
> solution?
> 

We are playing around with this at the moment in a Mason based site: what we
do is:

If a request comes in with no session id (either in cookie or path): check
list of "cookies sent to" browsers (keyed by client IP address). If we haven't
seen this host recently (we currently remember the last 50 cookie attempts)
then attempt to issue a cookie, otherwise insert a session id at head of path.

If we apparently have a session id in the request, validate the requestor
session (we don't want to force users to login for the free part of the site:
we would rather tease them in & get them to register sometime later) by:

1. checking session is still active
2. checking {remote IP address, User-Agent} for user with that stored in the
session database in case a path based session has been passed between users.

If these checks fail then initiate a new session.

We have a further wrinkle on this in that we attempt to detect visits from
search engine trawlers by looking at the User-Agent field & never use path
based session ids for them (they mostly don't return cookies) -- I didn't like
the idea of publishing session ids on search engine listings. Because of their
usage pattern & with a bit of care in the use of session data we have
constructed a site which still works when entered at any page with a virgin
user session.

For 'sensitive' areas of the site the user must validate themselves against
the session they purport to be using.

All in all this is very tedious!

regards,
David Lamkin
[EMAIL PROTECTED]

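The decision procedure David describes (cookie attempt on first sight of a host, path-based id as fallback, session bound to remote IP and User-Agent, never a path id for crawlers), written out as an added Python example; this is not code from the original post or from Apache::Session, and the crawler marker list, the 50-entry window, the session store and the request parameters are assumptions.

```python
import secrets
from collections import OrderedDict

# Constructed marker list; real crawler detection needs a maintained UA list.
CRAWLER_UA_MARKERS = ("googlebot", "slurp", "bingbot", "spider", "crawler")
RECENT_COOKIE_ATTEMPTS = 50   # the "last 50 cookie attempts" window from the post


class SessionGate:
    def __init__(self):
        self.cookie_attempts = OrderedDict()   # client IP -> None, oldest first
        self.sessions = {}                     # sid -> {"ip", "ua", "active"}

    def _remember_cookie_attempt(self, ip):
        self.cookie_attempts[ip] = None
        self.cookie_attempts.move_to_end(ip)
        while len(self.cookie_attempts) > RECENT_COOKIE_ATTEMPTS:
            self.cookie_attempts.popitem(last=False)   # forget the oldest host

    def _new_session(self, ip, ua):
        sid = secrets.token_hex(16)            # unguessable id, never a counter
        self.sessions[sid] = {"ip": ip, "ua": ua, "active": True}
        return sid

    def validate(self, sid, ip, ua):
        """Checks 1 and 2 from the post: the session is still active and bound to
        the same {remote IP, User-Agent}, so a path id handed to another user fails."""
        s = self.sessions.get(sid)
        return bool(s and s["active"] and s["ip"] == ip and s["ua"] == ua)

    def handle(self, ip, ua, cookie_sid=None, path_sid=None):
        """Returns (transport, sid); transport is 'existing', 'cookie' or 'path'."""
        sid = cookie_sid or path_sid
        if sid is not None and self.validate(sid, ip, ua):
            return "existing", sid
        # Nothing usable was presented (or the checks failed): start a fresh session.
        sid = self._new_session(ip, ua)
        is_crawler = any(m in ua.lower() for m in CRAWLER_UA_MARKERS)
        if is_crawler or ip not in self.cookie_attempts:
            # First sight of this host, or a crawler (which never gets a path id):
            # ask the caller to emit Set-Cookie and remember that we tried.
            if not is_crawler:
                self._remember_cookie_attempt(ip)
            return "cookie", sid
        # Host was offered a cookie recently and came back without one: fall back
        # to carrying the id at the head of the path.
        return "path", sid
```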