Hi, throughout my web pages I provide a link for the user to log in, which
goes to a username/password check which then forwards the user back to the
original page where he clicked "login".  The login link is implemented with:

<a href="/user/login?return_url=<%=$Server->URLEncode($ENV{REQUEST_URI})%>">
login
</a>

And of course /user/login (an ASP script) will eventually
$Response->Redirect() the client to the original URL.  The only problem is
that if a client's browser has cookies disabled, the ?session-id=blah
doesn't get encoded into their URL (thanks to SessionQueryParse) when they
first type in the URL.  So if they type "www.foo" and click login, it just
takes them back to "www.foo" without preserving the session-id, and it looks
like they haven't logged in at all (and indeed they are running under a
different session-id).  If they load "www.foo" and click on a link which I
typed in as "www.foo" they stay in the same session because the link becomes
"www.foo?session=blah".  Then logging in works fine.

So, is there a way I can make the Apache::ASP handler (or some other
component of Apache) redirect cookieless clients to scripts whose URIs
contain a session id?

The other related problem is that when a client that allows cookies visits a
page for the first time, all their link URLs have session-ids parsed into
them unnecessarily.

This is the method that I have in mind that I think would resolve these
issues.  A hit to a web page with session tracking does this:

Hit to "www.foo/bar".  If client delivers session-id cookie, deliver plain
page for cookied clients.  If query string contains session-id, deliver a
page with session-ids parsed into links for cookieless clients.  If client
delivers no cookie and session-id is not in URL, set cookie and redirect to
self-URL with session-id parsed in.

Even this isn't perfect though, since the URI will sometimes unnecessarily
contain the session-id value for cookied browsers.  This will still
contaminate the return_url for my login procedure, but at least the link and
image URLs from the first page won't be uglified.  

The perfect solution would be to redirect the client to the self-URL without
the session-id in their query string when *both* a cookie is sent and a
session-id is in the query string.  Combined with the method above, this
would result in a cookied browser doing:

1. user types "www.foo", server receives no cookie
2. server sends cookie and forwards to "www.foo?session-id=blah"
3. server receives cookie and forwards to "www.foo"
4. server delivers plain "www.foo"

And a cookieless browser:

1. user types "www.foo", server receives no cookie
2. server sends cookie and forwards to "www.foo?session-id=blah"
3. server receives no cookie and delivers request for "www.foo" with
session-ids parsed into all links

Basically, the stable cases (sending cookies OR sending ids in query-string)
are fine, it's just the cases of neither or both being sent that need to be
fixed.

So... can I make these sorts of things happen?  Should I care?  Is there a
way I can find out whether the user's browser is cookied for session-id from
within the ASP script?

Thanks,
shimon.

p.s. Apache::ASP is great!  I love it!  What a timesaver and so easy to work
with!
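
The four cases described in the message above (cookie only, query-string id only, neither, both), written out as a pure decision function. This is an added example, not code from the original post or from Apache::ASP; it calls no Apache::ASP API, and the names decide, split_uri and join_uri, the action labels and the sample requests are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

my $PARAM = 'session-id';    # query parameter name as written in the post

# Split a request URI into its path, its session id (if any) and the
# remaining query pairs, which are kept in their original order.
sub split_uri {
    my ($uri) = @_;
    my ($path, $query) = split /\?/, $uri, 2;
    my ($sid, @rest);
    for my $pair (split /[&;]/, $query // '') {
        if ($pair =~ /^\Q$PARAM\E=(.*)$/) { $sid = $1 }
        else                              { push @rest, $pair }
    }
    return ($path, $sid, @rest);
}

# Rebuild a URI from a path and a list of query pairs.
sub join_uri {
    my ($path, @pairs) = @_;
    return @pairs ? $path . '?' . join('&', @pairs) : $path;
}

# Returns (action, location). $cookie_sid is undef when no cookie was sent;
# $new_sid is the id the server would issue to a brand-new client.
sub decide {
    my ($uri, $cookie_sid, $new_sid) = @_;
    my ($path, $query_sid, @rest) = split_uri($uri);
    my $has_cookie = defined $cookie_sid && length $cookie_sid;
    my $has_query  = defined $query_sid  && length $query_sid;

    return ('redirect_strip_id', join_uri($path, @rest))
        if $has_cookie && $has_query;                        # both: clean the URL
    return ('serve_plain', undef)           if $has_cookie;  # stable: cookied
    return ('serve_rewritten_links', undef) if $has_query;   # stable: cookieless
    return ('set_cookie_and_redirect',                       # neither: probe
            join_uri($path, @rest, "$PARAM=$new_sid"));
}

# Constructed sample requests: [request URI, cookie value or undef]
for my $req (['/bar', undef], ['/bar?session-id=blah', 'blah'],
             ['/bar?x=1&session-id=blah', undef], ['/bar?x=1', 'blah']) {
    my ($action, $loc) = decide($req->[0], $req->[1], 'blah');
    printf "%-26s cookie=%-5s -> %s%s\n", $req->[0], $req->[1] // 'none',
        $action, defined $loc ? " $loc" : '';
}
```

In the "both" case the cookie takes precedence and the query-string value is dropped, so an id carried in a followed link does not replace a session the browser already holds in a cookie.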
