Here we insert a session id on all requests with Apache::Session, whether the request is for a static or dynamic page, and have a TransHandler to strip the session id and insert it into %ENV, which seems to work for us. With this approach we don't necessarily need cookies, but verifying that a user is who the session was originally assigned to without a cookie is really impossible. At least to me, with the limited amount of brain time I have put into it. Using some algorithm consisting of the end-user's IP and some random number is OK until users behind the same NAT device try to steal each other's sessions. Using the cookie is a way to verify that a user is the owner of the session id.
I hope this doesn't sound like the ramblings of a mad man, but in general I think SESSION cookies are ok and you should feel ok using them. I hope this helps a little.

--Joe Breeden
---------------------------------------
If it compiles - Ship It!
Aranea Texo

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, November 15, 2001 4:25 PM
> To: mod_perl List
> Subject: Re: Cookie authentication
>
>
> On 15 Nov 2001, at 12:16, Andrew Ho wrote:
>
> > CD>It seems you can't do anything online without having cookies turned on
> > CD>(yahoo, bankone, huntington, ebay, etrade ) and I think internet users
> > CD>have accepted this.
> >
> > Methinks there is a need to write a transparent "store cookies on URL"
> > module. I seem to recall at least one major Apache module having an option
> > to use URL-based authentication instead of cookie-based... but I can't
> > seem to find that from a cursory perusal of CPAN.
>
> http://perl.apache.org/guide/modules.html#Apache_Session_Maintain_sessi
>
> I used Apache::Session and HTML::Template to embed the session_id in the
> url in a recent job site. I planned this before I built the site (all
> templates built according to the plan :). No problems there. There were
> no static pages.
>
> I find cookies are used when one has a site with static/dynamic pages.
> How do you keep a user if they click to a static page? I don't know.
>
> But one should always check if a user has cookies turned on. I recall an
> internal site I did for FedEx a few years back and I used cookies for it
> as it was before my mod_perl use. Well it turned out that the
> vice-president had cookies turned off. He was not a customer we wanted to
> ignore:)
>
> Peter
> "A government that robs Peter to pay Paul can always depend upon the
> support of Paul." -- George Bernard Shaw
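The TransHandler approach Joe describes, written out as an added example for this page; it is not Joe's code and not part of Apache::Session. It assumes a mod_perl 1 API (Apache::Constants, header_in, subprocess_env), a URL layout of the form /s/<32 hex session id>/real/path, a cookie named "owner" for the ownership check, a server-side secret $SECRET, and the package name My::SessionTrans; all of these are assumptions for illustration. The handler strips the session segment so the rest of translation (static files included) sees the real path, puts the id into the subprocess environment as Joe's setup does, and then does the one thing the post says a bare URL id cannot do: it checks whether the browser also presents a cookie that was bound to this session id when the session was created, so an id leaked through a Referer header or a shared NAT address is not enough on its own.

```perl
package My::SessionTrans;   # assumed package name, not from the original post
use strict;
use warnings;
use Apache::Constants qw(DECLINED);
use Digest::HMAC_SHA1 qw(hmac_sha1_hex);

# Server-side secret that binds a session id to the "owner" cookie.
# Assumed value; in practice load it from configuration, never hard-code it.
my $SECRET = 'replace-with-a-long-random-secret';

# Apache::Session ids are 32 hex characters; anything else is rejected
# before it can reach the session store.
my $SID_RE = qr{^/s/([0-9a-f]{32})(/.*)?$};

# Value the application sets as the "owner" cookie when it creates a session:
#   Set-Cookie: owner=<owner_token($sid)>; path=/
sub owner_token {
    my ($sid) = @_;
    return hmac_sha1_hex($sid, $SECRET);
}

# Parse "k=v; k2=v2" from the Cookie request header into a hash.
sub parse_cookies {
    my ($header) = @_;
    return () unless defined $header;
    return map { my ($k, $v) = split /=/, $_, 2; ($k, $v) } split /;\s*/, $header;
}

sub handler {
    my $r   = shift;
    my $uri = $r->uri;

    my ($sid, $rest) = $uri =~ $SID_RE;
    return DECLINED unless defined $sid;     # no session segment: ordinary request
    $rest = '/' unless defined $rest && length $rest;

    # Strip the session id so static files and content handlers see the real path.
    $r->uri($rest);
    $r->subprocess_env(SESSION_ID => $sid);

    # Ownership check: the URL alone proves nothing; the cookie must carry the
    # token bound to this id. Downstream handlers decide what to do when it is 0
    # (e.g. treat the request as a fresh, unauthenticated session).
    my %cookies  = parse_cookies($r->header_in('Cookie'));
    my $expected = owner_token($sid);
    my $ok = (defined $cookies{owner} && $cookies{owner} eq $expected) ? 1 : 0;
    $r->subprocess_env(SESSION_OWNER_OK => $ok);

    return DECLINED;   # let the default translation handle the rewritten URI
}

1;
```

Wire it in with `PerlTransHandler My::SessionTrans` in httpd.conf. Because the handler only annotates the request and returns DECLINED, a user with cookies disabled still gets the session id passed through (SESSION_OWNER_OK=0), so the site can degrade to URL-only sessions where it must; what it cannot do in that case is tell the legitimate user from anyone else who has seen the URL, which is exactly the limitation the post describes.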