Re: Antwort: Re: Appending Sessionid to all the urls

2001-05-27 Thread Stefan Weiss

From: [EMAIL PROTECTED]

 any Proxy operator can do this with any non-SSL connection. One can spy session
 ids in the URL, in the GET-parameters and the POST-parameters, also cookies and
 basic auth passwords, also passwords in html forms - and every bit of data
 that's sent back.
 
 Oh, and firewall operators and router operators and all people on the same
 physical network can do the same...


You're right, you can never be secure without encryption. But will browsers
reliably strip the HTTP_REFERER if you leave a secure page? If they don't,
you would still have to pass all external links through one of your own
scripts. I see this becoming a problem in a larger, heterogeneous
environment, because someone is certainly going to forget this protective
curtain and just write a plain HTML link. And any attacker would of course
try to provoke this.


cheers,
stefan




Antwort: Re: Appending Sessionid to all the urls

2001-05-23 Thread Michael . Jacob

Hi kheeteck,

as said before - a session id at the end of the URL (as path info, GET parameter
or POST parameter) will not stay there if you don't modify all displayed html
pages. As I understand, you can't modify these pages because they are on another
server. That means you also can't use a leading session id. Bad. There is only
one way left to store information on the browser's side: Cookies.

cu
Michael


Date: 22.05.2001 19:10
To: Michael Jacob/EXT/GAD@GAD
Cc: [EMAIL PROTECTED]

Subject: Re: Appending Sessionid to all the urls
Message text:


Hi Michael:

I am really glad that you replied to my mail, as I have been trying to solve
this problem for quite some time.
Hmm, however I think you slightly misunderstand what I mean.

What I mean is...
For example,

I have an html page which contains a form, let's say allowing the user to
enter certain values, like colorNo etc.
These values would be posted to my server and the data would be stored in a
database (mysql) together with a unique session id which would be generated.
(This part I have finished and it is working.)

Now comes the problematic part, after the values are submitted. I want this
value to be available to me each time the user enters a new url in the
browser (take note this url is not content residing on my server; it is any
remote site url).
The only way is to append a session id to the url.

So for instance, after the user has finished entering the form page, he can now
access any urls (remote site). How do I tell the server that this is the user
who has entered the form earlier, based on the session id generated? And for
all the subsequent links, how can I append the session id?

I would greatly appreciate it if you could help me out.
Really thanks to you

Regards
kheeteck






- Original Message -
From: [EMAIL PROTECTED]
To: ktgoh [EMAIL PROTECTED]
Cc: mod_perl [EMAIL PROTECTED]
Sent: Wednesday, May 23, 2001 12:27 AM
Subject: Re: Appending Sessionid to all the urls


 Hi ktgoh,

 you don't tell the browser about the session id. Why?

 To use a session id that's appended to the URL is hard work - it has to be
 maintained in every module and html file. So you must append the session id to
 every URL in every page and every piece of code that produces html. There is no
 way to automatically keep the id sticky.

 A better way for session ids is to put them in front of the URI:
 http://www.nus.edu.sg/dfd3453/some/path/and/file.html

 This is (part of) my uri-translation-handler:

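 use Apache::Constants qw(DECLINED REDIRECT);

 # URI translation handler: make sure every request under $DIR_MATCH
 # carries a session id as its first path segment.
 # $DIR_MATCH, make_session_id() and lock_session_id() are not shown here.
 sub handler {
   my $r = shift;   # Apache request object
   # only do initial request - not an internal sub req
   return DECLINED unless $r->is_initial_req;
   return DECLINED unless $r->uri =~ m/$DIR_MATCH/o;

   # URI contains session id and session object could be read from the DB
   my $check_uri = check_uri($r);
   return DECLINED if $check_uri;

   # else redirect to mangled URI
   my $session_id = make_session_id($r);
   redirect($r, $session_id);
   return REDIRECT;
   # end of main handler
 }

 # Strip a leading 32-character session id from the URI and lock the session.
 sub check_uri {
   my $r = shift;
   my $uri = $r->uri || undef;
   my (undef, $sessionid, $rest) = split '/', $uri, 3;
   if ($sessionid && $sessionid =~ m/^[0-9a-h]{32,32}$/o) {
     $r->uri("/$rest");
     lock_session_id($r, $sessionid);
     return 1;
   }
   return undef;
 }

 # Set the Location header to the same URI with the session id in front.
 sub redirect {
   my ($r, $session_id) = @_;   # $session_id: string, min 32, max 32 characters
   my $args = $r->args ? '?' . $r->args : '';
   my $uri = $r->parsed_uri;
   # the path already starts with '/', so no extra separator is added
   my $redirect = $uri->scheme . '://' . $uri->hostinfo . '/' . $session_id .
     $uri->path . $args;
   $r->header_out(Location => $redirect);
 }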

 These session ids are sticky as long as you only use relative paths in your
 html. Note: You may want to put your images in a directory that's not covered
 by this handler and use absolute paths...


 Date: 22.05.2001 12:03
 To: mod_perl [EMAIL PROTECTED]


 Subject: Appending Sessionid to all the urls
 Message text:


 Hi all:

 I wanted to write a mod URL rewrite program.

 I wanted to append a session ID to the tail of all the urls of a website.

 For instance, when I access the url http://www.nus.edu.sg?sessionid=dfd3453
 I want all the urls to be appended in all the urls of that website..

 My question is: every time, I find that the session id is lost through the
 many requests and responses.
 And the new url is not reflected in the client browser..

 Anyone got any idea what's wrong with my program??

 Thanks for your help...

 sub handler {

  my $r = shift;
  my $url = $r->uri;
  my $sessID;

  if ($url =~ m/sessionid/) {
   $sessID = getSessionID($url);
  }

  my $append = "?sessionid=$sessID";
  my $newURL = $r->uri("$url$append");

  return DECLINED;

 }

 sub getSessionID {
  my $url = $_[0];
  my $position = rindex($url, "=") + 1;
  my $sessID = substr($url, $position, 8);
  return $sessID;
 }


 Regards
 kheeteck
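
Added example, not part of the thread and not any poster's code: a small Perl audit for the two link problems raised above, namely absolute links that drop a leading session id (Michael's note on relative paths) and plain external links that bypass the site's own script (Stefan's concern). The host name, the /exit script path and the /images/ prefix are assumptions made for the illustration.

```perl
#!/usr/bin/perl
# Added example: audit HTML for links that defeat a leading-session-id scheme.
use strict;
use warnings;

# Assumptions (not from the thread): own host name and the URL prefixes that
# the session handler deliberately does not cover.
my $OWN_HOST  = 'www.example.org';
my @UNCOVERED = (qr{^/exit(?:[/?]|\z)},   # hypothetical script for external links
                 qr{^/images/});          # static files, linked by absolute path

# Classify one href/src/action value found on a page served as /<sessionid>/...
sub classify_link {
    my ($link) = @_;
    return 'ok-fragment' if $link =~ m{^#};
    return 'ok-non-http' if $link =~ m{^(?:mailto|javascript|data):}i;
    if ($link =~ m{^(?:https?:)?//([^/:?#]+)}i) {
        # Absolute URL: our own host loses the session prefix; any other host
        # can receive the session-bearing page URL in the Referer header.
        return lc($1) eq $OWN_HOST ? 'drops-session' : 'leaks-referer';
    }
    if ($link =~ m{^/}) {
        return 'ok-uncovered' if grep { $link =~ $_ } @UNCOVERED;
        return 'drops-session';    # root-absolute path replaces /<sessionid>/
    }
    return 'ok-relative';          # resolved below /<sessionid>/, id stays sticky
}

# Return [class, link] pairs for every link that needs attention.
sub audit_html {
    my ($html) = @_;
    my @findings;
    while ($html =~ m{\b(?:href|src|action)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))}gi) {
        my $link  = defined $1 ? $1 : defined $2 ? $2 : $3;
        my $class = classify_link($link);
        push @findings, [$class, $link] unless $class =~ /^ok-/;
    }
    return @findings;
}

# Constructed sample page, imagined at /<sessionid>/shop/index.html
my $sample = <<'HTML';
<a href="cart.html">cart</a> <a href="/shop/help.html">help</a>
<img src="/images/logo.png"> <a href="http://partner.example.net/offer">offer</a>
<a href="/exit?to=http%3A%2F%2Fpartner.example.net%2F">offer via exit script</a>
<form action="http://www.example.org/shop/order">
HTML
printf "%-14s %s\n", @$_ for audit_html($sample);
```

Run over templates or generated pages before deployment, the findings list is the set of links someone wrote without the session prefix or the exit script in mind.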