Re: Antwort: Re: Appending Sessionid to all the urls
From: [EMAIL PROTECTED] any Proxy operator can do this with any non-SSL connection. One can spy session ids in the URL, in the GET-parameters and the POST-parameters, also cookies and basic auth passwords, also passwords in html forms - and every bit of data that's send back. Oh, and firewall operators and router operators and all people on the same physical network can do the same... You're right, you can never be secure without encryption. But will browsers reliably strip the HTTP_REFERER if you leave a secure page? If they don't, you would still have to pass all external links through one of your own scripts. I see this becoming a problem in a larger, heterogenous environment, because someone is certainly going to forget this protective curtain and just write a plain HTML link. And any attacker would of course try to provoke this. cheers, stefan
Re: Appending Sessionid to all the urls
Stuart Frew [EMAIL PROTECTED] writes: The user is using the system to process client A. The cookie contains stateful information including the client ID. They then open an new browser window, and lookup client B, recieving a new session ID with new state information, including the client ID. The user then submits the form to the server. The server then recives the one and only cookie with a session ID in it. But is it for Client A or Client B? 50-50 chance of updating the right row. Not good. Session information should be used for the most minimal set of data possible. Often times sessions get used where pnotes would be better, or where hidden form variables would be better. The situation you describe is unlikely and avoidable if you set out with the idea in mind to not put anything in a session that absolutely doesn't need to be there; use your database to store information if you need to and if at all feasible. The problem you mention is real, but in real world scenarios it can typically be avoided. About the only thing you can't avoid is if the user wants to log in simultaneously as two different users. Most normal users don't want to do that, though :) Chip -- Chip Turner [EMAIL PROTECTED] RHN Web Engineer
Re: Appending Sessionid to all the urls
On 25 May 2001, Chip Turner wrote: The problem you mention is real, but in real world scenarios it can typically be avoided. About the only thing you can't avoid is if the user wants to log in simultaneously as two different users. Most normal users don't want to do that, though :) only if you have a one to one relationship between client (browser) session and authenticated user. this is not mandatory if, as you point out, urls or form fields are used to transmit the user's id. other than this scenario, which i've never chosen to support, i've never met a piece of session-scoped data that needed to be propagated back to the client besides the client's session id.
Re: Appending Sessionid to all the urls
On Thu, May 24, 2001 at 08:20:01AM +1200, Stuart Frew wrote: Greetings, One problem with using cookies for session management is that the user can have two browsers open doing the same process. Which means the first cookie Session ID will be over writen by the second one. Which can lead to horrid results if the user continues the first process but has the session ID from the second process. May not be an issue out in the Internet but is a true pain in an intranet environment. Can't you write your code to cope with this situation? Julian -- =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Julian Gilbey, Dept of Maths, Queen Mary, Univ. of London Debian GNU/Linux Developer, see http://people.debian.org/~jdg Donate free food to the world's hungry: see http://www.thehungersite.com/
Re: Appending Sessionid to all the urls
Stuart Frew ([EMAIL PROTECTED]) said something to this effect on 05/23/2001: Greetings, One problem with using cookies for session management is that the user can have two browsers open doing the same process. Which means the first cookie Session ID will be over writen by the second one. Which can lead to horrid results if the user continues the first process but has the session ID from the second process. May not be an issue out in the Internet but is a true pain in an intranet environment. This is an even more pronounced problem with sessions IDs in URLs, though. With cookie based session tracking, the second browser window will send the same cookie that the first browser window received. At least that's how sane browsers operate. (darren) -- It is impossible to experience one's death objectively and still carry a tune. -- Woody Allen
Re: Appending Sessionid to all the urls
From: [EMAIL PROTECTED] A better way for session ids is to put them in front of the URI: http://www.nus.edu.sg/dfd3453/some/path/and/file.html (...) These session ids are sticky as long as you only use relative paths in your html. Note: You may want to put your images in a directory that's not covered by this handler and use absolute paths... But wouldn't the session ID get sent to other (possible malicious) servers as well - in the HTTP_REFERER, if the user clicks on an external link? That might enable a script on that other server to grab your user's session. I guess you could add an additional check including the original user's IP address, but that's not really safe either. People working in the same company could spy on each other if they use the same HTTP proxy. Any known workarounds for this? cheers, stefan
Re: Appending Sessionid to all the urls
Yeah, create a safe link jumping point. Something that you'd link to instead of the external link, and pass in the external link, without a session_id so that the HTTP_REFERER won't have the session ID. Don't rely on IP address for more reasons then you mentioned... It might not hurt to implement some kind of time out feature too. It's you and a dagger against an army. Jay On Thu, 24 May 2001, stefan weiss wrote: From: [EMAIL PROTECTED] A better way for session ids is to put them in front of the URI: http://www.nus.edu.sg/dfd3453/some/path/and/file.html (...) These session ids are sticky as long as you only use relative paths in your html. Note: You may want to put your images in a directory that's not covered by this handler and use absolute paths... But wouldn't the session ID get sent to other (possible malicious) servers as well - in the HTTP_REFERER, if the user clicks on an external link? That might enable a script on that other server to grab your user's session. I guess you could add an additional check including the original user's IP address, but that's not really safe either. People working in the same company could spy on each other if they use the same HTTP proxy. Any known workarounds for this? cheers, stefan
Re: Appending Sessionid to all the urls
This is an even more pronounced problem with sessions IDs in URLs, though. With cookie based session tracking, the second browser window will send the same cookie that the first browser window received. And there lies the rub. The user is using the system to process client A. The cookie contains stateful information including the client ID. They then open an new browser window, and lookup client B, recieving a new session ID with new state information, including the client ID. The user then submits the form to the server. The server then recives the one and only cookie with a session ID in it. But is it for Client A or Client B? 50-50 chance of updating the right row. Not good. With the session ID in the URL, once the new session ID is issued you know which browser window, and hence data, the session is for and hence update the correct row. Of course if anyone knows how to make it work with cookied I'd love to know. Cheers Stuart (Oh and telling the users 'Don't Do That' does not work either :^) -- Cheers Stuart --- New Zealand Revolution [EMAIL PROTECTED] +64 9 918 7663
Re: Appending Sessionid to all the urls
At 08:39 25.05.2001 +1200, you wrote: And there lies the rub. The user is using the system to process client A. The cookie contains stateful information including the client ID. They then open an new browser window, and lookup client B, recieving a new session ID with new state information, including the client ID. Why are you doing this. client B probably sends a valid session ID, so why does he get a new one? (Oh and telling the users 'Don't Do That' does not work either :^) Never does. Joachim -- ... ein Geschlecht erfinderischer Zwerge, die fuer alles gemietet werden koennen.- Bertolt Brecht - Leben des Galilei
Re: Appending Sessionid to all the urls
i'd still use a cookie to indentify the user. why not include the client id as part of the submission from the browser. it is easy to keep detailed data in the cookie separate for each client $sessionData{$clientKey}{$clientDataStuff}=$in{DATAKEY} Stuart Frew wrote: This is an even more pronounced problem with sessions IDs in URLs, though. With cookie based session tracking, the second browser window will send the same cookie that the first browser window received. And there lies the rub. The user is using the system to process client A. The cookie contains stateful information including the client ID. They then open an new browser window, and lookup client B, recieving a new session ID with new state information, including the client ID. The user then submits the form to the server. -- ___cliff [EMAIL PROTECTED]http://www.genwax.com/
Re: Appending Sessionid to all the urls
Opps forgot to CC the list -- Cheers Stuart --- New Zealand Revolution [EMAIL PROTECTED] +64 9 918 7663 On 24 May 2001 14:57:09 -0700, ___cliff rayman___ wrote: Stuart Frew wrote: On 24 May 2001 14:21:32 -0700, ___cliff rayman___ wrote: i'd still use a cookie to indentify the user. why not include the client id as part of the submission from the browser. it is easy to keep detailed data in the cookie separate for each client $sessionData{$clientKey}{$clientDataStuff}=$in{DATAKEY} snip. Yup you could encode the client ID in to each form but, * If I was to do that I would encode the session ID, and kill to birds with one piece of code. encoding the session id is much more difficult as u have now found out. which two birds do you kill? Ah ah I think I see a difference. I am not using the session ID to track the user, but the track which client/customer the user is processing and what they are doing. We Identify the user by $r-connection-user. I would use encode the session ID into the form to differentate the two clients the single user is processing. For us two windows means two sessions. Yup, could encode it all into one session but see below... * the joys of sessions is that that the state, via the session ID, is avaiable automagicly without having to code it into each page. hmmm. i think u r misunderstanding my suggestion - or - u r not fully explaining what u r trying to do. look up the input type=hidden html tag. stick that with the client id somewhere between your form tags. everytime the user submits the form, the client id will be submitted also. assuming that %in comtains all the forms posted fields then: $session{$in{CLIENTID}}{DATAFIELD1}=$in{DATAFIELD1} or more generically (untested - could have typos): $session{$in{CLIENTID}}{$_}=$in{$_} for (grep {!/CLIENTID/, keys %in}; But what happens when we go to a page that contains only look up information. Say we are on a page that has the main data entry form, but there are links to lookup pages, such as the client/customers previous purchases. I don't want to encode the client ID on every link when I can use the state information with in the lookup page to find out what the client/customer is. Also Apache::Session only sees changes at the top level. So for ever state change we would have to programaticly make the session aware of the change. Ok not particulary hard or arduous but why take the risk? Cheers Stuart --- New Zealand Revolution [EMAIL PROTECTED] +64 9 918 7663
Antwort: Re: Appending Sessionid to all the urls
Hi kheeteck, as said before - a session id at the end of the URL (as path info, GET parameter or POST parameter) will not stay there if you don't modify all displayed html pages. As I understand, you can't modify these pages because thay are on another server. That means you also can't use a leading session id. Bad. There is only one way left to store information on the browser's side: Cookies. cu Michael Datum: 22.05.2001 19:10 An:Michael Jacob/EXT/GAD@GAD Kopie: [EMAIL PROTECTED] Betreff: Re: Appending Sessionid to all the urls Nachrichtentext: Hi Michael : I am really glad that you reply to my mail.. as i have been trying to solve this problem for quite some time Hmm , however i think u slightly misunderstand what i mean.. What i mean is... For eg, I have a html page which contains a form page let say allowing the user to enter certain values... like colorNo etc. This values would be posted to my server and the data would be stored in a database(mysql) together with a unqiue session id which would be generated. ( for this part i have finished and is working). Now comes the problematic part, after the values are submitted. I want this value to be avaiable to me each time as user enter a new url from the browser( take note this url is not the content residing in my server.. it is any remote site url). The only way is to append a session id at the url. So for instance.. after the user finished entering the form page. He can now access any urls(remote site). How do i tell the server that this is the user who has entered the form earlier based on the session id generated. And for all the subsquent links... how can i append the session id. I would greatly appreciated if you could help me out.. Really thanks to you Regards kheeteck - Original Message - From: [EMAIL PROTECTED] To: ktgoh [EMAIL PROTECTED] Cc: mod_perl [EMAIL PROTECTED] Sent: Wednesday, May 23, 2001 12:27 AM Subject: Re: Appending Sessionid to all the urls Hi ktgoh, you don't tell the browser about the session id. Why? To use a session id that's appended to the URL is hard work - it has to be maintaned in every module and html file. So you must append the session id to every URL in every page and every piece of code that produces html. Ther is no way to automatically keep the id sticky. A better way for session ids is to put them in front of the URI: http://www.nus.edu.sg/dfd3453/some/path/and/file.html This is (part of) my uri-translation-handler: sub handler ($r: Apache) { # only do initial request - not an internal sub req return DECLINED unless $r-is_initial_req; return DECLINED unless $r-uri =~ m/$DIR_MATCH/o; try my $check_uri = check_uri($r); return DECLINED if $check_uri; # URI contains session id and session object could be read from the DB # else redirect to mangled URI try my $session_id = make_session_id($r); redirect($r, $session_id); return REDIRECT; # end of main handler } sub check_uri ($r: Apache) { my $uri = $r-uri || undef; my (undef, $sessionid, $rest) = split '/', $uri, 3; if ($sessionid $sessionid =~ m/^[0-9a-h]{32,32}$/o) { $r-uri(/$rest); try void lock_session_id($r, $sessionid); return 1; } return undef; } sub redirect ($r: Apache, $session_id: string min 32 max 32) { my $args = $r-args ? '?' . $r-args : ''; my $uri = $r-parsed_uri; $redirect = $uri-scheme . '://' . $uri-$hostinfo . '/'. $session_id . '/' . $uri-path . $args; $r-header_out(Location = $redirect); } These session ids are sticky as long as you only use relative paths in your html. Note: You may want to put your images in a directory that's not covered by this handler and use absolute paths... Datum: 22.05.2001 12:03 An:mod_perl [EMAIL PROTECTED] Betreff: Appending Sessionid to all the urls Nachrichtentext: Hi all : I wanted to write a mod URL rewrite program. I wanted to append session ID to the tail of all the urls of a website. For instance when i access url http://www.nus.edu.sg?sessionid=dfd3453 i want all the urls to be appended in all the urls of that website.. My qns is everytime i found that the session id is lost... through the many requests and responses. And the new url does not reflect on the client browser.. Any one got any idea.. what wrong with my program?? Thanks for your help... sub handler { my $r = shift; my $url = $r-uri; my $sessID; if($url =~ m/sessionid/){ $sessID= getSessionID($url); } my $append =?sessionid=$sessID my $newURL = $r-uri($url$append); return DECLINED; } sub getSessionID{ my $url = $_[0]; my $position = rindex($url,=)+1; my $sessID = substr($url,$position,8); return $sessID; } Regards kheeteck
Re: Appending Sessionid to all the urls
Hi Michael : I am really glad that you reply to my mail.. as i have been trying to solve this problem for quite some time Hmm , however i think u slightly misunderstand what i mean.. What i mean is... For eg, I have a html page which contains a form page let say allowing the user to enter certain values... like colorNo etc. This values would be posted to my server and the data would be stored in a database(mysql) together with a unqiue session id which would be generated. ( for this part i have finished and is working). Now comes the problematic part, after the values are submitted. I want this value to be avaiable to me each time as user enter a new url from the browser( take note this url is not the content residing in my server.. it is any remote site url). The only way is to append a session id at the url. So for instance.. after the user finished entering the form page. He can now access any urls(remote site). How do i tell the server that this is the user who has entered the form earlier based on the session id generated. And for all the subsquent links... how can i append the session id. I would greatly appreciated if you could help me out.. Really thanks to you Regards kheeteck - Original Message - From: [EMAIL PROTECTED] To: ktgoh [EMAIL PROTECTED] Cc: mod_perl [EMAIL PROTECTED] Sent: Wednesday, May 23, 2001 12:27 AM Subject: Re: Appending Sessionid to all the urls Hi ktgoh, you don't tell the browser about the session id. Why? To use a session id that's appended to the URL is hard work - it has to be maintaned in every module and html file. So you must append the session id to every URL in every page and every piece of code that produces html. Ther is no way to automatically keep the id sticky. A better way for session ids is to put them in front of the URI: http://www.nus.edu.sg/dfd3453/some/path/and/file.html This is (part of) my uri-translation-handler: sub handler ($r: Apache) { # only do initial request - not an internal sub req return DECLINED unless $r-is_initial_req; return DECLINED unless $r-uri =~ m/$DIR_MATCH/o; try my $check_uri = check_uri($r); return DECLINED if $check_uri; # URI contains session id and session object could be read from the DB # else redirect to mangled URI try my $session_id = make_session_id($r); redirect($r, $session_id); return REDIRECT; # end of main handler } sub check_uri ($r: Apache) { my $uri = $r-uri || undef; my (undef, $sessionid, $rest) = split '/', $uri, 3; if ($sessionid $sessionid =~ m/^[0-9a-h]{32,32}$/o) { $r-uri(/$rest); try void lock_session_id($r, $sessionid); return 1; } return undef; } sub redirect ($r: Apache, $session_id: string min 32 max 32) { my $args = $r-args ? '?' . $r-args : ''; my $uri = $r-parsed_uri; $redirect = $uri-scheme . '://' . $uri-$hostinfo . '/'. $session_id . '/' . $uri-path . $args; $r-header_out(Location = $redirect); } These session ids are sticky as long as you only use relative paths in your html. Note: You may want to put your images in a directory that's not covered by this handler and use absolute paths... Datum: 22.05.2001 12:03 An:mod_perl [EMAIL PROTECTED] Betreff: Appending Sessionid to all the urls Nachrichtentext: Hi all : I wanted to write a mod URL rewrite program. I wanted to append session ID to the tail of all the urls of a website. For instance when i access url http://www.nus.edu.sg?sessionid=dfd3453 i want all the urls to be appended in all the urls of that website.. My qns is everytime i found that the session id is lost... through the many requests and responses. And the new url does not reflect on the client browser.. Any one got any idea.. what wrong with my program?? Thanks for your help... sub handler { my $r = shift; my $url = $r-uri; my $sessID; if($url =~ m/sessionid/){ $sessID= getSessionID($url); } my $append =?sessionid=$sessID my $newURL = $r-uri($url$append); return DECLINED; } sub getSessionID{ my $url = $_[0]; my $position = rindex($url,=)+1; my $sessID = substr($url,$position,8); return $sessID; } Regards kheeteck
Re: Appending Sessionid to all the urls
On Wed, May 23, 2001 at 12:59:39AM +0800, kheeteck wrote: Hi Michael : I am really glad that you reply to my mail.. as i have been trying to solve this problem for quite some time Hmm , however i think u slightly misunderstand what i mean.. What i mean is... For eg, I have a html page which contains a form page let say allowing the user to enter certain values... like colorNo etc. This values would be posted to my server and the data would be stored in a database(mysql) together with a unqiue session id which would be generated. ( for this part i have finished and is working). Now comes the problematic part, after the values are submitted. I want this value to be avaiable to me each time as user enter a new url from the browser( take note this url is not the content residing in my server.. it is any remote site url). The only way is to append a session id at the url. So for instance.. after the user finished entering the form page. He can now access any urls(remote site). How do i tell the server that this is the user who has entered the form earlier based on the session id generated. And for all the subsquent links... how can i append the session id. I would greatly appreciated if you could help me out.. Really thanks to you Have you considered using cookies? They're designed for just this purpose, and are much simpler to use in general. Julian -- =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Julian Gilbey, Dept of Maths, Queen Mary, Univ. of London Debian GNU/Linux Developer, see http://people.debian.org/~jdg Donate free food to the world's hungry: see http://www.thehungersite.com/
Re: Appending Sessionid to all the urls
Greetings, One problem with using cookies for session management is that the user can have two browsers open doing the same process. Which means the first cookie Session ID will be over writen by the second one. Which can lead to horrid results if the user continues the first process but has the session ID from the second process. May not be an issue out in the Internet but is a true pain in an intranet environment. Cheers Stuart. On 23 May 2001 11:53:32 +0100, Julian Gilbey wrote: On Wed, May 23, 2001 at 12:59:39AM +0800, kheeteck wrote: Hi Michael : I am really glad that you reply to my mail.. as i have been trying to solve this problem for quite some time Hmm , however i think u slightly misunderstand what i mean.. What i mean is... For eg, I have a html page which contains a form page let say allowing the user to enter certain values... like colorNo etc. This values would be posted to my server and the data would be stored in a database(mysql) together with a unqiue session id which would be generated. ( for this part i have finished and is working). Now comes the problematic part, after the values are submitted. I want this value to be avaiable to me each time as user enter a new url from the browser( take note this url is not the content residing in my server.. it is any remote site url). The only way is to append a session id at the url. So for instance.. after the user finished entering the form page. He can now access any urls(remote site). How do i tell the server that this is the user who has entered the form earlier based on the session id generated. And for all the subsquent links... how can i append the session id. I would greatly appreciated if you could help me out.. Really thanks to you Have you considered using cookies? They're designed for just this purpose, and are much simpler to use in general. Julian -- =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Julian Gilbey, Dept of Maths, Queen Mary, Univ. of London Debian GNU/Linux Developer, see http://people.debian.org/~jdg Donate free food to the world's hungry: see http://www.thehungersite.com/ -- Cheers Stuart --- New Zealand Revolution [EMAIL PROTECTED] +64 9 918 7663
Appending Sessionid to all the urls
Hi all : I wanted to write a mod URL rewrite program. I wanted to append session ID to the tail of all the urls of a website. For instance when i access url http://www.nus.edu.sg?sessionid=dfd3453 i want all the urls to be appended in all the urls of that website.. My qns is everytime i found that the session id is lost... throughthe many requests and responses. And the new url does not reflect on theclient browser.. Any one got any idea.. what wrong with my program?? Thanks for your help... sub handler { my $r = shift; my $url = $r-uri; my $sessID; if($url =~ m/sessionid/){ $sessID= getSessionID($url); } my $append =?sessionid=$sessID my $newURL = $r-uri($url$append); return DECLINED; } sub getSessionID{ my $url = $_[0]; my $position = rindex($url,"=")+1; my $sessID = substr($url,$position,8); return $sessID;} Regards kheeteck
Re: Appending Sessionid to all the urls
Hi ktgoh, you don't tell the browser about the session id. Why? To use a session id that's appended to the URL is hard work - it has to be maintaned in every module and html file. So you must append the session id to every URL in every page and every piece of code that produces html. Ther is no way to automatically keep the id sticky. A better way for session ids is to put them in front of the URI: http://www.nus.edu.sg/dfd3453/some/path/and/file.html This is (part of) my uri-translation-handler: sub handler ($r: Apache) { # only do initial request - not an internal sub req return DECLINED unless $r-is_initial_req; return DECLINED unless $r-uri =~ m/$DIR_MATCH/o; try my $check_uri = check_uri($r); return DECLINED if $check_uri; # URI contains session id and session object could be read from the DB # else redirect to mangled URI try my $session_id = make_session_id($r); redirect($r, $session_id); return REDIRECT; # end of main handler } sub check_uri ($r: Apache) { my $uri = $r-uri || undef; my (undef, $sessionid, $rest) = split '/', $uri, 3; if ($sessionid $sessionid =~ m/^[0-9a-h]{32,32}$/o) { $r-uri(/$rest); try void lock_session_id($r, $sessionid); return 1; } return undef; } sub redirect ($r: Apache, $session_id: string min 32 max 32) { my $args = $r-args ? '?' . $r-args : ''; my $uri = $r-parsed_uri; $redirect = $uri-scheme . '://' . $uri-$hostinfo . '/'. $session_id . '/' . $uri-path . $args; $r-header_out(Location = $redirect); } These session ids are sticky as long as you only use relative paths in your html. Note: You may want to put your images in a directory that's not covered by this handler and use absolute paths... Datum: 22.05.2001 12:03 An:mod_perl [EMAIL PROTECTED] Betreff: Appending Sessionid to all the urls Nachrichtentext: Hi all : I wanted to write a mod URL rewrite program. I wanted to append session ID to the tail of all the urls of a website. For instance when i access url http://www.nus.edu.sg?sessionid=dfd3453 i want all the urls to be appended in all the urls of that website.. My qns is everytime i found that the session id is lost... through the many requests and responses. And the new url does not reflect on the client browser.. Any one got any idea.. what wrong with my program?? Thanks for your help... sub handler { my $r = shift; my $url = $r-uri; my $sessID; if($url =~ m/sessionid/){ $sessID= getSessionID($url); } my $append =?sessionid=$sessID my $newURL = $r-uri($url$append); return DECLINED; } sub getSessionID{ my $url = $_[0]; my $position = rindex($url,=)+1; my $sessID = substr($url,$position,8); return $sessID; } Regards kheeteck
Re: Appending Sessionid to all the urls
At 18:06 22.05.2001 +0800, you wrote: For instance when i access url http://www.nus.edu.sg?sessionid=dfd3453http://www.nus.edu.sg?sessionid=dfd3453 i want all the urls to be appended in all the urls of that website.. My qns is everytime i found that the session id is lost... through the many requests and responses. And the new url does not reflect on the client browser.. Any one got any idea.. what wrong with my program?? Wrong concept. Use a sid in the URL path like http://www.nus.edu.sg/sessionid-dfd3453/this/is/it.pl Use mod_rewrite to remove /sessionid-\w+ Use only relative links. Thats it. You can get the sessionid by parsing $ENV{REQUEST_URI} Hth, Joachim -- ... ein Geschlecht erfinderischer Zwerge, die fuer alles gemietet werden koennen.- Bertolt Brecht - Leben des Galilei
Re: Appending Sessionid to all the urls
there's always more then one way... DocumentRoot /usr/local/apache_mp/htdocs RewriteEngine On RewriteCond /usr/local/apache_mp/htdocs/%{REQUEST_FILENAME} !-f RewriteRule /?S=([^/]+)/(.*) /$2 [E=SESSION_ID:$1] This sets $ENV{SESSION_ID} to the session ID, but also catches it, if by some bizarre and unlikely circumstance your have a directory that matches someone's Session ID. In this case the session is: http://host.domain.com/S=asdfasdf/path/requested.pl Using mod rewrite also munges the $r-filename which helped things like mason that looked for it (don't know if it still does). Jay On Tue, 22 May 2001, Joachim Zobel wrote: At 18:06 22.05.2001 +0800, you wrote: For instance when i access url http://www.nus.edu.sg?sessionid=dfd3453http://www.nus.edu.sg?sessionid=dfd3453 i want all the urls to be appended in all the urls of that website.. My qns is everytime i found that the session id is lost... through the many requests and responses. And the new url does not reflect on the client browser.. Any one got any idea.. what wrong with my program?? Wrong concept. Use a sid in the URL path like http://www.nus.edu.sg/sessionid-dfd3453/this/is/it.pl Use mod_rewrite to remove /sessionid-\w+ Use only relative links. Thats it. You can get the sessionid by parsing $ENV{REQUEST_URI} Hth, Joachim -- ... ein Geschlecht erfinderischer Zwerge, die fuer alles gemietet werden koennen.- Bertolt Brecht - Leben des Galilei