Re: Reply: Re: Appending Sessionid to all the urls

2001-05-27 Thread Stefan Weiss

From: <[EMAIL PROTECTED]>

> any Proxy operator can do this with any non-SSL connection. One can spy session
> ids in the URL, in the GET-parameters and the POST-parameters, also cookies and
> basic auth passwords, also passwords in html forms - and every bit of data
> that's sent back.
> 
> Oh, and firewall operators and router operators and all people on the same
> physical network can do the same...


You're right, you can never be secure without encryption. But will browsers
reliably strip the HTTP_REFERER if you leave a secure page? If they don't,
you would still have to pass all external links through one of your own
scripts. I see this becoming a problem in a larger, heterogenous 
environment, because someone is certainly going to forget this protective
curtain and just write a plain HTML link. And any attacker would of course
try to provoke this.


cheers,
stefan




Reply: Re: Appending Sessionid to all the urls

2001-05-25 Thread Michael . Jacob

Hi stefan,

any Proxy operator can do this with any non-SSL connection. One can spy session
ids in the URL, in the GET-parameters and the POST-parameters, also cookies and
basic auth passwords, also passwords in html forms - and every bit of data
that's sent back.

Oh, and firewall operators and router operators and all people on the same
physical network can do the same...

That's the reason why someone implemented SSL :-)


Date: 24.05.2001 18:02
To: "mod_perl" <[EMAIL PROTECTED]>


Subject: Re: Appending Sessionid to all the urls
Message text:


From: <[EMAIL PROTECTED]>

> A better way for session ids is to put them in front of the URI:
> http://www.nus.edu.sg/dfd3453/some/path/and/file.html
(...)
> These session ids are sticky as long as you only use relative paths in your
> html. Note: You may want to put your images in a directory that's not covered by
> this handler and use absolute paths...


But wouldn't the session ID get sent to other (possibly malicious) servers
as well - in the HTTP_REFERER, if the user clicks on an external link?
That might enable a script on that other server to grab your user's session.
I guess you could add an additional check including the original user's IP
address, but that's not really safe either. People working in the same
company could spy on each other if they use the same HTTP proxy.

Any known workarounds for this?


cheers,
stefan









Re: Appending Sessionid to all the urls

2001-05-25 Thread brian moseley

On 25 May 2001, Chip Turner wrote:

> The problem you mention is real, but in "real world
> scenarios" it can typically be avoided.  About the only
> thing you can't avoid is if the user wants to log in
> simultaneously as two different users.  Most normal
> users don't want to do that, though :)

only if you have a one to one relationship between client
(browser) session and authenticated user. this is not
mandatory if, as you point out, urls or form fields are used
to transmit the user's id.

other than this scenario, which i've never chosen to
support, i've never met a piece of session-scoped data that
needed to be propagated back to the client besides the
client's session id.




Re: Appending Sessionid to all the urls

2001-05-24 Thread Chip Turner

Stuart Frew <[EMAIL PROTECTED]> writes:

> The user is using the system to process client A. The cookie contains
> stateful information including the client ID.
> 
> They then open a new browser window, and look up client B, receiving a
> new session ID with new state information, including the client ID.
> 
> The user then submits the form to the server.
> 
> The server then receives the one and only cookie with a session ID in it.
> But is it for Client A or Client B? 50-50 chance of updating the right
> row. Not good.

Session information should be used for the most minimal set of data
possible.  Often times sessions get used where pnotes would be better,
or where hidden form variables would be better.  The situation you
describe is unlikely and avoidable if you set out with the idea in
mind to not put anything in a session that absolutely doesn't need to
be there; use your database to store information if you need to and if
at all feasible.

The problem you mention is real, but in "real world scenarios" it can
typically be avoided.  About the only thing you can't avoid is if the
user wants to log in simultaneously as two different users.  Most
normal users don't want to do that, though :)

Chip

-- 
Chip Turner   [EMAIL PROTECTED]
  RHN Web Engineer



Re: Appending Sessionid to all the urls

2001-05-24 Thread Stuart Frew

Oops, forgot to CC the list

-- 

Cheers Stuart
---
New Zealand Revolution
[EMAIL PROTECTED] 
+64 9 918 7663




On 24 May 2001 14:57:09 -0700, ___cliff rayman___ wrote:
> 
> 
> Stuart Frew wrote:
> 
> > On 24 May 2001 14:21:32 -0700, ___cliff rayman___ wrote:
> > > i'd still use a cookie to identify the user.  why not include
> > > the client id as part of the submission from the browser.  it
> > > is easy to keep detailed data in the cookie separate for each client
> > > $sessionData{$clientKey}{$clientDataStuff}=$in{DATAKEY}
> > >
> > snip.
> > Yup you could encode the client ID in to each form but,
> > * If I was to do that I would encode the session ID, and kill two birds
> > with one piece of code.
> 
> encoding the session id is much more difficult as u have now found out.
> which two birds do you kill?
> 
> >
Ah ah I think I see a difference. I am not using the session ID to track
the user, but to track which client/customer the user is processing and
what they are doing.
We identify the user by $r->connection->user.

I would encode the session ID into the form to differentiate the two
clients the single user is processing.

For us two windows means two sessions.
Yup, could encode it all into one session but see below...

> > * the joys of sessions is that the state, via the session ID, is
> > available automagically without having to code it into each page.
> 
> hmmm.  i think u r misunderstanding my suggestion - or - u r not fully explaining
> what u r trying to do.  look up the  html tag.  stick that with the
> client id somewhere between your  tags. everytime the user submits the form,
> the client id will be submitted also.  assuming that %in contains all the form's posted
> fields then:
> $session{$in{CLIENTID}}{DATAFIELD1}=$in{DATAFIELD1}
> 
> or more generically (untested - could have typos):
> 
> $session{$in{CLIENTID}}{$_}=$in{$_} for (grep {!/CLIENTID/} keys %in);
> 
But what happens when we go to a page that contains only look up
information.

Say we are on a page that has the main data entry form, but there are
links to lookup pages, such as the client/customer's previous purchases.
I don't want to encode the client ID on every link when I can use the
state information within the lookup page to find out what the
client/customer is.

Also Apache::Session only sees changes at the top level. 
So for every state change we would have to programmatically make the session
aware of the change. 

Ok not particularly hard or arduous but why take the risk? 


Cheers Stuart
---
New Zealand Revolution
[EMAIL PROTECTED] 
+64 9 918 7663





Re: Appending Sessionid to all the urls

2001-05-24 Thread ___cliff rayman___

i'd still use a cookie to identify the user.  why not include
the client id as part of the submission from the browser.  it
is easy to keep detailed data in the cookie separate for each client
$sessionData{$clientKey}{$clientDataStuff}=$in{DATAKEY}

Stuart Frew wrote:

> > This is an even more pronounced problem with sessions IDs in
> > URLs, though. With cookie based session tracking, the second
> > browser window will send the same cookie that the first browser
> > window received.
> >
>
> And there lies the rub.
>
> The user is using the system to process client A. The cookie contains
> stateful information including the client ID.
>
> They then open a new browser window, and look up client B, receiving a
> new session ID with new state information, including the client ID.
>
> The user then submits the form to the server.
>

--
___cliff [EMAIL PROTECTED]http://www.genwax.com/





Re: Appending Sessionid to all the urls

2001-05-24 Thread Joachim Zobel

At 08:39 25.05.2001 +1200, you wrote:

>And there lies the rub.
>
>The user is using the system to process client A. The cookie contains
>stateful information including the client ID.
>
>They then open a new browser window, and look up client B, receiving a
>new session ID with new state information, including the client ID.

Why are you doing this? client B probably sends a valid session ID, so why 
does he get a new one?


>(Oh and telling the users 'Don't Do That' does not work either :^)


Never does.

Joachim

--
"... a race of inventive dwarfs who can be hired for
anything." - Bertolt Brecht - Life of Galileo




Re: Appending Sessionid to all the urls

2001-05-24 Thread Stuart Frew


> This is an even more pronounced problem with sessions IDs in
> URLs, though. With cookie based session tracking, the second
> browser window will send the same cookie that the first browser
> window received.
> 


And there lies the rub.

The user is using the system to process client A. The cookie contains
stateful information including the client ID.

They then open a new browser window, and look up client B, receiving a
new session ID with new state information, including the client ID.

The user then submits the form to the server.

The server then receives the one and only cookie with a session ID in it.
But is it for Client A or Client B? 50-50 chance of updating the right
row. Not good.

With the session ID in the URL, once the new session ID is issued you
know which  browser window, and hence data, the session is for and hence
update the correct row.

Of course if anyone knows how to make it work with cookies I'd love to
know.

Cheers Stuart
(Oh and telling the users 'Don't Do That' does not work either :^)
-- 

Cheers Stuart
---
New Zealand Revolution
[EMAIL PROTECTED] 
+64 9 918 7663





Re: Appending Sessionid to all the urls

2001-05-24 Thread Jay Jacobs

Yeah, create a safe link jumping point.  Something that you'd link to
instead of the external link, and pass in the external link, without a
session_id so that the HTTP_REFERER won't have the session ID.

Don't rely on IP address for more reasons than you mentioned...

It might not hurt to implement some kind of "time out" feature too.  It's
you and a dagger against an army.

Jay

On Thu, 24 May 2001, stefan weiss wrote:

> From: <[EMAIL PROTECTED]>
>
> > A better way for session ids is to put them in front of the URI:
> > http://www.nus.edu.sg/dfd3453/some/path/and/file.html
> (...)
> > These session ids are sticky as long as you only use relative paths in your
> > html. Note: You may want to put your images in a directory that's not covered by
> > this handler and use absolute paths...
>
>
> But wouldn't the session ID get sent to other (possibly malicious) servers
> as well - in the HTTP_REFERER, if the user clicks on an external link?
> That might enable a script on that other server to grab your user's session.
> I guess you could add an additional check including the original user's IP
> address, but that's not really safe either. People working in the same
> company could spy on each other if they use the same HTTP proxy.
>
> Any known workarounds for this?
>
>
> cheers,
> stefan
>
>
>
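
Jay's jump point, combined with Stefan's worry elsewhere in the thread that someone will forget it and write a plain link, sketched as an added example (not code from the thread): an output filter sends every external link through a session-free /out page, and that page checks an HMAC so it cannot be used as an open redirector. The host, the /out path, the key and all helper names are assumptions; the page answers with a small HTML document rather than a 3xx because browsers following a redirect generally keep the Referer of the page that held the link.

```perl
#!/usr/bin/perl
# Added example, not code from the thread. Host, path, key and sub names are assumptions.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

my $OWN_HOST  = 'www.example.com';   # assumed site host
my $JUMP_PATH = '/out';              # assumed; must live outside the /<session-id>/ prefix
my $KEY       = 'replace-with-a-random-server-side-secret';

sub uri_escape   { my $s = shift; $s =~ s/([^A-Za-z0-9\-._~])/sprintf('%%%02X', ord($1))/ge; return $s }
sub uri_unescape { my $s = shift; $s =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge; return $s }

sub html_escape {
    my $s = shift;
    my %ent = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;');
    $s =~ s/([&<>"])/$ent{$1}/g;
    return $s;
}

# Compare two strings without stopping at the first differing byte.
sub secure_eq {
    my ($x, $y) = @_;
    return 0 unless length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Session-free link to the jump page; the MAC binds it to one target URL.
sub jump_url {
    my ($target) = @_;
    return "$JUMP_PATH?to=" . uri_escape($target) . '&mac=' . hmac_sha256_hex($target, $KEY);
}

sub _rewrite_href {
    my ($pre, $url, $authority, $post) = @_;   # copy before running another regex
    # Anything that is not exactly our own host (ports, user@host forms) counts as external.
    return "$pre$url$post" if lc($authority) eq $OWN_HOST;
    (my $target = $url) =~ s/&amp;/&/g;         # href values arrive HTML-escaped
    return $pre . html_escape(jump_url($target)) . $post;
}

# Output filter applied to every generated page, so a hand-written external
# link is still routed through the jump page. Handles double-quoted href
# attributes only; a production filter should use a real HTML parser.
sub rewrite_external_links {
    my ($html) = @_;
    $html =~ s{(<a\b[^>]*?\bhref\s*=\s*")(https?://([^/"?#]+)[^"]*)(")}
              {_rewrite_href($1, $2, $3, $4)}gie;
    return $html;
}

# Handler logic for the jump page: returns (status, headers, body).
sub jump_page {
    my ($query) = @_;
    my %p = map { my ($k, $v) = split /=/, $_, 2; ($k, uri_unescape(defined $v ? $v : '')) }
            grep { length } split /&/, $query;
    my ($to, $mac) = @p{qw(to mac)};
    unless (defined $to && defined $mac && $to =~ m{^https?://}i
            && secure_eq(hmac_sha256_hex($to, $KEY), lc($mac))) {
        return (400, {}, 'Unknown link');
    }
    my $safe = html_escape($to);
    return (200,
        { 'Content-Type' => 'text/html', 'Referrer-Policy' => 'no-referrer' },
        qq{<meta http-equiv="refresh" content="0;url=$safe">}
      . qq{<a href="$safe" rel="noreferrer">Continue</a>});
}

unless (caller) {
    # Constructed page fragment, as it would be served below /<session-id>/.
    my $page = qq{<a href="file.html">next</a> }
             . qq{<a href="http://partner.example.net/x?a=1&amp;b=2">partner</a>};
    my $out = rewrite_external_links($page);
    print "$out\n";

    # Follow the rewritten link the way a browser would (HTML-decode, then request).
    my ($query) = $out =~ m{\Q$JUMP_PATH\E\?([^"]+)};
    $query =~ s/&amp;/&/g;
    my ($status, $headers, $body) = jump_page($query);
    print "$status\n$body\n";

    # A link whose MAC was not issued by this site is refused.
    my ($forged) = jump_page('to=' . uri_escape('http://unsigned.example/') . '&mac=' . ('0' x 64));
    print "unsigned link -> $forged\n";
}
```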




Re: Appending Sessionid to all the urls

2001-05-24 Thread stefan weiss

From: <[EMAIL PROTECTED]>

> A better way for session ids is to put them in front of the URI:
> http://www.nus.edu.sg/dfd3453/some/path/and/file.html
(...)
> These session ids are sticky as long as you only use relative paths in your
> html. Note: You may want to put your images in a directory that's not covered by
> this handler and use absolute paths...


But wouldn't the session ID get sent to other (possibly malicious) servers
as well - in the HTTP_REFERER, if the user clicks on an external link?
That might enable a script on that other server to grab your user's session.
I guess you could add an additional check including the original user's IP
address, but that's not really safe either. People working in the same
company could spy on each other if they use the same HTTP proxy.

Any known workarounds for this?


cheers,
stefan





Re: Appending Sessionid to all the urls

2001-05-24 Thread darren chamberlain

Stuart Frew ([EMAIL PROTECTED]) said something to this effect on 05/23/2001:
> Greetings,
> 
> One problem with using cookies for session management is that the user
> can have two browsers open doing the same process.
> 
> Which means the first cookie Session ID will be overwritten by the
> second one. Which can lead to horrid results if the user continues the
> first process but has the session ID from the second process.
> 
> May not be an issue out in the Internet but is a true pain in an
> intranet environment.

This is an even more pronounced problem with sessions IDs in
URLs, though. With cookie based session tracking, the second
browser window will send the same cookie that the first browser
window received.

At least that's how sane browsers operate.

(darren)

-- 
It is impossible to experience one's death objectively and still
carry a tune.
-- Woody Allen



Re: Appending Sessionid to all the urls

2001-05-24 Thread Julian Gilbey

On Thu, May 24, 2001 at 08:20:01AM +1200, Stuart Frew wrote:
> Greetings,
> 
> One problem with using cookies for session management is that the user
> can have two browsers open doing the same process.
> 
> Which means the first cookie Session ID will be overwritten by the
> second one. Which can lead to horrid results if the user continues the
> first process but has the session ID from the second process.
> 
> May not be an issue out in the Internet but is a true pain in an
> intranet environment.

Can't you write your code to cope with this situation?

   Julian

-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

 Julian Gilbey, Dept of Maths, Queen Mary, Univ. of London
   Debian GNU/Linux Developer,  see http://people.debian.org/~jdg
  Donate free food to the world's hungry: see http://www.thehungersite.com/



Re: Appending Sessionid to all the urls

2001-05-23 Thread Stuart Frew

Greetings,

One problem with using cookies for session management is that the user
can have two browsers open doing the same process.

Which means the first cookie Session ID will be overwritten by the
second one. Which can lead to horrid results if the user continues the
first process but has the session ID from the second process.

May not be an issue out in the Internet but is a true pain in an
intranet environment.

Cheers Stuart.

On 23 May 2001 11:53:32 +0100, Julian Gilbey wrote:
> On Wed, May 23, 2001 at 12:59:39AM +0800, kheeteck wrote:
> > Hi Michael :
> > 
> > I am really glad that you reply to my mail.. as i have been trying to solve
> > this problem for quite some time
> > Hmm , however i think u slightly misunderstand what i mean..
> > 
> > What i mean is...
> > For eg,
> > 
> > I have a html page which contains a form page let say allowing the user to
> > enter certain values... like colorNo etc.
> > This values would be posted to my server and the data would be stored in a
> > database(mysql) together with a unique
> > session id which would be generated. ( for this part i have finished and is
> > working).
> > 
> > Now comes the problematic part, after the values are submitted. I  want this
> > value to be available to me each time
> > as user enter a new url from the browser( take note this url is not the
> > content residing in my server.. it is any remote site url).
> > The only way is to append a session id at the url.
> > 
> > So for instance.. after the user finished entering the form page. He can now
> > access any urls(remote site). How do i tell the server that this is the user
> > who has entered the form earlier based on the session id generated. And for
> > all the subsequent links... how can i append the session id.
> > 
> > I would greatly appreciated if you could help me out..
> > Really thanks to you
> 
> Have you considered using cookies?  They're designed for just this
> purpose, and are much simpler to use in general.
> 
>Julian
> 
> -- 
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> 
>  Julian Gilbey, Dept of Maths, Queen Mary, Univ. of London
>Debian GNU/Linux Developer,  see http://people.debian.org/~jdg
>   Donate free food to the world's hungry: see http://www.thehungersite.com/
> 

-- 

Cheers Stuart
---
New Zealand Revolution
[EMAIL PROTECTED] 
+64 9 918 7663





Re: Appending Sessionid to all the urls

2001-05-23 Thread Julian Gilbey

On Wed, May 23, 2001 at 12:59:39AM +0800, kheeteck wrote:
> Hi Michael :
> 
> I am really glad that you reply to my mail.. as i have been trying to solve
> this problem for quite some time
> Hmm , however i think u slightly misunderstand what i mean..
> 
> What i mean is...
> For eg,
> 
> I have a html page which contains a form page let say allowing the user to
> enter certain values... like colorNo etc.
> This values would be posted to my server and the data would be stored in a
> database(mysql) together with a unique
> session id which would be generated. ( for this part i have finished and is
> working).
> 
> Now comes the problematic part, after the values are submitted. I  want this
> value to be available to me each time
> as user enter a new url from the browser( take note this url is not the
> content residing in my server.. it is any remote site url).
> The only way is to append a session id at the url.
> 
> So for instance.. after the user finished entering the form page. He can now
> access any urls(remote site). How do i tell the server that this is the user
> who has entered the form earlier based on the session id generated. And for
> all the subsequent links... how can i append the session id.
> 
> I would greatly appreciated if you could help me out..
> Really thanks to you

Have you considered using cookies?  They're designed for just this
purpose, and are much simpler to use in general.

   Julian

-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

 Julian Gilbey, Dept of Maths, Queen Mary, Univ. of London
   Debian GNU/Linux Developer,  see http://people.debian.org/~jdg
  Donate free food to the world's hungry: see http://www.thehungersite.com/



Re: Appending Sessionid to all the urls

2001-05-23 Thread kheeteck

Hi Michael :

I am really glad that you reply to my mail.. as i have been trying to solve
this problem for quite some time
Hmm , however i think u slightly misunderstand what i mean..

What i mean is...
For eg,

I have a html page which contains a form page let say allowing the user to
enter certain values... like colorNo etc.
This values would be posted to my server and the data would be stored in a
database(mysql) together with a unique
session id which would be generated. ( for this part i have finished and is
working).

Now comes the problematic part, after the values are submitted. I  want this
value to be available to me each time
as user enter a new url from the browser( take note this url is not the
content residing in my server.. it is any remote site url).
The only way is to append a session id at the url.

So for instance.. after the user finished entering the form page. He can now
access any urls(remote site). How do i tell the server that this is the user
who has entered the form earlier based on the session id generated. And for
all the subsequent links... how can i append the session id.

I would greatly appreciated if you could help me out..
Really thanks to you

Regards
kheeteck






- Original Message -
From: <[EMAIL PROTECTED]>
To: "ktgoh" <[EMAIL PROTECTED]>
Cc: "mod_perl" <[EMAIL PROTECTED]>
Sent: Wednesday, May 23, 2001 12:27 AM
Subject: Re: Appending Sessionid to all the urls


> Hi ktgoh,
>
> you don't tell the browser about the session id. Why?
>
> To use a session id that's appended to the URL is hard work - it has to be
> maintained in every module and html file. So you must append the session id to
> every URL in every page and every piece of code that produces html. There is no
> way to automatically "keep" the id sticky.
>
> A better way for session ids is to put them in front of the URI:
> http://www.nus.edu.sg/dfd3453/some/path/and/file.html
>
> This is (part of) my uri-translation-handler:
>
> sub handler ($r: Apache) {
>   # only do initial request - not an internal sub req
>   return DECLINED unless $r->is_initial_req;
>   return DECLINED unless $r->uri =~ m/$DIR_MATCH/o;
>
>   try my $check_uri = &check_uri($r);
>   # URI contains session id and session object could be read from the DB
>   return DECLINED if $check_uri;
>
>   # else redirect to mangled URI
>   try my $session_id = &make_session_id($r);
>   &redirect($r, $session_id);
>   return REDIRECT;
>   # end of main handler
> }
>
> sub check_uri ($r: Apache) {
>   my $uri = $r->uri || undef;
>   my (undef, $sessionid, $rest) = split '/', $uri, 3;
>   if ($sessionid && $sessionid =~ m/^[0-9a-h]{32,32}$/o) {
> $r->uri("/$rest");
> try void &lock_session_id($r, $sessionid);
> return 1;
>   }
>   return undef;
> }
>
> sub redirect ($r: Apache, $session_id: string min 32 max 32) {
>   my $args = $r->args ? '?' . $r->args : '';
>   my $uri = $r->parsed_uri;
>   my $redirect = $uri->scheme . '://' . $uri->hostinfo . '/'. $session_id . '/' .
>     $uri->path . $args;
>   $r->header_out(Location => $redirect);
> }
>
> These session ids are sticky as long as you only use relative paths in your
> html. Note: You may want to put your images in a directory that's not covered by
> this handler and use absolute paths...
>
>
> Date: 22.05.2001 12:03
> To: "mod_perl" <[EMAIL PROTECTED]>
>
>
> Subject: Appending Sessionid to all the urls
> Message text:
>
>
> Hi all :
>
> I wanted to write a mod URL rewrite program.
>
> I wanted to append session ID to the tail of all the urls of a website.
>
> For instance when i access url http://www.nus.edu.sg?sessionid=dfd3453
> i want all the urls to be appended in all the urls of that website..
>
> My qns is everytime i found that the session id is lost... through the many
> requests and responses.
> And the new url does not reflect on the client browser..
>
> Any one got any idea.. what wrong with my program??
>
> Thanks for your help...
>
> sub handler {
>
>  my $r = shift;
>  my $url = $r->uri;
>  my $sessID;
>
>  if($url =~ m/sessionid/){
>   $sessID= getSessionID($url);
>  }
>
>  my $append = "?sessionid=$sessID";
>  my $newURL = $r->uri($url . $append);
>
>  return DECLINED;
>
> }
>
> sub getSessionID{
>  my  $url = $_[0];
>  my  $position = rindex($url,"=")+1;
>  my  $sessID = substr($url,$position,8);
>  return $sessID;
>  }
>
>
> Regards
> kheeteck
>
>
>
>
>
>
>
>






Reply: Re: Appending Sessionid to all the urls

2001-05-23 Thread Michael . Jacob

Hi kheeteck,

as said before - a session id at the end of the URL (as path info, GET parameter
or POST parameter) will not stay there if you don't modify all displayed html
pages. As I understand, you can't modify these pages because they are on another
server. That means you also can't use a leading session id. Bad. There is only
one way left to store information on the browser's side: Cookies.

cu
Michael


Date: 22.05.2001 19:10
To: Michael Jacob/EXT/GAD@GAD
Cc: [EMAIL PROTECTED]

Subject: Re: Appending Sessionid to all the urls
Message text:


Hi Michael :

I am really glad that you reply to my mail.. as i have been trying to solve
this problem for quite some time
Hmm , however i think u slightly misunderstand what i mean..

What i mean is...
For eg,

I have a html page which contains a form page let say allowing the user to
enter certain values... like colorNo etc.
This values would be posted to my server and the data would be stored in a
database(mysql) together with a unique
session id which would be generated. ( for this part i have finished and is
working).

Now comes the problematic part, after the values are submitted. I  want this
value to be available to me each time
as user enter a new url from the browser( take note this url is not the
content residing in my server.. it is any remote site url).
The only way is to append a session id at the url.

So for instance.. after the user finished entering the form page. He can now
access any urls(remote site). How do i tell the server that this is the user
who has entered the form earlier based on the session id generated. And for
all the subsequent links... how can i append the session id.

I would greatly appreciated if you could help me out..
Really thanks to you

Regards
kheeteck






- Original Message -
From: <[EMAIL PROTECTED]>
To: "ktgoh" <[EMAIL PROTECTED]>
Cc: "mod_perl" <[EMAIL PROTECTED]>
Sent: Wednesday, May 23, 2001 12:27 AM
Subject: Re: Appending Sessionid to all the urls


> Hi ktgoh,
>
> you don't tell the browser about the session id. Why?
>
> To use a session id that's appended to the URL is hard work - it has to be
> maintained in every module and html file. So you must append the session id to
> every URL in every page and every piece of code that produces html. There is no
> way to automatically "keep" the id sticky.
>
> A better way for session ids is to put them in front of the URI:
> http://www.nus.edu.sg/dfd3453/some/path/and/file.html
>
> This is (part of) my uri-translation-handler:
>
> sub handler ($r: Apache) {
>   # only do initial request - not an internal sub req
>   return DECLINED unless $r->is_initial_req;
>   return DECLINED unless $r->uri =~ m/$DIR_MATCH/o;
>
>   try my $check_uri = &check_uri($r);
>   # URI contains session id and session object could be read from the DB
>   return DECLINED if $check_uri;
>
>   # else redirect to mangled URI
>   try my $session_id = &make_session_id($r);
>   &redirect($r, $session_id);
>   return REDIRECT;
>   # end of main handler
> }
>
> sub check_uri ($r: Apache) {
>   my $uri = $r->uri || undef;
>   my (undef, $sessionid, $rest) = split '/', $uri, 3;
>   if ($sessionid && $sessionid =~ m/^[0-9a-h]{32,32}$/o) {
> $r->uri("/$rest");
> try void &lock_session_id($r, $sessionid);
> return 1;
>   }
>   return undef;
> }
>
> sub redirect ($r: Apache, $session_id: string min 32 max 32) {
>   my $args = $r->args ? '?' . $r->args : '';
>   my $uri = $r->parsed_uri;
>   my $redirect = $uri->scheme . '://' . $uri->hostinfo . '/'. $session_id . '/' .
>     $uri->path . $args;
>   $r->header_out(Location => $redirect);
> }
>
> These session ids are sticky as long as you only use relative paths in your
> html. Note: You may want to put your images in a directory that's not covered by
> this handler and use absolute paths...
>
>
> Date: 22.05.2001 12:03
> To: "mod_perl" <[EMAIL PROTECTED]>
>
>
> Subject: Appending Sessionid to all the urls
> Message text:
>
>
> Hi all :
>
> I wanted to write a mod URL rewrite program.
>
> I wanted to append session ID to the tail of all the urls of a website.
>
> For instance when i access url http://www.nus.edu.sg?sessionid=dfd3453
> i want all the urls to be appended in all the urls of that website..
>
> My qns is everytime i found that the session id is lost... through the many
> requests and responses.
> And the new url does not reflect on the client browser..
>
> Any one got any idea.. what wrong with my program??
>

Re: Appending Sessionid to all the urls

2001-05-22 Thread Jay Jacobs

there's always more than one way...

DocumentRoot "/usr/local/apache_mp/htdocs"
RewriteEngine On
RewriteCond /usr/local/apache_mp/htdocs/%{REQUEST_FILENAME} !-f
RewriteRule /?S=([^/]+)/(.*) /$2 [E=SESSION_ID:$1]

This sets $ENV{SESSION_ID} to the session ID, but also catches it, if by
some bizarre and unlikely circumstance you have a directory that matches
someone's Session ID.  In this case the session is:
http://host.domain.com/S=asdfasdf/path/requested.pl

Using mod rewrite also munges the $r->filename which helped things like
mason that looked for it (don't know if it still does).

Jay


On Tue, 22 May 2001, Joachim Zobel wrote:

> At 18:06 22.05.2001 +0800, you wrote:
> >
> >For instance when i access url
> >http://www.nus.edu.sg?sessionid=dfd3453
> >i want all the urls to be appended in all the urls of that website..
> >
> >My qns is everytime i found that the session id is lost... through the
> >many requests and responses.
> >And the new url does not reflect on the client browser..
> >
> >Any one got any idea.. what wrong with my program??
> >
>
> Wrong concept.
> Use a sid in the URL path like
> http://www.nus.edu.sg/sessionid-dfd3453/this/is/it.pl
> Use mod_rewrite to remove /sessionid-\w+
> Use only relative links.
>
> That's it. You can get the sessionid by parsing $ENV{REQUEST_URI}
>
> Hth,
> Joachim
>
> --
> "... a race of inventive dwarfs who can be hired for
> anything." - Bertolt Brecht - Life of Galileo
>
>




Re: Appending Sessionid to all the urls

2001-05-22 Thread Joachim Zobel

At 18:06 22.05.2001 +0800, you wrote:
>
>For instance when i access url 
>http://www.nus.edu.sg?sessionid=dfd3453
>i want all the urls to be appended in all the urls of that website..
>
>My qns is everytime i found that the session id is lost... through the 
>many requests and responses.
>And the new url does not reflect on the client browser..
>
>Any one got any idea.. what wrong with my program??
>

Wrong concept.
Use a sid in the URL path like 
http://www.nus.edu.sg/sessionid-dfd3453/this/is/it.pl
Use mod_rewrite to remove /sessionid-\w+
Use only relative links.

That's it. You can get the sessionid by parsing $ENV{REQUEST_URI}

Hth,
Joachim

--
"... a race of inventive dwarfs who can be hired for
anything." - Bertolt Brecht - Life of Galileo




Re: Appending Sessionid to all the urls

2001-05-22 Thread Michael . Jacob

Hi ktgoh,

you don't tell the browser about the session id. Why?

To use a session id that's appended to the URL is hard work - it has to be
maintained in every module and html file. So you must append the session id to
every URL in every page and every piece of code that produces html. There is no
way to automatically "keep" the id sticky.

A better way for session ids is to put them in front of the URI:
http://www.nus.edu.sg/dfd3453/some/path/and/file.html

This is (part of) my uri-translation-handler:

use Apache::Constants qw(DECLINED REDIRECT);

# $DIR_MATCH, make_session_id() and lock_session_id() are not part of this excerpt.

sub handler {
  my $r = shift;
  # only do initial request - not an internal sub req
  return DECLINED unless $r->is_initial_req;
  return DECLINED unless $r->uri =~ m/$DIR_MATCH/o;

  # URI contains session id and session object could be read from the DB
  return DECLINED if check_uri($r);

  # else redirect to mangled URI
  my $session_id = make_session_id($r);
  redirect($r, $session_id);
  return REDIRECT;
  # end of main handler
}

# Strip a leading 32-character session id from the URI and lock that session.
sub check_uri {
  my $r = shift;
  my $uri = $r->uri || '';
  my (undef, $sessionid, $rest) = split '/', $uri, 3;
  if ($sessionid && $sessionid =~ m/^[0-9a-h]{32,32}$/o) {
    $rest = '' unless defined $rest;
    $r->uri("/$rest");
    lock_session_id($r, $sessionid);
    return 1;
  }
  return undef;
}

# Point the client at the same path, prefixed with the new session id.
sub redirect {
  my ($r, $session_id) = @_;   # $session_id: string, 32 characters
  my $args = $r->args ? '?' . $r->args : '';
  my $uri = $r->parsed_uri;
  # $uri->path already starts with '/', so no extra separator is added
  my $redirect = $uri->scheme . '://' . $uri->hostinfo . '/' . $session_id .
                 $uri->path . $args;
  $r->header_out(Location => $redirect);
}

These session ids are sticky as long as you only use relative paths in your
html. Note: You may want to put your images in a directory that's not covered by
this handler and use absolute paths...


Date: 22.05.2001 12:03
To: "mod_perl" <[EMAIL PROTECTED]>


Subject: Appending Sessionid to all the urls
Message text:


Hi all :

I wanted to write a mod URL rewrite program.

I wanted to append session ID to the tail of all the urls of a website.

For instance when i access url http://www.nus.edu.sg?sessionid=dfd3453
i want all the urls to be appended in all the urls of that website..

My qns is everytime i found that the session id is lost... through the many
requests and responses.
And the new url does not reflect on the client browser..

Any one got any idea.. what wrong with my program??

Thanks for your help...

use Apache::Constants qw(DECLINED);

sub handler {

 my $r = shift;
 my $url = $r->uri;
 my $sessID;

 if($url =~ m/sessionid/){
  $sessID= getSessionID($url);
 }

 my $append = "?sessionid=$sessID";
 my $newURL = $r->uri($url . $append);

 return DECLINED;

}

sub getSessionID{
 my  $url = $_[0];
 my  $position = rindex($url,"=")+1;
 my  $sessID = substr($url,$position,8);
 return $sessID;
 }


Regards
kheeteck