[EMAIL PROTECTED] <> wrote on Friday, 4 November 2005 13:35:

> J. Erik Heinz <[EMAIL PROTECTED]> words on 04.11.2005 - 13:06 (+0100 Zulu-Time):
>
> [ transferring key from one to another page ? ]
>
>> Sure I could attach it as get-parameter. But with this mechanism I
>> annul the whole security mechanism... I offer the client more
>> information than he needs.

You must pass the session id to the user so that he can pass it on to you on your next request. This issue is not agavi-related or a php problem, but is due to the stateless nature of the http protocol. The security (and comfort) benefit is that you don't have to pass all persistent data as well as username/password for each request.

There are several ways of passing a session token:

- pass it as a get parameter (hidden form field for forms)
- use a cookie
- use a dedicated virtual host for each user. This involves creating a virtual host for each user and keeping him on the domain userid.yourdomain.tld, so this is the least preferred solution of those three.

Cookie is the method that is preferred (and regarded as more secure), as it keeps the session token out of the url, but you can use a get parameter as fallback if you desire, and you can create an agavi controller that does all of this for you [check whether the cookie was set successfully and otherwise append the session token].

Note that you should recreate the session token after a successful login attempt to prevent some kinds of session hijacking attacks.

Note that there is no need to call the session-save/-update etc. functions manually, as php calls them when appropriate. Your only job is to make sure that sessions are enabled in the config file and that the session token gets passed on from one request to the other.

> I thought a little bit about that. I could store the key in a database
> table, together with the information of the userid. But with this the
> whole session table would be obsolete. Why should I use 2 tables that
> hold information about the session for a user. I could use one table
> with all information.

You don't have to. But you will have to pass one single identifying token with each request.

> But on the other side, I think the session-management in agavi is not
> implemented for fun. There should be some useful functions, but I
> don't see them yet. Perhaps a small tutorial or explanation
> would be helpful :)

Session management is "only" implemented so that you can change the location where session-data is stored from the php-default location in the filesystem to a database storage of your choice. There is no need to call any of the session handling functions explicitly - to the contrary, this might rather be counterproductive.

> Regards erik

Hope that helped at least a little.

regards
felix

--
Felix Gilcher
Head of IT Development
Exozet Berlin GmbH
Rotherstraße 20
10245 Berlin

_______________________________________________
agavi-dev mailing list
[email protected]
http://labworkz.com/cgi-bin/mailman/listinfo/agavi-dev
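The cookie-based session transport, the "was the cookie accepted" check and the token regeneration after login that Felix describes, written out in plain PHP as an added example. This is not Agavi's code and not code from the thread; it uses only PHP's built-in session_* functions (the array form of session_set_cookie_params assumes PHP 7.3 or later), and the function names configure_session, login_user and cookie_accepted are illustrative. It takes the cookie-only path and deliberately disables the GET-parameter fallback, since a token in the URL ends up in referer headers, proxy logs and browser history.

```php
<?php
declare(strict_types=1);

// Added example, not Agavi's own API. Function names below are assumptions
// for illustration; the session_* and ini_set calls are standard PHP.

// Keep the token out of the URL: cookie transport only.
function configure_session(bool $https): void
{
    ini_set('session.use_only_cookies', '1');   // ignore ids passed via GET/POST
    ini_set('session.use_trans_sid', '0');      // never append the id to links/forms
    ini_set('session.use_strict_mode', '1');    // reject ids the server never issued
    session_set_cookie_params([
        'lifetime' => 0,          // browser-session cookie
        'path'     => '/',
        'secure'   => $https,     // send only over TLS when served via https
        'httponly' => true,       // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

// After a successful credential check, issue a fresh id and discard the old
// session data so a token handed out before login cannot be reused afterwards.
function login_user(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id']  = $userId;
    $_SESSION['login_at'] = time();
}

// The server cannot know on the first request whether the browser will return
// the cookie. Set a marker in the session; on the next request the marker is
// present only if the cookie came back, which is the check the thread mentions.
function cookie_accepted(): bool
{
    if (!isset($_SESSION['cookie_probe'])) {
        $_SESSION['cookie_probe'] = 1;   // first hit: cannot tell yet
        return false;
    }
    return isset($_COOKIE[session_name()]);
}

// Constructed usage for a login action (sample credentials are made up).
$storedHash = password_hash('correct horse battery staple', PASSWORD_DEFAULT);

configure_session(!empty($_SERVER['HTTPS']));

if (cookie_accepted()
    && ($_POST['user'] ?? '') === 'erik'
    && password_verify($_POST['pass'] ?? '', $storedHash)) {
    login_user(42);
    echo "logged in, session id regenerated\n";
} else {
    echo "not logged in\n";
}
```

On the first request cookie_accepted() always returns false, so a real login form would typically be reached via a page that has already set the session cookie; the probe only becomes meaningful from the second request onward. session_regenerate_id(true) deletes the old session storage as well, which matters when the session handler has been pointed at a database table, as the thread discusses.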
