It seems like it would be easier to register a proc for /* to a special procedure that does all routing. The procedure could check the URL for what looks like a ssn# and redirect/generate SID if necessary. The procedure would then either do an ns_returnfile (in the case of a static doc) or ns_adp_parse the contents of .adp files, or execute a procedure, etc.
You'd still have to use relative URLs with this method, though. Seems easier to either use cookies for the session id, or pass around the session id as a CGI parameter. You could use a simple proc to generate URLs such that the session ID would get tacked onto every one, or some such thing.

We use something somewhat similar to this. Every page includes a standard .adp header which checks for the presence of a particular CGI parameter. This could probably also be done via a filter if you wanted. We use an include file since you can pass arguments to it -- some .adp files have stricter requirements than others regarding whether or not the CGI param HAS to be present, or what value it has to take on.

As far as hijacking goes, whatever you do, you're probably going to have to be careful that at least part of the session id is randomly generated, unique, and short-lived. This way, if someone steals someone else's session ID, it's only good for a limited period of time. It's not uncommon to use a sequence (for uniqueness) with some random digits added on.

Have fun,
Rusty

On Thu, 27 Dec 2001, Wojciech Kocjan wrote:

> Hello.
>
> I realize that this idea is quite weird and probably useless, but what
> if sessions on AOLserver would be implemented in this weird way:
>
> / created/gets (cookie - if available) a SID and redirects to
> /ssn0123456789abcde/index.adp which is the real page from documentroot
>
> this way, tracking sessions can be done via an url - assuming that no one
> will use [ns_conn urlv|urlc] in an improper way and won't redirect
> forms/links as /link/to/page.adp.
>
> This could be written to handle only /ssn* and / (to get the cookie
> and/or redirect to session-tracked url). The problem is that this won't
> work with registered procs and would require distinguishing ADP files
> and change /directory/ to /directory/index.adp and so on. But it is worth
> considering...
>
> --
> WK

------------------------------------------
Rusty Brooks : http://www.rustybrooks.org/
Spewing wisdom from every orifice
------------------------------------------
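The session-id scheme Rusty sketches (a sequence number for uniqueness, random digits added on, a short lifetime, and a helper that tacks the id onto every URL as a CGI parameter), written out as an added example in Python rather than AOLserver Tcl; it is not code from the thread. The in-memory store, the 15-minute lifetime and the `sid` parameter name are assumptions.

```python
import itertools
import secrets
import time
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Lifetime of an issued id (assumed value): a stolen id is only good this long.
SESSION_TTL = 15 * 60

_seq = itertools.count(1)   # sequence part: guarantees uniqueness across issues
_sessions = {}              # sid -> expiry timestamp (constructed in-memory store)


def new_session(now=None):
    """Issue an id built from a zero-padded sequence number plus 64 random bits."""
    now = time.time() if now is None else now
    sid = "ssn%08d%s" % (next(_seq), secrets.token_hex(8))
    _sessions[sid] = now + SESSION_TTL
    return sid


def validate_session(sid, now=None):
    """Accept only an id this server issued that has not yet expired.

    Expired ids are removed on first sight so they cannot be replayed later.
    """
    now = time.time() if now is None else now
    expiry = _sessions.get(sid)
    if expiry is None:
        return False
    if now >= expiry:
        del _sessions[sid]
        return False
    return True


def with_sid(url, sid):
    """Append the session id as a CGI parameter, replacing any stale one."""
    parts = urlsplit(url)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != "sid"]
    query.append(("sid", sid))
    return urlunsplit(parts._replace(query=urlencode(query)))
```

Every generated link on a page would go through `with_sid`, and the per-page header check the post describes would call `validate_session` on the incoming `sid` parameter.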
