Mike Kear wrote:
> 
> We'll have a two-web server clustered installation, with another dedicated
> database server running SQLServer2005.   This is a relatively low traffic,
> but high dollar volume site (as in 6-figure pricing) and reason for using
> the server cluster is to get high reliability.
> 
> 
> To remind you of the restrictions:
> 
>    - No cookies. At all. None.  Don't argue - DON'T USE COOKIES
>    (yessir!!).
>    - No Sticky sessions.
>    - No Client variables. (my client had a bad experience with them in a
>    previous life and won't be budged on it)
>    - New session token issued with each page view to prevent people
>    picking up old sessions (or even worse - someone else's sessions) with
>    bookmarks and URLS emailed between users
> 
> That doesn't leave me with a lot of options, so here's what I've come up
> with  - do you folks think this is going to work?
> 
> I'm planning to use UUID() to create the tokens.

UUIDs are not random, they are predictable.


> *OnRequestStart:*
> 
>    - Read the UUID from the URL. (if no UUID create a new 'session')
>    - Retrieve the WDDX packet of the state from the DB
>    - Has the session expired (i.e. is the time stamp more than 30 minutes
>    old?)
>    - If it's expired,  delete the old session and create a new one.
>    - Issue a new UUID for this 'session'.
> 
> *Process the rest of the page.*
> 
> *OnRequestEnd:*
> 
>    - Add UUID to the page request
>    - Serialise the 'session' state into WDDX packet
>    - Add a timestamp (i.e. now())
>    - Write to DB record.

How is this going to work:
- if the user opens more than one page from one page? For instance 
through frames, but could also be caused by a click, back, click sequence.
- if requests cross each other? Will they overwrite each other's session 
variables?
- how about pages that never hit OnRequestEnd (cfabort, cflocation)


I don't see any reason why it wouldn't work to some extent. But I do not 
believe it will be anywhere as secure as the HTTP Digest Authentication 
that is built into your webserver and browser.

Jochem


Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:271007