Dave Hodgkinson writes:
 > 
 > "Jamie O'Shaughnessy" <[EMAIL PROTECTED]> writes:
 > 
 > > 
 > > On 11 Oct 99 15:05:23 +0100, you wrote:
 > > 
 > > >I was actually looking at a PerlTransHandler that I'd drop into
 > > >my site-wide files that would do something like the following:
 > > >
 > > >  my $uri = $r->uri;
 > > >  if ($uri =~ s#/@@(\d+)@@/#/#) {
 > > >    $session = $1;
 > > >    $r->uri($uri);
 > > >    $r->header_in(Session => $session);
 > > >  }
 > > >
 > > >This way, a session ID could be generated of the form
 > > >
 > > >  /some/path/@@123456@@/foo/bar.html
 > > >
 > > 
 > > But isn't the problem then that if the user cuts & pastes the URL for
 > > someone else to use (e.g. mails it to someone), they're also then passing
 > > on their authentication? 
 > > 
 > > Doesn't this also mean you can only have links from sessioned pages ->
 > > non-sessioned pages or sessioned pages -> sessioned pages and not
 > > non-sessioned pages -> sessioned pages. I'd classify a non-sessioned page
 > > as a static HTML page.
 > > 
 > > Have I missed something here?
 > 
 > Perhaps an MD2 or MD5 hash that has an IP and the username or some
 > other bumf as semi-authentication might do the trick?

Don't use the IP address. Some proxy systems have a non-static IP
address for requests coming from the same physical client (some of
AOL's proxies work that way, if I remember correctly...)

Michael
-- 
Michael Peppler         -||-  Data Migrations Inc.
[EMAIL PROTECTED]    -||-  http://www.mbay.net/~mpeppler
Int. Sybase User Group  -||-  http://www.isug.com
Sybase on Linux mailing list: [EMAIL PROTECTED]
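
The following is an added example, not code from the thread or from any of its posters. It sketches a URL session token of the /@@...@@/ form discussed above that is bound to a username and an expiry time instead of the client IP, so it still verifies when a proxy changes the source address. It swaps the MD5 hash suggested in the thread for HMAC-SHA256 with a server-side key; the token layout, the key, the function names and the sample values are all assumptions.

```perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Constructed key for illustration; a real one is long, random and server-side only.
my $SECRET = 'replace-with-a-long-random-server-side-key';

# Token = user.expiry.mac. The MAC covers user and expiry, never the client IP.
sub make_token {
    my ($user, $expires) = @_;
    return join '.', $user, $expires, hmac_sha256_hex("$user|$expires", $SECRET);
}

# Constant-time comparison, so the check does not leak how many characters matched.
sub same_string {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Returns (clean_uri, user); user is undef if the token is absent, forged or expired.
sub strip_session {
    my ($uri, $now) = @_;
    return ($uri, undef)
        unless $uri =~ s{/\@\@([A-Za-z0-9_]+)\.(\d+)\.([0-9a-f]{64})\@\@/}{/};
    my ($user, $expires, $mac) = ($1, $2, $3);
    my $ok = same_string($mac, hmac_sha256_hex("$user|$expires", $SECRET))
        && $expires > $now;
    return ($uri, $ok ? $user : undef);
}

my $now   = 939_650_723;                      # constructed clock value
my $token = make_token('jamie', $now + 900);  # constructed user, 15 minute lifetime
(my $forged = $token) =~ s/^jamie/admin/;     # username changed, MAC left as it was

my @cases = (
    [ valid    => "/some/path/\@\@$token\@\@/foo/bar.html",  $now ],
    [ expired  => "/some/path/\@\@$token\@\@/foo/bar.html",  $now + 901 ],
    [ tampered => "/some/path/\@\@$forged\@\@/foo/bar.html", $now ],
);
for my $case (@cases) {
    my ($label, $uri, $time) = @$case;
    my ($clean, $user) = strip_session($uri, $time);
    printf "%-8s %s user=%s\n", $label, $clean, defined $user ? $user : '(none)';
}
```

The expiry only limits how long a copied URL stays usable; anyone holding the URL within that window is still treated as the session owner.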
