On Tue, 07 Dec 1999, Joshua Chamas wrote:
> What options are there anyone, for real cookieless sessions,
> without this security risk ??? We can't use IP authentication
> because of proxies/NAT, maybe an SSL cert, but not everyone has
> this, the UserAgent is not stratified enough to mean much,
> so that what, when we are trying to get past cookies here.
I don't think there's a real option for making it secure. However I think
the prefix (or postfix) method used in the Eagle book is a good one. Simply
change the config to:
    PerlTransHandler Apache::ASP

and in the handler go:

    sub handler {
        my $r = shift;    # Apache request object
        my $url_sessions = $r->dir_config('URLSessions');
        # The handler is installed as a PerlTransHandler (see config above)
        if ($r->current_callback eq 'PerlTransHandler') {
            if ($url_sessions) {
                # Get session ID from URL
                # store in notes or pnotes
                # Remove session ID from URL
            }
            else {
                # Get session ID from cookie
                # store in notes or pnotes
            }
            # Queue this same sub for the content phase
            return $r->push_handlers('PerlHandler', \&handler);
        }
    }

Am I missing some reason this won't work?
--
<Matt/>
Details: FastNet Software Ltd - XML, Perl, Databases.
Tagline: High Performance Web Solutions
Web Sites: http://come.to/fastnet http://sergeant.org
Available for Consultancy, Contracts and Training.
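
The "get session ID from URL / remove it from the URL" steps sketched in the handler above, written out as plain Perl so they run outside Apache. This is an added example, not code from the thread or from Apache::ASP; the 32-hex-character ID format, the session-id cookie name, the extract_session helper and the sample requests are all assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumed ID format: exactly 32 lowercase hex characters. Anything else is
# treated as "no session" instead of being passed on to the session store.
my $ID_RE = qr/[0-9a-f]{32}/;

# Returns (session_id, cleaned_path, source). session_id is undef when no
# well-formed ID is present; cleaned_path never contains the ID.
sub extract_session {
    my ($path, $cookie_header, $url_sessions) = @_;

    if ($url_sessions) {
        # Prefix form: /<id>/rest/of/path
        if ($path =~ m{\A/($ID_RE)(/.*)?\z}s) {
            my ($id, $rest) = ($1, defined $2 ? $2 : '/');
            return ($id, $rest, 'url');
        }
        return (undef, $path, 'none');
    }

    # Cookie form: "lang=en; session-id=<id>" (cookie name is an assumption)
    for my $pair (split /;\s*/, defined $cookie_header ? $cookie_header : '') {
        my ($name, $value) = split /=/, $pair, 2;
        next unless defined $value && $name eq 'session-id';
        return ($value, $path, 'cookie') if $value =~ /\A$ID_RE\z/;
    }
    return (undef, $path, 'none');
}

# Constructed sample requests: [ path, Cookie header, URLSessions flag ]
my $sid = '0123456789abcdef0123456789abcdef';
my @samples = (
    ["/$sid/app/index.asp",    undef,                     1],
    ["/$sid",                  undef,                     1],
    ['/not-a-session/app.asp', undef,                     1],
    ['/app/index.asp',         "lang=en; session-id=$sid", 0],
    ['/app/index.asp',         'session-id=../../tmp/x',   0],
);

for my $s (@samples) {
    my ($id, $clean, $source) = extract_session(@$s);
    printf "%-6s id=%-32s path=%s\n", $source, defined $id ? $id : '-', $clean;
}
```

In a real translation handler the cleaned path would be written back with $r->uri and the ID stored in $r->notes, as the comments in the message describe.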