"Jeffrey W. Baker" wrote:
>
> On Tue, 9 May 2000, Tom Mornini wrote:
>
> > The cool thing about this is that relative links need not be rewritten at
> > all, the browser handles it!
>
> This last part is a great point, and one that people would do well to
> heed. I hadn't considered the implication that relative URLs would work
> this way, but they do. I'm excited!
>
> I like to use session ids at the beginning of the URL for another
> reason: the users understand it. For example, if they visit a URL:
>
> https://secretstartup.com/home/abcdef0987654321/foo/bar/baz/quux
>
> A lot of users are advanced enough to chop off part of the URL to get what
> they want. With the session ID at the root of the URL, this is easier to
> do. With this URL,
>
> https://secretstartup.com/foo/bar/baz/quux/abcdef0987654321
>
> The users are likely to either not try, or to get it wrong.
>
> This works on my site, because the urlspace is completely
> fictitious. There is no disk path /home/abcdef0987654321, in fact there
> is no /home, nor even a document root at all. I just threw in the /home
> to make the URL look a little more friendly.

Does the site revert to cookie based sessions if the sessionID is
chopped off? What is the purpose of chopping off the sessionID?
Prettier bookmarks?

At my site, I just made the executive decision (w/ the backing of my
project manager of course :-) that cookies would need to be turned on.
The cookie just contains a customerID, registered status and an MD5 hash
to make sure they don't screw around with the cookie contents. It has an
expire time of 1 year, so that a user only has to log in once. I have to
do this in my case because they get non-watermarked images if they have
registered. :-) If they don't accept the cookie, then they only get
watermarked images.

This customerID is an index into my database, from which everything else
is pulled. But, I actually have written code so that I can use PATH_INFO
also. I had to do this because I have many sites (i.e. domains) that all
use a single _secure_ domain for ordering. So I cobbled together some
code to A) enable me to pull the correct site's template and B) make
sure they still can't fake being another user.

To get back on topic, it would be extremely useful for me to have a
seamless model I could use everywhere. I have no problem with cookies. I
personally have cookies turned on, but refuse cookies not coming from
the site I'm visiting (think DoubleClick, etc...). But it would also be
a major plus to seamlessly be able to detect if a user is not accepting
cookies and start using URL tracking. Servlets have really got it made
in this respect.

I would be very interested to get an idea of how many ordinary users
surf with cookies turned off. I just decided to force people to have
them. Call me evil, but I got it past the boss. :-) Does anyone have
reliable information about this topic?

--
Drew Taylor
Vialogix Communications, Inc.
501 N. College Street
Charlotte, NC 28202
704 370 0550
http://www.vialogix.com/
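
The tamper-evident cookie described in the reply above (customerID, registered status, a hash, one-year expiry), as an added example that is not code from the original post or its author's site. It swaps the MD5 hash for HMAC-SHA-256 with a server-side key; the field layout, the `|` separator, the key and the function names are assumptions.

```python
import hashlib
import hmac

# Constructed key for this example; a real site loads it from secret storage.
SECRET_KEY = b"constructed-example-key"
ONE_YEAR = 365 * 24 * 3600  # the expiry the post mentions, in seconds


def _mac(payload: str) -> str:
    """Keyed digest over the cookie fields (HMAC-SHA-256, hex encoded)."""
    return hmac.new(SECRET_KEY, payload.encode("ascii"), hashlib.sha256).hexdigest()


def make_cookie(customer_id: int, registered: bool, now: int) -> str:
    """Build 'customerID|registered|expires|mac'; the MAC covers all three fields."""
    payload = f"{int(customer_id)}|{int(bool(registered))}|{now + ONE_YEAR}"
    return f"{payload}|{_mac(payload)}"


def read_cookie(value: str, now: int):
    """Return (customer_id, registered) for an authentic, unexpired cookie, else None."""
    payload, sep, mac = value.rpartition("|")
    if not sep or not value.isascii():
        return None
    # Verify the MAC before trusting any field; compare_digest is constant-time.
    if not hmac.compare_digest(mac, _mac(payload)):
        return None
    fields = payload.split("|")
    if len(fields) != 3 or not all(f.isdigit() for f in fields):
        return None
    customer_id, registered, expires = (int(f) for f in fields)
    # The expiry is inside the MAC, so a client cannot extend its own cookie.
    if registered not in (0, 1) or now >= expires:
        return None
    return customer_id, bool(registered)
```

Because the registered flag and the expiry are both covered by the MAC, editing either one in the browser makes `read_cookie` return None, and the site can fall back to the watermarked images.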