You should be able to wrap the session creation inside an eval so that if 
the session has expired, your code doesn't break, it silently creates a new 
session behind the scenes.

That's if you have this requirement.

Later,
    Gunther

At 04:50 PM 5/9/00 -0500, Jay Jacobs wrote:

>On Tue, 9 May 2000, Jeffrey W. Baker wrote:
> > Why is the session ID invalid just because they left for a week?  Ask them
> > to authenticate again and take them right back to whatever they were
> > doing.
> >
> > On some sites bookmarking the URL with the session ID embedded is the
> > optimal behavior.
> >
> > -jwb
>
>Session-jumping is a key concern in my application, once a user logs in,
>they're going to be looking at sensitive information that pertains
>directly to that user.  Sessions need to be timed and expire in a short
>amount of time (30 mins or so) of inactivity.
>
>If a registered user comes back after that time (from a bookmark or
>refresh), I'm going to redirect them to the login page, and then put
>them to the originally requested document after they authenticate, just
>like you said.
>
>I just can't see tying in the ip address, or any other mechanism as being
>100% effective for session management...
>
>Jay
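
The eval wrapper suggested at the top of this message, combined with the 30-minute idle timeout and login redirect from the quoted reply, as an added example (not code from any poster in this thread). It assumes Perl's block `eval`, a hypothetical in-memory `%STORE` standing in for a real session backend, `/dev/urandom` as the ID source, and a `/login` path.

```perl
use strict;
use warnings;

my $IDLE_LIMIT = 30 * 60;   # 30 minutes of inactivity, as in the quoted reply
my %STORE;                  # hypothetical in-memory store, not a real backend

# Always mint a fresh random ID; never adopt the ID the client presented.
sub new_session {
    my ($now) = @_;
    open my $fh, '<:raw', '/dev/urandom' or die "no entropy source: $!";
    read($fh, my $bytes, 16) == 16 or die "short read from /dev/urandom";
    close $fh;
    my $id = unpack 'H*', $bytes;
    return $STORE{$id} = { id => $id, user => undef, last_seen => $now };
}

# Dies on an unknown or idle-expired ID, the way a session store lookup would.
sub load_session {
    my ($id, $now) = @_;
    my $s = defined $id ? $STORE{$id} : undef;
    die "unknown session\n" unless $s;
    if ($now - $s->{last_seen} > $IDLE_LIMIT) {
        delete $STORE{$id};              # expired state is destroyed, not revived
        die "expired session\n";
    }
    $s->{last_seen} = $now;
    return $s;
}

# The eval wrapper: a bad ID does not break the request. It yields a new,
# unauthenticated session, and the return URL is kept server-side.
sub handle_request {
    my ($id, $url, $now) = @_;
    my $s = eval { load_session($id, $now) } || new_session($now);
    return ($s, $url) if defined $s->{user};
    $s->{return_to} = $url;              # where to go after login
    return ($s, '/login');               # assumed login path
}

# Constructed walk-through: log in, stay active, then return after 31 idle minutes.
my $t0 = 1_000_000;
my ($s) = handle_request(undef, '/account', $t0);
$s->{user} = 'jay';                      # stands in for a successful login
my (undef, $dest1) = handle_request($s->{id}, '/account', $t0 + 60);
my ($s2, $dest2)   = handle_request($s->{id}, '/account', $t0 + 60 + 31 * 60);
print "active: $dest1\n";
print "idle:   $dest2 (return_to $s2->{return_to}, new id: ",
      ($s2->{id} ne $s->{id} ? 'yes' : 'no'), ")\n";
```

The silently created session carries no user and a new ID, so a bookmarked URL with a stale session ID leads to the login page rather than back into the old session.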
