Joshua Chamas wrote:
> 
> Greg & Gerald,
> 
> I wanted to bring an important issue that came up with
> Apache::ASP, how will you deal with search engines indexing
> the session-ids in the URL?
> 
> In Apache::ASP, this is handled a couple of ways, first the
> session-id is stored as a query string param, not in the path
> to give a hint at its dynamic nature for smarter search engines
> that respect this, but more important, there is detection that if
> the incoming session is not active, a new session id will
> be assigned to the end user.  This will prevent users that come
> from a search engine from all having the same session id.
> 
> I don't know how this latter might be dealt with in this case
> except by perhaps some runtime checking with Apache::Session
> for existence, and then a redirect at that time to a new URL
> with the right session-id?  The Apache::ASP query string
> SessionQueryParse implementation makes changing the id without
> redirection possible, but at the expense of runtime buffer
> URL parsing for those without cookies.
> 
> Also note that a developer should be made aware of the security
> implications associated with off site HTTP_REFERER logging
> of one's session id, so that a developer can work around this
> accordingly.  In Apache::ASP, I am just careful to warn about
> this issue in the docs and give an appropriate workaround:
> 
>   http://www.nodeworks.com/asp/sessions.html

Thanks Joshua

I've looked through the Apache::ASP session code and saw your args method.

Ian Kallen suggested a hash of known indexers - which is a good idea -
but has one problem of how to keep this up to date.

A few issues that have been brought to my attention are:

1 - Whether to use URI rewriting - and hence the indexer issue - or
to rewrite query args (i.e. remove a session arg and place it into a
pnotes entry), so that hopefully clever indexers will ignore the last
bit.

2 - The HTTP_REFERER leaking is an issue that people need to be aware of
- I could make a quick redirect filter that could remove the session
id.  This can also help with click-throughs etc.  I am not aiming to do
any checking of the session id - that's left to something else.

3 - When to redirect to check for cookies etc., i.e. when a client comes
in without any session info, do we immediately redirect to try and set a
cookie, and then use that or else do something else?  Or only check
after the second request?

4 - Defining what a session is may be helpful.  What I call a session
others may disagree with.  I need to scope what I'm going to write -
otherwise I'll be redoing it every 5 minutes!  My spin on a session is
something that needs to be tracked - and I usually only do this when I
have to.  Others may define a session as any user interaction within a
small time frame on their site so that they can track a user's click
through (TMTOWTDI on this front I know).


Please send me any comments.


Thanks again Joshua

Greg Cope

> 
> It's a nice feature to get right when it's finally working. Enjoy!
> 
> --Joshua
> 

<snippage>
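The two mechanisms the thread discusses, as an added example that is not part of this thread and not the Apache::ASP or Apache::Session code: a request is matched to a session first by cookie, then by a query-string id, and an id the store does not recognise (expired, or copied out of a search-engine result) is never adopted but replaced by a fresh one via a redirect to the corrected URL, so visitors who follow the same indexed link do not share a session. Once the cookie comes back, a further redirect strips the id from the URL so it stops appearing in the address bar and therefore in the HTTP_REFERER sent to off-site links. The parameter name `session-id`, the `SessionStore` class and the `handle` signature are assumptions of this example; the store is an in-memory stand-in, written in Python rather than mod_perl to keep it self-contained.

```python
import secrets
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Hypothetical parameter name; the thread does not give Apache::ASP's actual one.
SESSION_PARAM = "session-id"


class SessionStore:
    """Constructed in-memory stand-in for Apache::Session: knows which ids are active."""

    def __init__(self):
        self._active = set()

    def is_active(self, sid):
        return sid in self._active

    def create(self):
        sid = secrets.token_hex(16)   # unguessable, never derived from client input
        self._active.add(sid)
        return sid


def _query_params(url):
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))


def strip_session(url):
    """Return url with the session parameter removed, other query args preserved."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k != SESSION_PARAM]
    return urlunsplit(parts._replace(query=urlencode(kept)))


def add_session(url, sid):
    """Return url carrying sid as a query-string parameter (the cookieless fallback)."""
    parts = urlsplit(strip_session(url))
    query = parse_qsl(parts.query, keep_blank_values=True) + [(SESSION_PARAM, sid)]
    return urlunsplit(parts._replace(query=urlencode(query)))


def resolve_session(store, cookie_sid, url):
    """Pick the session for a request: active cookie id, then active query id, else new.

    An id the store does not know is never trusted, so many visitors arriving
    through one indexed URL each get their own session.  Returns (sid, source).
    """
    if cookie_sid and store.is_active(cookie_sid):
        return cookie_sid, "cookie"
    query_sid = _query_params(url).get(SESSION_PARAM)
    if query_sid and store.is_active(query_sid):
        return query_sid, "query"
    return store.create(), "new"


def handle(store, cookie_sid, url):
    """Minimal handler returning (status, location_or_None, sid, set_cookie).

    - stale id in the URL and no usable cookie: issue a new id, set the cookie and
      302 to the same URL with the new id (the redirect Joshua describes);
    - active cookie but the URL still carries an id: 302 to the URL without it,
      so the id no longer leaks through HTTP_REFERER to off-site links;
    - otherwise serve the page directly.
    """
    sid, source = resolve_session(store, cookie_sid, url)
    url_has_sid = SESSION_PARAM in _query_params(url)
    if source == "new" and url_has_sid:
        return 302, add_session(url, sid), sid, True
    if source == "cookie" and url_has_sid:
        return 302, strip_session(url), sid, False
    return 200, None, sid, source == "new"


if __name__ == "__main__":
    store = SessionStore()
    # Constructed request: a visitor arriving from a search result with a dead id.
    print(handle(store, None, "http://example.test/page?session-id=stale123&x=1"))
```

A cookieless client that presents an active id in the URL is served directly with that id, which is the URL-rewriting case Joshua mentions; every other request ends up on a URL that carries no session id.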
