Hello Chris

And thank you for your comments and suggestions.

I think that the solution you offer is a great idea. However, in my case, I 
may not be able to implement it as I, as the webmaster, do not always get 
the chance to add ‘$next_query_string’ to the a href. Some of the cross-site 
links are added to discussion forums by the users.

I will try making a wrapper function that makes the ‘special sauce’ links in 
the normal body of the pages. That will just leave the cross-site links in 
the forum. Maybe I will be able to implement a special solution for the 
forum…

May I ask what ‘CDSM specification’ is… I am not familiar with the term.

Thanks again for your comments. They have been really helpful to me.

Stefen






>From: Chris Shiflett <[EMAIL PROTECTED]>
>To: Chris Shiflett <[EMAIL PROTECTED]>
>CC: Stefen Lars <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
>Subject: Re: [PHP] Cross-Site Sesison ID Propagation
>Date: Mon, 08 Jul 2002 17:31:02 -0500
>
>I made an error in my explanation (below). The reason you don't want to 
>include the query string separator character in your variable is to allow 
>flexibility with the types of URLs you can easily integrate this in with. 
>My example should have looked like this:
>
><a href="http://www.site3.com/?<? echo $next_query_string; ?>">Site 3</a>
>
>The same conditional logic can be used. This allows for URLs that already 
>have a query string to be addressed as follows:
>
><a href="http://www.site3.com/index.php?task=incoming&<? echo $next_query_string; ?>">Site 3</a>
>
>Happy hacking.
>
>Chris
>
>Chris Shiflett wrote:
>
>>Stefen,
>>
>>There is no built-in way to do what you are speaking about here (that I 
>>know of), but there is a pretty easy technique. However, even this 
>>requires a lot of work to integrate into your existing code, but it will 
>>ease all future additions and maintenance.
>>
>>Keep a variable called something like $next_query_string (so you don't 
>>confuse it with the current one - you can just use $query or something if 
>>you prefer brevity), and keep up with any and all variables that you may 
>>need to include in all of your external links to other affiliated sites.
>>
>>For example:
>>
>>$next_query_string="sid=1234567";
>>
>>For all links where you're wanting to include the session ID in the URL, 
>>build them as follows:
>>
>><a href="http://www.site3.com/<? echo $next_query_string; ?>">Site 3</a>
>>
>>I'm sure this seems like just as much work, but once in place, your 
>>development will be much easier.
>>
>>This will also allow you to add conditional logic to which sites receive 
>>the "special sauce" in their URL. :-)
>>
>>if (in_array("www.site3.com", $hosts_allow))
>>{
>>?>
>><a href="http://www.site3.com/<? echo $next_query_string; ?>">Site 3</a>
>><?
>>}
>>else
>>{
>>?>
>><a href="http://www.site3.com/">Site 3</a>
>><?
>>}
>>
>>This will also allow you to make global changes to how you handle this 
>>cross-domain session management. I wrote an extensive CDSM specification 
>>for the USPS to use (if you ever notice, many of their "services" are not 
>>in the usps.com domain) that leverages the HTTP protocol to maintain 
>>*some* security. I would recommend that you also consider passing 
>>additional information on the URL that is, for example, some encrypted 
>>information about the client that would at least be somewhat challenging 
>>to spoof. This would make it more difficult for someone to impersonate 
>>your user, since more than just the session ID on the URL would be 
>>necessary. How secure you want to make this needs to be balanced with your 
>>performance requirements, of course, because checks do take time.
>>
>>Just a suggestion.
>>
>>Happy hacking.
>>
>>Chris
>>
>>Stefen Lars wrote:
>>
>>>Hello all fellow-hackers
>>>
>>>I am working on a project that includes a number of web sites, which are 
>>>grouped together into one network. Kind of like the 'OSDN' network, of 
>>>which Slashdot.org, for example, is a member.
>>
>>
>>
>>






-- 
PHP General Mailing List (http://www.php.net/)
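
Added example, not part of the original thread: one way to write the wrapper function Stefen mentions, applying the `$hosts_allow` check from Chris's reply and handling URLs that already carry a query string. `affiliate_href()` and the sample URLs are hypothetical; `$hosts_allow` and `$next_query_string` are the names used in the thread.

```php
<?php
// Added example, not code from the thread. $hosts_allow and $next_query_string
// are the thread's names; affiliate_href() and the sample URLs are hypothetical.

function affiliate_href(string $url, string $next_query_string, array $hosts_allow): string
{
    $parts  = parse_url($url) ?: [];
    $scheme = strtolower($parts['scheme'] ?? '');
    $host   = strtolower($parts['host'] ?? '');

    // Session data goes only to http(s) links whose host is an exact,
    // whole-string match in the allow-list. Backslashes and whitespace are
    // refused because browsers may parse them differently than parse_url().
    $trusted = strpbrk($url, "\\ \t\r\n") === false
        && in_array($scheme, ['http', 'https'], true)
        && in_array($host, $hosts_allow, true);

    if ($trusted && $next_query_string !== '') {
        // Keep any #fragment at the end, after the query string.
        $hash     = strpos($url, '#');
        $fragment = $hash === false ? '' : substr($url, $hash);
        $base     = $hash === false ? $url : substr($url, 0, $hash);

        // '?' starts a query string; '&' extends an existing one.
        if (strpos($base, '?') === false) {
            $sep = '?';
        } else {
            $sep = in_array(substr($base, -1), ['?', '&'], true) ? '' : '&';
        }
        $url = $base . $sep . $next_query_string . $fragment;
    }

    // Escape for use inside a double-quoted href attribute.
    return htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
}

$hosts_allow       = ['www.site3.com'];   // constructed allow-list
$next_query_string = 'sid=1234567';       // sample value from the thread

foreach ([
    'http://www.site3.com/',
    'http://www.site3.com/index.php?task=incoming',
    'http://www.site3.com.example.net/',  // look-alike host: no session data added
] as $link) {
    echo '<a href="', affiliate_href($link, $next_query_string, $hosts_allow), "\">Site</a>\n";
}
```

Because the function takes any URL string, it can also be applied to links pulled out of user-submitted forum posts before they are rendered.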