At 02:42 15.11.2002, Sascha Cunz said:
--------------------[snip]--------------------
>This sounds like a pretty good idea to work around that problem :-)
>
>Does this system work, if the user decides to split "one session" across 
>multiple "Browser-Windows", i.e. he uses the "Open in new window"-Function 
>of most browsers?
--------------------[snip]-------------------- 

Halfway it does (I told you there's more to it...)
There are two scenarios:

a) user has two logins in two browser windows at the same time:

The cookie "name" is not hard coded but generated as well, just as
"UTOKEN_1234" or something. The cookie name is also stored in session data.

b) user has one login but two different windows:

Generally this presents a problem as an application usually has a "state"
that's reflected in session data. What needs to be done is:
a) detect that the user has "split" the application
b) split session data, or create a new session.

As for (a) - we chose our application windows to be generally non-cacheable
(at least those using this mechanism). Thus, opening a new window will
rerun the code, transmitting an altered user-token cookie to the browser.
The reloaded window will simply continue the application from its current
state, and alter the user-token cookie.

As for (b) it depends on the content of the "original" page. If this is a
form it's easy to detect that the form is not the "most recent" (our forms
generally have a "serial number" to avoid duplicate actions through form
reloads). If the form that is detected as being "reloaded" is not the last
form the application has seen we decide that the application has been
"split up" - we simply close the session and require the user to log in
anew (in this window only, of course), now using a different session ID.

If the cloned window is _not_ a form I have no solution yet - all our apps
are form-based.

One last word to "close the session" - this is done by calling
session_write_close() and redirecting the browser to the application entry
page, now _not_ using SID (session has already closed, no SID available).


-- 
   >O     Ernest E. Vogelsinger
   (\)    ICQ #13394035
    ^     http://www.vogelsinger.at/



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
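
The form serial check and session close described in the message above, sketched as an added example that is not part of the original post or the poster's code. The function names, the session keys and the three-way fresh/duplicate/split result are assumptions made for illustration.

```php
<?php
// Added illustration of the form serial check; all names here are hypothetical.

// Issue the serial for the next form and remember it as the outstanding one.
function issue_form_serial(array &$sess): int {
    $sess['counter'] = ($sess['counter'] ?? 0) + 1;
    return $sess['outstanding'] = $sess['counter'];
}

// Classify a submitted serial against what the application has seen so far.
function classify_submit(array &$sess, int $serial): string {
    if (($sess['outstanding'] ?? null) === $serial) {
        $sess['last_seen'] = $serial;     // newest form: accept it exactly once
        $sess['outstanding'] = null;
        return 'fresh';
    }
    if (($sess['last_seen'] ?? null) === $serial) {
        return 'duplicate';               // reload of the last form: skip the action
    }
    return 'split';                       // older form, so another window moved on
}

// Close the session and send this window to the entry page without a SID.
function restart_at_entry(string $entryUrl): void {
    session_write_close();
    header('Location: ' . $entryUrl);
    exit;
}

// Constructed walk-through (CLI only): window A holds form 1, window B form 2.
if (PHP_SAPI === 'cli') {
    $sess = [];                           // stands in for $_SESSION
    $a = issue_form_serial($sess);        // window A
    $b = issue_form_serial($sess);        // "Open in new window" reruns the page
    foreach ([$b, $b, $a] as $serial) {
        echo $serial, ' => ', classify_submit($sess, $serial), PHP_EOL;
    }
}
```

In a web request the handler would pass `$_SESSION` instead of the constructed array and call `restart_at_entry()` when the result is `split`.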
