Posted to asp@perl.apache.org by Ben Soares <Be...@ed.ac.uk> on 2002/05/10 16:31:36 UTC
Enforcing Cookieless Sessions
Hi,
We've been using Apache::ASP to develop one of our projects for the last
couple of months so far with relative success. Thanks to the Apache::ASP
developers!
One question, I know you can have cookieless sessions if the browser has
cookies disabled, but I would like to know if you can *force* cookieless
sessions.
Basically, I am ensuring that the "session-id=$Session->{SessionID}" appears
in each link/form from each page, and I have set SessionQuery in the
httpd.conf file (although I have not set SessionQueryParse or
SessionQueryMatch -- I don't think I need to since I'm doing it "manually").
This all seems to work fine except for my problem: I want a user to be able
to login again (different user) and start with a new Session. Unfortunately,
Apache::ASP seems to be setting a cookie regardless and this is interfering
with my new Session. Naturally I cannot ensure users will have cookies
disabled in their browser.
So, to sum up: is there a way to *stop* Apache::ASP setting the session-id
cookie?
Thanks for any help,
Ben
--
Ben Soares tel: +44 (0)131-651 1238
EDINA, Edinburgh University Data Library fax: +44 (0)131-650 3308
Main Library Building, George Square email: ben.soares@ed.ac.uk
Edinburgh EH8 9LJ, Scotland, UK www: http://edina.ac.uk/
---------------------------------------------------------------------
To unsubscribe, e-mail: asp-unsubscribe@perl.apache.org
For additional commands, e-mail: asp-help@perl.apache.org
Re: Enforcing Cookieless Sessions
Posted by Ben Soares <Be...@ed.ac.uk>.
Thanks very much! This will definitely tie up one of our several loose
ends. We can probably wait for the 2.37 release since we're only in trial
at the moment, and not service.
Cheers,
Ben
On Friday 28 June 2002 21:30, Joshua Chamas wrote:
> Ben Soares wrote:
> > Hello,
> >
> > I've tried the latter suggestion with some success, however I still get
> > problems especially when you reload a page without the session-id.
> > Ideally I would like the absence of a session-id to really reforce a
> > login, but it's still picking up any cookie that may have been set.
> > This could be a problem with public access labs where we have no
> > control over what might be set on browsers, and different users might
> > be wandering up to log in after each
>
> ...
>
> This feature will be implemented with the SessionQueryForce
> config in Apache::ASP 2.37, release date to be determined.
> Let me know if you want my dev version ahead of time.
>
> --Josh
> _________________________________________________________________
> Joshua Chamas Chamas Enterprises Inc.
> NodeWorks Founder Huntington Beach, CA USA
> http://www.nodeworks.com 1-714-625-4051
--
Ben Soares tel: +44 (0)131-651 1238
EDINA, Edinburgh University Data Library fax: +44 (0)131-650 3308
Main Library Building, George Square email: ben.soares@ed.ac.uk
Edinburgh EH8 9LJ, Scotland, UK www: http://edina.ac.uk/
Re: Enforcing Cookieless Sessions
Posted by Joshua Chamas <jo...@chamas.com>.
Ben Soares wrote:
> Hello,
>
> I've tried the latter suggestion with some success, however I still get
> problems especially when you reload a page without the session-id. Ideally I
> would like the absence of a session-id to really reforce a login, but it's
> still picking up any cookie that may have been set. This could be a problem
> with public access labs where we have no control over what might be set on
> browsers, and different users might be wandering up to log in after each
...
This feature will be implemented with the SessionQueryForce
config in Apache::ASP 2.37, release date to be determined.
Let me know if you want my dev version ahead of time.
--Josh
_________________________________________________________________
Joshua Chamas Chamas Enterprises Inc.
NodeWorks Founder Huntington Beach, CA USA
http://www.nodeworks.com 1-714-625-4051
Re: Enforcing Cookieless Sessions
Posted by Ben Soares <Be...@ed.ac.uk>.
Hello,
I've tried the latter suggestion with some success, however I still get
problems especially when you reload a page without the session-id. Ideally I
would like the absence of a session-id to really reforce a login, but it's
still picking up any cookie that may have been set. This could be a problem
with public access labs where we have no control over what might be set on
browsers, and different users might be wandering up to log in after each
other (and naturally failing to logout). Of course we can't stop idiots
wandering off without logging out with someone else picking up their session
immediately, but I'd feel safer without the cookie set!
Thanks!
Ben
On Tue, 14 May, 2002 05:14, Joshua Chamas wrote:
>
> You can use the $Session->Abandon method when a user logs out, or can
> clear the session when processing the login as in
>
> %$Session = ();
> # then set user authentication data
>
> If neither of these cover your case, then we can probably get for you
> a configuration like:
>
> PerlSetVar SessionQueryForce 1
>
> I can see the value in the configuration, but won't do it unless
> there is the need.
>
> --Josh
> _________________________________________________________________
> Joshua Chamas Chamas Enterprises Inc.
> NodeWorks Founder Huntington Beach, CA USA
> http://www.nodeworks.com 1-714-625-4051
--
Ben Soares tel: +44 (0)131-651 1238
EDINA, Edinburgh University Data Library fax: +44 (0)131-650 3308
Main Library Building, George Square email: ben.soares@ed.ac.uk
Edinburgh EH8 9LJ, Scotland, UK www: http://edina.ac.uk/
Re: Enforcing Cookieless Sessions
Posted by Joshua Chamas <jo...@chamas.com>.
Ben Soares wrote:
>
> ...
> One question, I know you can have cookieless sessions if the browser has
> cookies disabled, but I would like to know if you can *force* cookieless
> sessions.
>
> Basically, I am ensuring that the "session-id=$Session->{SessionID}" appears
> in each link/form from each page, and I have set SessionQuery in the
> httpd.conf file (although I have not set SessionQueryParse or
> SessionQueryMatch -- I don't think I need to since I'm doing it "manually").
>
> This all seems to work fine except for my problem: I want a user to be able
> to login again (different user) and start with a new Session. Unfortunately,
> Apache::ASP seems to be setting a cookie regardless and this is interfering
> with my new Session. Naturally I cannot ensure users will have cookies
> disabled in their browser.
>
You can use the $Session->Abandon method when a user logs out, or can
clear the session when processing the login as in

  %$Session = ();
  # then set user authentication data

If neither of these cover your case, then we can probably get for you
a configuration like:

  PerlSetVar SessionQueryForce 1

I can see the value in the configuration, but won't do it unless
there is the need.
--Josh
_________________________________________________________________
Joshua Chamas Chamas Enterprises Inc.
NodeWorks Founder Huntington Beach, CA USA
http://www.nodeworks.com 1-714-625-4051
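
Added example (not part of the original thread and not Apache::ASP's own code): a stand-alone Perl model of the problem discussed above, where a session cookie left on a shared browser is picked up when a request arrives without a session-id, compared with a query-only policy of the kind SessionQueryForce is described as providing. The function names, the in-memory store and the scenario are all hypothetical.

```perl
#!/usr/bin/perl
# Model only: not Apache::ASP internals. All names below are hypothetical.
use strict;
use warnings;

my %store;        # session id => data; stands in for server-side session state
my $counter = 0;  # predictable ids keep the output readable; real ids must be random

sub new_session {
    my $id = sprintf 'sid%04d', ++$counter;
    $store{$id} = {};
    return $id;
}

# $req = { query => id or undef, cookie => id or undef }
# $force_query = 1 models a query-only policy: the cookie is never consulted.
sub resolve_session {
    my ($req, $force_query) = @_;
    my $id = $req->{query};
    $id = $req->{cookie} if !defined $id && !$force_query;   # cookie fallback
    return $id if defined $id && exists $store{$id};
    return new_session();    # missing or unknown id: start an empty session
}

# Login models abandoning whatever session the request arrived with and
# binding the authenticated user to a fresh id.
sub login {
    my ($req, $force_query, $user) = @_;
    delete $store{ resolve_session($req, $force_query) };
    my $id = new_session();
    $store{$id}{user} = $user;
    return $id;
}

sub whoami {
    my ($req, $force_query) = @_;
    my $id = resolve_session($req, $force_query);
    return $store{$id}{user} // 'nobody (login required)';
}

for my $force_query (0, 1) {
    %store = ();
    # Constructed scenario: alice logs in on a lab PC and leaves without logging out.
    my $alice = login({}, $force_query, 'alice');
    # The next visitor requests a page with no session-id in the URL, but the
    # browser still sends whatever cookie it holds.
    my $seen = whoami({ cookie => $alice }, $force_query);
    printf "force_query=%d: next visitor is treated as %s\n", $force_query, $seen;
}
```

Query-only ids also end up in browser history, server and proxy logs and Referer headers, so abandoning the session at logout and keeping SessionTimeout short still matter.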