HTTP Sessions

John Evans evansj at kilnar.com
Fri Dec 7 13:25:41 CST 2001


On Fri, 7 Dec 2001, Matthew J. Long wrote:

> Seems like there's a lot of different modules for creating sessions
> for a CGI. Can anyone recommend the best way to implement sessions
> considering that I don't have root access to my web server (hosted)?
>

I've done it two separate ways:
1) Use the session id as part of the URL and parse it in every page.
Creates extra work for the server and is a pain to deal with. You have to
make sure that every page has the SID=39hdi0923h (or whatever) string in
it. You also have to have a way of storing the session data on the server.
I typically use MySQL for that, but a flat file or hashed file should work
just fine.

2) Use the HTTP/1.1 header REMOTE_USER variable to determine who they are
and build a page accordingly. No session files to worry about. The only
problem with this is that every user must be authenticated via HTTP. Not a
big deal, but you have to maintain the .htpasswd file and no one can log
in anonymously unless you explicitly give them a guest account.


After building several sites using both methods, I must say that the
REMOTE_USER method was the simplest. All of the sites had a "user manager"
screen that the admins could use to add/edit/delete users. The hardest
part was getting the .htpasswd file parsed and changed when a user's
password was changed. Adding a user was easy and deleting users was easy,
but the password change bit was a trick. Once that small hurdle was
overcome, the rest of the process was cake.

You can also use cookies, but (like Keary said) people can turn those off.
To avoid those issues, I don't like to use cookies if I can help it.


One note: Regardless of which method you use, make sure you store your
sessions file and password file outside the document root so that people
can't download it via the web browser. If someone gets the session file,
they can hijack other people's sessions and imitate them.


> p.s. Did I miss a meeting yesterday? I don't remember seeing any
> messages on it.

I didn't get any emails on it either. Perhaps next month.

-- 
John Evans
http://evansj.kilnar.com/

-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
GCS d- s++:- a- C+++>++++ ULSB++++$ P+++$ L++++$
E--- W++ N+ o? K? w O- M V PS+ !PE Y+ PGP t(--) 5-- X++(+++)
R+++ tv+ b+++(++++) DI+++ D++>+++ G+ e h--- r+++ y+++
------END GEEK CODE BLOCK------
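Added example, not part of John's message or anything from the list: the server-side pieces behind method 1 (an unguessable SID carried in the URL with the session data kept on the server) and the .htpasswd add/change handling behind method 2, written in Python rather than the Perl this list is about so the logic can be followed line by line. It assumes a hosted account laid out as `public_html` for the document root with `sessions/` and `.htpasswd` one level above it (hypothetical paths, built in a throwaway directory by `demo()`), uses Apache's `{SHA}` password format (what `htpasswd -s` writes: unsalted SHA-1, chosen only because it needs no third-party library), and constructs its own sample user and session data. Function names such as `session_path`, `set_password` and `is_outside_document_root` are this example's own.

```python
import base64
import hashlib
import os
import re
import secrets
import tempfile

SID_RE = re.compile(r"[A-Za-z0-9_-]{43}")       # exactly what token_urlsafe(32) emits
USER_RE = re.compile(r"[A-Za-z0-9._@-]{1,64}")  # no ':' or newline in a username

def new_session_id():
    # 32 bytes from the OS CSPRNG; a sequential or time-based SID is guessable.
    return secrets.token_urlsafe(32)

def session_path(session_dir, sid):
    # The SID arrives in the URL, so it is attacker-controlled: reject anything
    # that is not a token we issued before it becomes part of a file name.
    if not SID_RE.fullmatch(sid):
        raise ValueError("malformed session id")
    return os.path.join(session_dir, sid)

def save_session(session_dir, sid, data):
    path = session_path(session_dir, sid)
    fd, tmp = tempfile.mkstemp(dir=session_dir)
    with os.fdopen(fd, "w") as f:
        f.write("".join(f"{k}={v}\n" for k, v in sorted(data.items())))
    os.chmod(tmp, 0o600)   # readable by the CGI's user only
    os.replace(tmp, path)  # atomic: no half-written session is ever visible

def load_session(session_dir, sid):
    try:
        with open(session_path(session_dir, sid)) as f:
            return dict(line.split("=", 1) for line in f.read().splitlines() if "=" in line)
    except (ValueError, FileNotFoundError):
        return None

def is_outside_document_root(path, doc_root):
    real, root = os.path.realpath(path), os.path.realpath(doc_root)
    return os.path.commonpath([real, root]) != root

def sha_hash(password):
    # Apache's "{SHA}" format (htpasswd -s): base64 of unsalted SHA-1. Used here
    # only because it needs nothing beyond the standard library; prefer bcrypt
    # (htpasswd -B) on a real site.
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()

def read_htpasswd(path):
    users = {}
    if os.path.exists(path):
        with open(path) as f:
            for line in f:
                if ":" in line and not line.startswith("#"):
                    user, h = line.rstrip("\n").split(":", 1)
                    users[user] = h
    return users

def set_password(path, user, password):
    # Add or change: rewrite the whole file atomically instead of editing in place.
    if not USER_RE.fullmatch(user):
        raise ValueError("bad username")
    users = read_htpasswd(path)
    users[user] = sha_hash(password)
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as f:
        f.write("".join(f"{u}:{users[u]}\n" for u in sorted(users)))
    os.chmod(tmp, 0o600)
    os.replace(tmp, path)

def check_password(path, user, password):
    h = read_htpasswd(path).get(user, "")
    return h.startswith("{SHA}") and secrets.compare_digest(h, sha_hash(password))

def demo():
    # Constructed end-to-end run in a throwaway directory, standing in for a
    # hosted account where public_html is the document root (hypothetical layout).
    base = tempfile.mkdtemp()
    doc_root, session_dir = os.path.join(base, "public_html"), os.path.join(base, "sessions")
    htpasswd = os.path.join(base, ".htpasswd")
    os.makedirs(doc_root)
    os.makedirs(session_dir, mode=0o700)
    sid = new_session_id()
    save_session(session_dir, sid, {"user": "mlong", "cart": "3"})
    set_password(htpasswd, "mlong", "first-pass")
    set_password(htpasswd, "mlong", "second-pass")  # the password-change case
    return {
        "sid_len": len(sid),
        "session": load_session(session_dir, sid),
        "traversal_rejected": load_session(session_dir, "../.htpasswd") is None,
        "unknown_sid": load_session(session_dir, new_session_id()) is None,
        "old_pass": check_password(htpasswd, "mlong", "first-pass"),
        "new_pass": check_password(htpasswd, "mlong", "second-pass"),
        "users": sorted(read_htpasswd(htpasswd)),
        "files_outside_root": is_outside_document_root(session_dir, doc_root)
        and is_outside_document_root(htpasswd, doc_root),
        "index_inside_root": is_outside_document_root(os.path.join(doc_root, "index.cgi"), doc_root),
    }
```

Two checks worth taking from it: the SID comes off the URL, so it is matched against the exact alphabet `token_urlsafe` produces before it is joined to a path (otherwise `SID=../.htpasswd` reads the password file), and both files are rewritten through a temporary file plus `os.replace`, so a crash mid-write never leaves a truncated `.htpasswd` that locks every user out.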