
Enforcing Cookieless Sessions

  • Ben Soares
    Message 1 of 5, May 10, 2002
      Hi,

      We've been using Apache::ASP to develop one of our projects for the last
      couple of months so far with relative success. Thanks to the Apache::ASP
      developers!

      One question, I know you can have cookieless sessions if the browser has
      cookies disabled, but I would like to know if you can *force* cookieless
      sessions.

      Basically, I am ensuring that the "session-id=$Session->{SessionID}" appears
      in each link/form from each page, and I have set SessionQuery in the
      httpd.conf file (although I have not set SessionQueryParse or
      SessionQueryMatch -- I don't think I need to since I'm doing it "manually").

      This all seems to work fine except for my problem: I want a user to be able
      to login again (different user) and start with a new Session. Unfortunately,
      Apache::ASP seems to be setting a cookie regardless and this is interfering
      with my new Session. Naturally I cannot ensure users will have cookies
      disabled in their browser.

      So, to sum up: is there a way to *stop* Apache::ASP setting the session-id
      cookie?

      Thanks for any help,

      Ben
      --
      Ben Soares tel: +44 (0)131-651 1238
      EDINA, Edinburgh University Data Library fax: +44 (0)131-650 3308
      Main Library Building, George Square email: ben.soares@...
      Edinburgh EH8 9LJ, Scotland, UK www: http://edina.ac.uk/


      ---------------------------------------------------------------------
      To unsubscribe, e-mail: asp-unsubscribe@...
      For additional commands, e-mail: asp-help@...
    • Joshua Chamas
      Message 2 of 5, May 13, 2002
        Ben Soares wrote:
        >
        > ...
        > One question, I know you can have cookieless sessions if the browser has
        > cookies disabled, but I would like to know if you can *force* cookieless
        > sessions.
        >
        > Basically, I am ensuring that the "session-id=$Session->{SessionID}" appears
        > in each link/form from each page, and I have set SessionQuery in the
        > httpd.conf file (although I have not set SessionQueryParse or
        > SessionQueryMatch -- I don't think I need to since I'm doing it "manually").
        >
        > This all seems to work fine except for my problem: I want a user to be able
        > to login again (different user) and start with a new Session. Unfortunately,
        > Apache::ASP seems to be setting a cookie regardless and this is interfering
        > with my new Session. Naturally I cannot ensure users will have cookies
        > disabled in their browser.
        >

        You can use the $Session->Abandon method when a user logs out, or can
        clear the session when processing the login as in

        %$Session = ();
        # then set user authentication data

        If neither of these cover your case, then we can probably get for you
        a configuration like:

        PerlSetVar SessionQueryForce 1

        I can see the value in the configuration, but won't do it unless
        there is the need.

        --Josh
        _________________________________________________________________
        Joshua Chamas Chamas Enterprises Inc.
        NodeWorks Founder Huntington Beach, CA USA
        http://www.nodeworks.com 1-714-625-4051

      • Ben Soares
        Message 3 of 5, May 17, 2002
          Hello,

          I've tried the latter suggestion with some success, however I still get
          problems especially when you reload a page without the session-id. Ideally I
          would like the absence of a session-id to really reforce a login, but it's
          still picking up any cookie that may have been set. This could be a problem
          with public access labs where we have no control over what might be set on
          browsers, and different users might be wandering up to log in after each
          other (and naturally failing to logout). Of course we can't stop idiots
          wandering off without logging out with someone else picking up their session
          immediately, but I'd feel safer without the cookie set!

          Thanks!

          Ben


          On Tue, 14 May, 2002 05:14, Joshua Chamas wrote:
          >
          > You can use the $Session->Abandon method when a user logs out, or can
          > clear the session when processing the login as in
          >
          > %$Session = ();
          > # then set user authentication data
          >
          > If neither of these cover your case, then we can probably get for you
          > a configuration like:
          >
          > PerlSetVar SessionQueryForce 1
          >
          > I can see the value in the configuration, but won't do it unless
          > there is the need.
          >
          > --Josh
          > _________________________________________________________________
          > Joshua Chamas Chamas Enterprises Inc.
          > NodeWorks Founder Huntington Beach, CA USA
          > http://www.nodeworks.com 1-714-625-4051

          --
          Ben Soares tel: +44 (0)131-651 1238
          EDINA, Edinburgh University Data Library fax: +44 (0)131-650 3308
          Main Library Building, George Square email: ben.soares@...
          Edinburgh EH8 9LJ, Scotland, UK www: http://edina.ac.uk/


        • Joshua Chamas
          Message 4 of 5, Jun 28, 2002
            Ben Soares wrote:
            > Hello,
            >
            > I've tried the latter suggestion with some success, however I still get
            > problems especially when you reload a page without the session-id. Ideally I
            > would like the absence of a session-id to really reforce a login, but it's
            > still picking up any cookie that may have been set. This could be a problem
            > with public access labs where we have no control over what might be set on
            > browsers, and different users might be wandering up to log in after each
            ...

            This feature will be implemented with the SessionQueryForce
            config in Apache::ASP 2.37, release date to be determined.
            Let me know if you want my dev version ahead of time.

            --Josh
            _________________________________________________________________
            Joshua Chamas Chamas Enterprises Inc.
            NodeWorks Founder Huntington Beach, CA USA
            http://www.nodeworks.com 1-714-625-4051
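
The shared-lab problem described in this thread, as an added example that is not part of the original posts and is not Apache::ASP's code: a simplified Python model of a server choosing a session id from the query string or a cookie, with `query_force` standing in for the proposed SessionQueryForce behaviour. The `SessionStore` class, the function names and the user name are constructed for illustration.

```python
import secrets


class SessionStore:
    """Toy server-side session table: session id -> dict of session data."""

    def __init__(self):
        self.sessions = {}

    def create(self):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {}
        return sid


def resolve_session(store, query, cookies, query_force):
    """Return (session_id, cookie_to_set) for one request.

    query and cookies are dicts as parsed from the request.
    With query_force set, a session-id cookie is neither read nor written.
    """
    sid = query.get("session-id")
    if sid is None and not query_force:
        sid = cookies.get("session-id")   # cookie fallback the poster wants disabled
    if sid not in store.sessions:
        sid = store.create()              # missing or unknown id: start a fresh session
    cookie_to_set = None if query_force else sid
    return sid, cookie_to_set


def lab_scenario(query_force):
    """User A logs in on a shared browser and walks away; user B then
    requests a URL with no session-id. Returns the user that B's request
    is treated as (None means B must log in)."""
    store = SessionStore()
    browser_cookies = {}                  # cookie jar of the shared lab browser

    sid_a, cookie = resolve_session(store, {}, browser_cookies, query_force)
    if cookie:
        browser_cookies["session-id"] = cookie
    store.sessions[sid_a]["user"] = "alice"   # constructed login for user A

    sid_b, _ = resolve_session(store, {}, browser_cookies, query_force)
    return store.sessions[sid_b].get("user")
```

Query-string session ids remain visible in the browser history and address bar, so on shared machines abandoning the session at logout still matters with the cookie disabled.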


          • Ben Soares
            Message 5 of 5, Jun 28, 2002
              Thanks very much! This will definitely tie up one of our several loose
              ends. We can probably wait for the 2.37 release since we're only in trial
              at the moment, and not service.

              Cheers,

              Ben


              On Friday 28 June 2002 21:30, Joshua Chamas wrote:
              > Ben Soares wrote:
              > > Hello,
              > >
              > > I've tried the latter suggestion with some success, however I still get
              > > problems especially when you reload a page without the session-id.
              > > Ideally I would like the absence of a session-id to really reforce a
              > > login, but it's still picking up any cookie that may have been set.
              > > This could be a problem with public access labs where we have no
              > > control over what might be set on browsers, and different users might
              > > be wandering up to log in after each
              >
              > ...
              >
              > This feature will be implemented with the SessionQueryForce
              > config in Apache::ASP 2.37, release date to be determined.
              > Let me know if you want my dev version ahead of time.
              >
              > --Josh
              > _________________________________________________________________
              > Joshua Chamas Chamas Enterprises Inc.
              > NodeWorks Founder Huntington Beach, CA USA
              > http://www.nodeworks.com 1-714-625-4051

              --
              Ben Soares tel: +44 (0)131-651 1238
              EDINA, Edinburgh University Data Library fax: +44 (0)131-650 3308
              Main Library Building, George Square email: ben.soares@...
              Edinburgh EH8 9LJ, Scotland, UK www: http://edina.ac.uk/

