[nycphp-talk] to rewrite or not to rewrite URLs...
dmintz at panix.com
Tue Aug 5 17:38:02 EDT 2003
Now you got me thinking again (damn!). I have in place right now a sort of
poor-man's de facto session time-out. I am using a private directory to
save sessions (and wrapping the script to run as me in cgi mode, and
setting file permission restrictively, because it's a shared server and
there are security considerations). Old serialized session files
accumulate indefinitely unless I do something. So I have a daily cron
job/shell script that deletes all the session files whose last access
times are greater than x. I figure this is better than nothing. OTOH I
will give your code a look.
Interesting, two of our gurus (Hans and you) take different approaches to
this. How about a debate, guys?
On Tue, 5 Aug 2003, Analysis & Solutions wrote:
> Hi Folks:
> On Fri, Jul 18, 2003 at 02:53:35PM -0400, David Mintz wrote:
> > Do you guys use URL rewriting to ensure that the session id is propagated
> > from page to page even if the user refuses your cookie?
> Yes. It guarantees access to your resources. I don't even bother with
> cookies, because managing them differs slightly from browser to browser.
> Even if users accept one cookie from you, there's no guarantee they'll
> continue to do so, thus, it's difficult to manage sessions reliably with
> > I've read somewhere that it can cause 'confusion' or 'problems' if the
> > user bookmarks a URL with a session id in the query string, and tries to
> > access the page after the session is over, but those readings did not say
> > whether you should really worry about it or what the worst case scenario
> > is.
> This can happen with cookie based sessions too if the cookie hasn't
> expired or been deleted by the next time the user arrives.
> It's not a problem if you structure your system effectively. The way to
> handle situations like these is to have your session system keep track of
> the last time the session was used. If it's longer than your timeout,
> kill the old session and start a new one... and if the current page
> requires authorization, don't show them the stuff.
> I just whipped up a new session manager which takes advantage of PHP's
> transparent session id propagation, plus some other handy tricks. It's
> available on my website:
> I'd love to get some peer review on the program, so please check it out.
> FREE scripts that make web and database programming easier
> T H E A N A L Y S I S A N D S O L U T I O N S C O M P A N Y
> 4015 7th Ave #4AJ, Brooklyn NY v: 718-854-0335 f: 718-854-0409
> talk mailing list
> talk at lists.nyphp.org
Email: See http://dmintzweb.com/whitelist.php first!
Decibels of sound pressure employed by a new "thermoacoustic" refrigerator: 190
Decibels of sound pressure sufficient to ignite a person's hair: 165
-- Harper's Index, February 2003
More information about the talk