[nycphp-talk] to rewrite or not to rewrite URLs...

David Mintz dmintz at panix.com
Tue Aug 5 17:38:02 EDT 2003


Now you got me thinking again (damn!). I have in place right now a sort of
poor-man's de facto session time-out. I am using a private directory to
save sessions (and wrapping the script to run as me in cgi mode, and
setting file permission restrictively, because it's a shared server and
there are security considerations). Old serialized session files
accumulate indefinitely unless I do something. So I have a daily cron
job/shell script that deletes all the session files whose last access
times are greater than x. I figure this is better than nothing. OTOH I
will give your code a look.

Interesting, two of our gurus (Hans and you) take different approaches to
this.  How about a debate, guys?

On Tue, 5 Aug 2003, Analysis & Solutions wrote:

> Hi Folks:
>
> On Fri, Jul 18, 2003 at 02:53:35PM -0400, David Mintz wrote:
> >
> > Do you guys use URL rewriting to ensure that the session id is propagated
> > from page to page even if the user refuses your cookie?
>
> Yes.  It guarantees access to your resources.  I don't even bother with
> cookies, because managing them differs slightly from browser to browser.
> Even if users accept one cookie from you, there's no guarantee they'll
> continue to do so, thus, it's difficult to manage sessions reliably with
> them.
>
>
> > I've read somewhere that it can cause 'confusion' or 'problems' if the
> > user bookmarks a URL with a session id in the query string, and tries to
> > access the page after the session is over, but those readings did not say
> > whether you should really worry about it or what the worst case scenario
> > is.
>
> This can happen with cookie based sessions too if the cookie hasn't
> expired or been deleted by the next time the user arrives.
>
> It's not a problem if you structure your system effectively.  The way to
> handle situations like these is to have your session system keep track of
> the last time the session was used.  If it's longer than your timeout,
> kill the old session and start a new one... and if the current page
> requires authorization, don't show them the stuff.
>
> I just whipped up a new session manager which takes advantage of PHP's
> transparent session id propagation, plus some other handy tricks.  It's
> available on my website:
>    http://www.analysisandsolutions.com/software/session-simple/
>
> I'd love to get some peer review on the program, so please check it out.
>
> Enjoy,
>
> --Dan
>
> --
>      FREE scripts that make web and database programming easier
>            http://www.analysisandsolutions.com/software/
>  T H E   A N A L Y S I S   A N D   S O L U T I O N S   C O M P A N Y
>  4015 7th Ave #4AJ, Brooklyn NY    v: 718-854-0335   f: 718-854-0409
> _______________________________________________
> talk mailing list
> talk at lists.nyphp.org
> http://lists.nyphp.org/mailman/listinfo/talk
>


---
David Mintz
http://davidmintz.org/
Email: See http://dmintzweb.com/whitelist.php first!

Decibels of sound pressure employed by a new "thermoacoustic" refrigerator: 190
Decibels of sound pressure sufficient to ignite a person's hair: 165

	-- Harper's Index, February 2003

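Worked example of the approach Dan describes above (track the last time the session was used, kill a stale session and start a fresh one, and refuse to render authorized pages without a login), written for a modern PHP. This is an added illustration, not code from the original thread or from the session-simple package; the key names, the 30-minute timeout, the `/login.php` URL and the PHP 7.1+ syntax are all assumptions made here. It keeps PHP's transparent id propagation available as the fallback for cookie-refusing clients, as discussed in the thread, while still preferring cookies when the client accepts them.

```php
<?php
// Added example; not from the original thread. Assumes PHP >= 7.1 and the
// standard "files" session handler. Key names and values are arbitrary.

// Allow URL rewriting as a fallback for clients that refuse cookies, but keep
// cookies as the primary carrier. These must be set before session_start().
ini_set('session.use_only_cookies', '0');
ini_set('session.use_trans_sid', '1');
ini_set('session.use_strict_mode', '1');    // ignore ids this server never issued
ini_set('session.gc_maxlifetime', '1800');  // server-side GC of idle session files

/**
 * Start the session and enforce an idle timeout based on the last time the
 * session was actually used (not on file access time, which some mounts
 * do not update). Returns true when the caller got a brand-new session,
 * false when an existing live session was continued.
 */
function start_session_with_timeout(int $timeout = 1800): bool
{
    session_start();
    $now = time();

    if (isset($_SESSION['last_used']) && ($now - $_SESSION['last_used']) > $timeout) {
        // Stale session, e.g. a bookmarked URL carrying an old id: drop the
        // data and issue a new id, deleting the old session file (true).
        $_SESSION = [];
        session_regenerate_id(true);
        $_SESSION['last_used'] = $now;
        return true;
    }

    $fresh = !isset($_SESSION['last_used']);
    if ($fresh) {
        // First request of a new session: do not keep whatever id arrived in
        // the query string; hand out one this server generated itself.
        session_regenerate_id(true);
    }
    $_SESSION['last_used'] = $now;
    return $fresh;
}

/**
 * Gate for pages that require authorization. After a timeout the 'user'
 * key no longer exists, so the page shows nothing and redirects instead.
 */
function require_login(string $login_url = '/login.php'): void
{
    if (empty($_SESSION['user'])) {
        header('Location: ' . $login_url, true, 303);
        exit;
    }
}

start_session_with_timeout(1800);
require_login();
echo 'Hello, ' . htmlspecialchars($_SESSION['user'], ENT_QUOTES, 'UTF-8');
```

Two notes on the design. The timestamp lives inside the session data rather than in file metadata, so the check gives the same answer regardless of how the host mounts the session directory. And because an id carried in the URL also ends up in bookmarks, browser history and proxy logs, the code regenerates the id whenever a session starts or expires, so an old id found in one of those places stops being useful as soon as the idle window passes.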

