PerlMonks |
Re: Tired of session/cookie problem by ejf (Hermit)
on Apr 25, 2002 at 13:54 UTC [id://161950]
A nice table you have there :) It is worth noting, however, that your solution to "Protect against malicious user enter into someone else's active session" is spotty. Yes, you can mark in a database whether or not a browser supports cookies (or has them disabled or whatever), but if it HAS them disabled and the person using it is sending the URL to a friend, the session is now for two people. Basically, to work right in every instance, this system /needs/ cookies, and is therefore subject to the constraints for the cookie-based approach.
It is also difficult to "just remember" a URL in this case; it is certainly easier to remember

Maybe a system where cookie-based session management is the standard and your system is optionally available (in case cookies are disabled) would be good. This does not solve your problem with multiple sessions in multiple windows. One way this could be achieved is to let the user decide at the login screen whether or not an additional session should be created; it really is not all that common that one single user will want to work on two accounts in the same browser. As your example points out, this functionality is most suited for the administrator. He could also just open another browser and be done with it.

Ultimately, it all depends on the application you need this session management for. For most things, cookie-based authentication is sufficient (after all, many browsers now let the user decide which cookies to accept and which to drop), and where it isn't, you can transparently exchange it with your scheme or even use a combination of both.

Finally, I personally much prefer static-looking URLs (for remembering) and short paths (so that the whole URL fits into the address bar). But that's just me ;)
In Section: Meditations
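The failure mode ejf describes above, as an added example that is not part of the original thread and not code by any of its participants: a toy server-side session store that prefers a cookie-carried session ID and falls back to a URL-carried one only for sessions flagged "cookie-less" at login, as the scheme under discussion does. The `Request`, `Session` and `SessionStore` classes, the `sid` cookie and parameter names, and the `demo()` scenario are all assumptions made here for illustration. Replaying the post's scenario shows why the flag does not help: the cookie-less session is still a bearer token in the URL, so whoever receives the URL receives the session, while a cookie-bound session cannot be handed over by pasting a URL at all.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """Minimal stand-in for an HTTP request: query parameters and cookies (assumed shape)."""
    params: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


@dataclass
class Session:
    user: str
    # Recorded at login: does this browser accept cookies? This is the
    # per-browser flag the scheme in the thread keeps in its database.
    cookie_capable: bool


class SessionStore:
    """Hypothetical server-side store mapping session IDs to sessions."""

    COOKIE_NAME = "sid"   # assumed cookie name
    PARAM_NAME = "sid"    # assumed URL parameter name

    def __init__(self):
        self._sessions = {}

    def login(self, user, cookie_capable):
        """Create a session and return its ID.

        A cookie-capable browser is handed the ID only as a cookie; a
        cookie-less browser gets it as a URL parameter, which is exactly
        what turns the URL into a bearer token that travels with copy-paste.
        """
        sid = secrets.token_urlsafe(32)   # unguessable, so only leakage matters
        self._sessions[sid] = Session(user, cookie_capable)
        return sid

    def resolve(self, req):
        """Return the user owning the session this request carries, else None."""
        # The cookie always wins; it never appears in a shared URL.
        sid = req.cookies.get(self.COOKIE_NAME)
        if sid in self._sessions:
            return self._sessions[sid].user
        # URL fallback only for sessions flagged cookie-less at login.
        sid = req.params.get(self.PARAM_NAME)
        sess = self._sessions.get(sid)
        if sess is not None and not sess.cookie_capable:
            return sess.user
        return None


def demo():
    """Replay the post's scenario and return who each request resolves to."""
    store = SessionStore()

    # Alice's browser has cookies disabled, so her session ID rides in the URL.
    alice_sid = store.login("alice", cookie_capable=False)
    alice_req = Request(params={"sid": alice_sid})

    # Alice pastes that URL into a mail; her friend's browser sends the same query string.
    friend_req = Request(params={"sid": alice_sid})

    # Bob's browser accepts cookies, so his session ID is cookie-only.
    bob_sid = store.login("bob", cookie_capable=True)
    bob_req = Request(cookies={"sid": bob_sid})

    # Someone who learns Bob's ID and puts it in a URL is refused:
    # his session is not resolvable from a query string.
    bob_url_req = Request(params={"sid": bob_sid})

    return {
        "alice": store.resolve(alice_req),
        "alice_friend": store.resolve(friend_req),   # same session as Alice
        "bob": store.resolve(bob_req),
        "bob_via_url": store.resolve(bob_url_req),   # refused
    }


if __name__ == "__main__":
    for who, user in demo().items():
        print(f"{who:13s} -> {user}")
```

Running it prints `alice_friend -> alice`: the friend is inside Alice's session with nothing more than the forwarded URL, which is the "session is now for two people" case. `bob_via_url -> None` is the cookie-based half of the argument: marking browsers as cookie-capable protects only the users who had cookies anyway, so the scheme's guarantee ultimately rests on cookies.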