in reply to question on program flow and checking for cgi-session
1. If your script sends a session id, everyone who visits the script would get a session id.
Answers are reversed to make it a little easier.
3. Usually the session id is sent through the answer HTTP header as a cookie. It is designed to be a 32 byte random number, which makes a hijack of someone else's session more difficult. Then when a user progresses through the site the user sends back the 32 byte number to mark a valid session. So when the script receives a session number it should not send a new session cookie. The received cookie is set up to compare to session data stored on the server, usually in a tmp-file.
2. The session file should just hold a user_id, so if the session-tmp-file exists on a particular session the user_id could be retrieved through the file.
Also if you don't want to have a sessionfile you could hold the session information in the db.
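
The flow described in the post above, as an added example that is not part of the original post and is not CGI::Session's own code. It uses only core Perl; the helper names, the `sess_` file prefix, the hex encoding of the 32 bytes and the use of `/dev/urandom` (a Unix-like host) are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);

# Assumption: a private temp dir stands in for the server's session directory.
my $SESSION_DIR = tempdir(CLEANUP => 1);

# 32 random bytes from the OS CSPRNG, hex-encoded so they fit in a cookie.
sub new_session_id {
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    my $n = read($fh, my $buf, 32);
    close $fh;
    die "short read from urandom" unless defined $n && $n == 32;
    return unpack 'H*', $buf;
}

# Only a value in exactly the format we issue may become a file name.
sub session_path {
    my ($sid) = @_;
    return unless defined $sid && $sid =~ /\A[0-9a-f]{64}\z/;
    return File::Spec->catfile($SESSION_DIR, "sess_$sid");
}

# After a successful login: store the user_id server-side, return the id.
sub create_session {
    my ($user_id) = @_;
    my $sid = new_session_id();
    my $old = umask 0077;    # session file readable by the script's user only
    open my $fh, '>', session_path($sid) or die "session file: $!";
    umask $old;
    print {$fh} "$user_id\n";
    close $fh or die "session file: $!";
    return $sid;
}

# On every request: map the received cookie value to a user_id, or undef.
sub lookup_user {
    my ($sid) = @_;
    my $path = session_path($sid) or return;
    open my $fh, '<', $path or return;    # no such session on the server
    my $user_id = <$fh>;
    close $fh;
    return unless defined $user_id;
    chomp $user_id;
    return length($user_id) ? $user_id : undef;
}

# Constructed sample cookies: a valid one, a guessed one, a path-like one.
my $sid = create_session(42);
for my $cookie ($sid, 'f' x 64, '../../etc/passwd') {
    my $uid = lookup_user($cookie);
    print defined $uid ? "valid session, user_id=$uid, no new cookie sent\n"
                       : "no valid session, user must log in\n";
}
```

A session id is issued only by `create_session` after login; a cookie that does not match a stored session is rejected rather than silently replaced, and the format check keeps a crafted cookie value from reaching the file system as a path.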
Re^2: question on program flow and checking for cgi-session
by cranberry13 (Beadle) on Jul 14, 2004 at 17:51 UTC
by JanneVee (Friar) on Jul 14, 2004 at 17:56 UTC