PerlMonks  

Adding "state" to HTTP

by merlyn (Sage)
on Aug 03, 2000 at 17:09 UTC (node #25967)


in reply to Encrypting or Hiding Certain Info in a URL

Since HTTP is a stateless protocol, the mechanisms for adding "state" (such as "logged in") have to use one or more of the following methods:
  • Mangled URLs (including a session key somewhere in the URL)
  • Basic Authentication (login box, usually managed in the .htaccess file)
  • Hidden fields (if your application goes from one form to another)
  • Cookies (but be sure to provide a way to logout easily, or time it out)
  • Firing off a separate web server for each session (useful in low-volume applications)
Each has advantages and disadvantages. Be sure to steer clear of anyone that advises you to use any of the following:
  • IP address, even if attached to browser type (it's not unique for proxies, and can even change within a single session)
  • The Referer (accessed through $ENV{HTTP_REFERER}) which can be trivially faked and is stripped automatically at some corporate firewalls
  • Any kind of client-side session management using Java or Javascript (some firewalls actually strip this stuff, making your site useless to them, and all security-conscious people have this stuff turned off anyway)
That should get you started. For more information on some of the session topics, see my WebTechniques Perl column archives.

-- Randal L. Schwartz, Perl hacker

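As an added example (not code from merlyn's post, his column, or PerlMonks), here is a minimal server-side session store in Python that pairs with the "Cookies" option above: the cookie carries only an opaque random id, the user data stays on the server, idle sessions time out, and logout invalidates the session server-side rather than just clearing the cookie. `SessionStore`, `cookie_header` and the sample users are hypothetical names chosen for this illustration.

```python
import secrets
import time

# Constructed example of server-side session state for a stateless HTTP app.
SESSION_TIMEOUT = 15 * 60  # seconds of inactivity before a session is dropped


class SessionStore:
    def __init__(self, timeout=SESSION_TIMEOUT, clock=time.time):
        self.timeout = timeout
        self.clock = clock        # injectable so tests can fake the passage of time
        self._sessions = {}       # session id -> {"user": name, "last": last-seen time}

    def login(self, username):
        """Create a session and return the opaque id to send as the cookie value."""
        sid = secrets.token_urlsafe(32)   # 256 random bits: unguessable, carries no data
        self._sessions[sid] = {"user": username, "last": self.clock()}
        return sid

    def user_for(self, sid):
        """Return the user bound to sid, or None if the id is unknown or has idled out."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        now = self.clock()
        if now - sess["last"] > self.timeout:
            del self._sessions[sid]       # idle too long: discard the server-side state
            return None
        sess["last"] = now                # sliding timeout: activity keeps the session alive
        return sess["user"]

    def logout(self, sid):
        """Invalidate the session on the server; return True if one existed."""
        return self._sessions.pop(sid, None) is not None


def cookie_header(sid):
    """Set-Cookie value: script cannot read it, and it is only sent over HTTPS."""
    return f"session={sid}; HttpOnly; Secure; SameSite=Lax; Path=/"
```

A real deployment would persist `_sessions` in a shared store (DBM, a database, and so on) rather than a process-local dict.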
Replies are listed 'Best First'.
Re: Adding "state" to HTTP
by hakkr (Chaplain) on Nov 26, 2001 at 17:40 UTC
    LDAP servers, MySQL and DBM or even plain text files can also be mighty useful for session management. Like the man says, username or email address should be used to retrieve data.
