From: Boris Z. <bz...@2b...> - 2004-07-13 10:50:26
Hi Sean,

On Tuesday 13 July 2004 08:28, Sean Lee wrote:
> Hello Group,
>
> I was wondering why pagekit maintains 2 different cookies and manages 2
> different session data (if I'm right about this). For users that are
> logged in and that are not. Is there any reason, let it be security, or any
> other reason for this?

Yes, it is security. For a user that is logged in, the user info is used to validate the cookie. This is to protect you against guessed cookies, or login as someone else.

> If I set not to expire cookie by putting (+100y) in config, visitor session
> cookie will stay for that long, but when they login and logout they get
> reset anyways to new session, so I don't know what is the good thing about
> setting it long. And is there any way to have authenticate session to not
> to expire?

Either you use apache2 with a broken libapreq2, or you did not use pkit_remember; just add it to your login as a hidden parameter.
http://pagekit.org/guide/ch02s04.html

> So much stuff about pagekit session management doesn't really make good
> sense to me. Can someone explain why it was implemented that way
> (maintaining 2 different sessions for logged in and not logged in) in
> detail? Or is there a good practical way to have only one session for
> pagekit?

Maybe you can modify pkit_auth_credential and pkit_auth_session_key to share the same cookie (server side), but you lose the validation that this cookie is valid only for this user! Also note that by default the session data from the anon session is carried over to the logged-in user's session, so there is no loss of data. Just the desired no way back to the anon session.

> Thank you
> Sean

--
Boris
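The design Boris describes (an anonymous session that is replaced by a fresh, user-bound session at login, with the anonymous data carried over and no way back to the old id) is shown below as an added, language-neutral illustration in Python. It is not PageKit's code (PageKit is a Perl framework, and its pkit_auth_credential / pkit_auth_session_key hooks and pkit_remember parameter are not modelled here); the class and method names, the cookie layout `sid:user:mac`, and the server key are all assumptions constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed demo secret; a real deployment loads it from server-side config.
SERVER_KEY = b"constructed-demo-key-not-for-production"


class SessionStore:
    """Two kinds of sessions, as in the thread above:
    - anonymous: the cookie carries only a random session id;
    - authenticated: the cookie carries id, user and an HMAC binding the two,
      so a guessed or borrowed id cannot be presented as another user.
    Usernames must not contain ':' because it is the cookie field separator.
    """

    def __init__(self, key=SERVER_KEY):
        self.key = key
        # session_id -> {"user": None or str, "data": dict}
        self.sessions = {}

    def new_anon(self):
        """Start an anonymous session and return its id (the cookie value)."""
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": None, "data": {}}
        return sid

    def _mac(self, sid, user):
        # Server-side key binds the session id to the user it was issued for.
        msg = f"{sid}:{user}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def login(self, anon_sid, user):
        """Issue a fresh authenticated session. The anonymous session's data
        is carried over and the anonymous id is retired, so the old cookie
        can no longer be used (the 'no way back' behaviour)."""
        carried = self.sessions.pop(anon_sid, {"data": {}})["data"]
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": user, "data": dict(carried)}
        return f"{sid}:{user}:{self._mac(sid, user)}"

    def resolve_auth(self, cookie):
        """Return (user, data) for a valid authenticated cookie, else None.
        Both the MAC and the server-side user binding must match."""
        parts = cookie.split(":")
        if len(parts) != 3:
            return None
        sid, user, mac = parts
        if not hmac.compare_digest(mac, self._mac(sid, user)):
            return None
        entry = self.sessions.get(sid)
        if entry is None or entry["user"] != user:
            return None
        return user, entry["data"]

    def logout(self, cookie):
        """Destroy the authenticated session and hand out a brand-new
        anonymous id; returns None if the cookie was not valid."""
        if self.resolve_auth(cookie) is None:
            return None
        sid = cookie.split(":")[0]
        del self.sessions[sid]
        return self.new_anon()
```

Presenting a forged cookie with the user field changed, or a random id with a copied MAC, fails `resolve_auth` because the MAC is computed over both fields with a key the client never sees, and because the store itself records which user the id was issued to; this is the validation Boris says is lost if both session kinds share one unbound cookie.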