Thread: [Phplib-users] No session_id or cookie if not authenticated.. how?
From: Aric C. <gre...@pe...> - 2002-12-03 20:59:55
OK this may be simple but it's eluding me:

I have a single entry page for my application.

I want parts of it protected, depending on what parameters are passed to it.

The unprotected parts I want accessible and not have a cookie set or a session id put into all the urls. IE, having the default auth to 'nobody' isn't what I want.

How can I get it to *only* make a cookie/add session id's when somebody has actually really logged in?
From: <li...@ye...> - 2002-12-03 22:46:52
Quoting Aric Caley <gre...@pe...>:

> OK this may be simple but it's eluding me:
>
> I have a single entry page for my application.
>
> I want parts of it protected, depending on what parameters are passed to
> it.
>
> The unprotected parts I want accessible and not have a cookie set or a
> session id put into all the urls. IE, having the default auth to 'nobody'
> isn't what I want.
>
> How can I get it to *only* make a cookie/add session id's when somebody has
> actually really logged in?
>

Easiest way would be to only use page_open on pages you want to protect.

The session would only be created first time someone hit one of these pages and auth timeouts could occur more often but it could work depending on your application.

matt
From: Richard A. <rh...@ju...> - 2002-12-03 23:53:53
At 17:47 -0500 3/12/02, li...@ye... wrote:

>Easiest way would be to only use page_open on pages you want to protect.
>
>The session would only be created first time someone hit one of these pages and
>auth timeouts could occur more often but it could work depending on your
>application.

And if a non-cookie user leaves the protected part of the site (e.g. they click on the Home button) they will lose their session. That would be a disaster in a shopping cart environment, but may not matter in other instances.

...R.
From: Aric C. <gre...@pe...> - 2002-12-04 00:11:58
And it's a shopping cart I work on.

All pages are accessed through one php script, index.php. What page is actually shown to the user depends on what is passed to the script (IE, "index.php?page=cellphones/nokia").

What I want to do is just like having the default auth to 'nobody', but I don't want any cookies sent or session_id's in urls until the user logs in, or actually also until a user does something like add an item to the cart.

I guess what I have to do is check my parameters first and then call page_open() only when needed, but then like you say the session gets lost when a user goes to an unprotected area. So I'd have to also check if the user already has a session and call page_open() if so.

This is oh-so-confusing.

----- Original Message -----
From: "Richard Archer" <rh...@ju...>
To: <php...@li...>
Sent: Tuesday, December 03, 2002 3:47 PM
Subject: Re: [Phplib-users] No session_id or cookie if not authenticated.. how?

> At 17:47 -0500 3/12/02, li...@ye... wrote:
>
> >Easiest way would be to only use page_open on pages you want to protect.
> >
> >The session would only be created first time someone hit one of these pages and
> >auth timeouts could occur more often but it could work depending on your
> >application.
>
> And if a non-cookie user leaves the protected part of the site (e.g.
> they click on the Home button) they will lose their session. That
> would be a disaster in a shopping cart environment, but may not
> matter in other instances.
>
> ...R.
>
> _______________________________________________
> Phplib-users mailing list
> Php...@li...
> https://lists.sourceforge.net/lists/listinfo/phplib-users
From: Richard A. <rh...@ju...> - 2002-12-04 00:45:42
At 16:11 -0800 3/12/02, Aric Caley wrote:

>So I'd have to also check if the
>user already has a session and call page_open() if so.

Yup. That would do the job nicely :)

...R.
From: Aric C. <gre...@pe...> - 2002-12-04 02:47:24
And to do that, I'd have to check the URL for a session_id (should be the name of the class, right?) and check for the cookie.

Also, I guess everywhere that I am using $sess->url() and $perm->have_perm() I have to check if those objects exist? Or maybe I make some "dummy objects" that look like the real ones but don't do anything?

----- Original Message -----
From: "Richard Archer" <rh...@ju...>
To: <php...@li...>
Sent: Tuesday, December 03, 2002 4:39 PM
Subject: Re: [Phplib-users] No session_id or cookie if not authenticated.. how?

> At 16:11 -0800 3/12/02, Aric Caley wrote:
>
> >So I'd have to also check if the
> >user already has a session and call page_open() if so.
>
> Yup. That would do the job nicely :)
>
> ...R.
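Added example, not part of the original thread and not PHPLIB's own code: one way to combine the two ideas in the messages above, calling page_open() only when the request already carries a session id or the action needs one, and otherwise substituting do-nothing stand-ins for $sess and $perm. The class names Example_Session, Example_Default_Auth and Example_Perm, the Null_* classes, and the page/action parameters are assumptions.

```php
<?php
// Added example, not code from the thread. Assumes PHPLIB's prepend.php is
// loaded and that local.inc defines Example_Session, Example_Default_Auth
// (a "nobody" default-auth class) and Example_Perm (assumed class names).
// "page" and "action" are hypothetical request parameters.

// Stand-ins used while no session exists, so page code can call
// $sess->url() and $perm->have_perm() unconditionally.
class Null_Session {
    function url($url) { return $url; }               // no session id appended
}
class Null_Perm {
    function have_perm($required) { return false; }   // anonymous: no permissions
}

// True when the request already carries a session id in the cookie or the
// query string. Assumption: the id is named after the session class, i.e.
// the session's $name has not been overridden and ids are not path-encoded.
function has_session_id($name) {
    return !empty($_COOKIE[$name]) || !empty($_GET[$name]);
}

// Hypothetical rule for which requests must start a session.
function needs_session($page, $action) {
    return $action === 'login' || $action === 'add_to_cart'
        || strpos($page, 'account/') === 0;
}

$page   = isset($_GET['page'])   ? $_GET['page']   : '';
$action = isset($_GET['action']) ? $_GET['action'] : '';

if (has_session_id('Example_Session') || needs_session($page, $action)) {
    // page_open() sets the globals $sess, $auth and $perm.
    page_open(array('sess' => 'Example_Session',
                    'auth' => 'Example_Default_Auth',
                    'perm' => 'Example_Perm'));
    $have_session = true;
} else {
    $sess = new Null_Session;
    $perm = new Null_Perm;
    $have_session = false;
}

// ... render the requested page using $sess->url() and $perm->have_perm() ...

if ($have_session) {
    page_close();   // save session state only when a real session was opened
}
```

Because Null_Session::url() returns links unchanged, a visitor who never triggers needs_session() receives no cookie and sees no session id in any URL.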
From: Aric C. <gre...@pe...> - 2002-12-04 23:12:30
Well at the moment, we have it set to not fall back to get mode. So, you either accept the cookie or you can't use the shopping cart (or login or do anything other than look at products). We figure there aren't going to be many people turning off cookies, and those who do it are knowledgeable enough to understand why we're using cookies.

The problem (if it is really a problem, which I am not entirely sure of, but my boss is concerned about) is with search engines. Since they don't accept cookies, they would get session id's everywhere. Now I can't seem to find a definitive answer here, but some (all?) search engines supposedly will ignore any page that has session id's (specifically, any url with a '?' in it). Now, I have my site working without the '?' and '&', using '/' everywhere instead. My boss thinks (I disagree) that the search engines will still barf on our urls because they will see the big long random looking session id and even though it looks like a directory will still ignore our pages.

Another possible concern is that phplib redirects when you login. I noticed that when trying to use the validator.w3.org service it doesn't work because of the redirection, it works if I point it at a url that includes a session id in it. I don't know if that means a search engine might also refuse to index the site.

Also if the search engine did work, the indexed urls would have session_ids and anybody that went through that search engine to get to us would have the same id... I don't know if that's a problem or not?

Perhaps there really isn't anything to worry about... :)

----- Original Message -----
From: "Matt Williams" <li...@ye...>
To: "Aric Caley" <gre...@pe...>
Sent: Tuesday, December 03, 2002 1:28 AM
Subject: Re: [Phplib-users] No session_id or cookie if not authenticated.. how?

On Wednesday 04 December 2002 00:11, Aric Caley wrote:
> I guess what I have to do is check my parameters first and then call
> page_open() only when needed, but then like you say the session gets lost
> when a user goes to an unprotected area. So I'd have to also check if the
> user already has a session and call page_open() if so

That's true but only if the user is using a non cookie session.

IMHO I don't see what the big issue is with accepting cookies. Yes fair enough in some instances like ad sites and the like, but if I'm on a site where I know there is a members area or I'm gonna buy something, I expect to have a cookie or two dropped on my machine. And if they wanna track my progress around their site fair enough maybe they'll offer me a deal on something I do want but never thought they had..

Why is it a problem to start the session when the user first visits?

matt