From: Sean W. <yo...@et...> - 2006-04-02 06:40:37
I've written many websites that use sessions. The best arrangements only store a session ID in a cookie. The rest of the user's state should be pulled from a database on the server. There are several reasons.

The first is: having one cookie is being a good citizen to the net. Filling a browser with cookies is bad form.

Second: there are some limitations to the size of cookies, how long browsers will hold onto them, etc. If you trust browsers to keep track of that for you, you are on a short road to insanity.

Third is extra traffic and extra logging. All of the cookies you send have to be re-sent with every page view. They are also dutifully recorded in the webserver logs.

Finally: security. About the only thing I trust a browser with is essentially a "ticket number" that I can verify to be legit. If you trust a browser with logon names or other access credentials, there are many many many ways to exploit such a system.

In short: issue a "ticket number". Use that ticket number that is passed in with every page view to load data from a table. (On my systems I populate an array called ::session.)

cookie -> verify cookie good -> load "session" for said cookie into ::session -> (Yadda Yadda) -> save changes to ::session -> return/destroy ticket cookie

On Apr 1, 2006, at 11:28 PM, tclhttpd-users-re...@li... wrote:

> Today's Topics:
>
> 1. Re: sessions (salah jubeh)
>
> Message: 1
> Date: Fri, 31 Mar 2006 22:55:56 -0800 (PST)
> From: salah jubeh <s_...@ya...>
> Subject: Re: [Tclhttpd-users] sessions
> To: Jeff Smith <hea...@ya...>, tclhttpd-us...@li...
>
> Hi Jeff,
>
> The problem with the session package, I think, is that it is not complete.
> After creating a session, the user is supposed to have his own state,
> i.e. variables; it is not just tracking the user ("who is the user"),
> because this can be done by hidden fields. After creating a session, all
> the form variables are still in the global scope. That means that if two
> users are inserting records at the same time, the records will mix up.
>
> Jeff Smith <hea...@ya...> wrote:
>
> Hi Salah,
>
>> second in the session library how it is work to
>> maintain variable states and can you give me
>> example.
>>
>
> There are a few examples of using TclHttpd's session
> module on the wiki
>
> http://wiki.tcl.tk/2927
>
> Kind Regards
>
> Jeff Smith
>
> _______________________________________________
> TclHttpd-users mailing list
> https://lists.sourceforge.net/lists/listinfo/tclhttpd-users
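The ticket flow described in the post above (cookie -> verify -> load -> change -> save -> return/destroy), written out as an added example in Python. This is not TclHttpd's session module and not the poster's Tcl code; it assumes an in-memory dict (`SESSION_STORE`) in place of the database table, a placeholder `SECRET_KEY` generated at import time, and a hypothetical `handle_request` entry point standing in for a page handler. It goes a little beyond the post in two places: the ticket carries an HMAC tag so a forged or garbage cookie is rejected before any store lookup, and `set_cookie_header` adds the HttpOnly/Secure/SameSite attributes the post does not spell out. The interleaved alice/bob requests at the bottom are constructed input showing that form values land in each user's own row rather than a shared global, which is the mixing problem raised in the quoted message.

```python
"""Opaque session ticket with all per-user state held server-side.

Added illustration of the cookie -> verify -> load -> save -> destroy flow;
it is not TclHttpd's session module. SESSION_STORE is an in-memory dict
standing in for the database table, and SECRET_KEY is a placeholder
generated at import time (a real deployment loads it from configuration).
"""
import hashlib
import hmac
import secrets
import time
from typing import Optional

SECRET_KEY = secrets.token_bytes(32)   # placeholder key (assumption)
TICKET_TTL = 30 * 60                   # idle seconds before a ticket dies
COOKIE_NAME = "sid"

# ticket id -> {"expires": unix time, "data": this user's state}
SESSION_STORE: dict = {}


def _tag(ticket_id: str) -> str:
    """HMAC tag over the ticket id so forged cookies fail before any lookup."""
    return hmac.new(SECRET_KEY, ticket_id.encode(), hashlib.sha256).hexdigest()[:32]


def issue_ticket(now: Optional[float] = None) -> str:
    """Create an empty server-side session and return the cookie value."""
    now = time.time() if now is None else now
    ticket_id = secrets.token_urlsafe(32)  # 256 random bits, unguessable
    SESSION_STORE[ticket_id] = {"expires": now + TICKET_TTL, "data": {}}
    return f"{ticket_id}.{_tag(ticket_id)}"


def verify_ticket(cookie_value: Optional[str], now: Optional[float] = None) -> Optional[str]:
    """Return the ticket id if the cookie is ours and unexpired, else None."""
    now = time.time() if now is None else now
    if not cookie_value or cookie_value.count(".") != 1:
        return None
    ticket_id, tag = cookie_value.split(".")
    if len(tag) != 32 or not hmac.compare_digest(tag.encode(), _tag(ticket_id).encode()):
        return None                         # garbage or forged: never touches the store
    row = SESSION_STORE.get(ticket_id)
    if row is None or row["expires"] < now:
        SESSION_STORE.pop(ticket_id, None)  # expired rows are reaped on sight
        return None
    return ticket_id


def load_session(ticket_id: str) -> dict:
    """Copy this ticket's state out of the store (the ::session array in the post)."""
    return dict(SESSION_STORE[ticket_id]["data"])


def save_session(ticket_id: str, session: dict, now: Optional[float] = None) -> None:
    """Write the state back and slide the idle timeout."""
    now = time.time() if now is None else now
    SESSION_STORE[ticket_id] = {"expires": now + TICKET_TTL, "data": dict(session)}


def destroy_ticket(ticket_id: str) -> None:
    SESSION_STORE.pop(ticket_id, None)


def set_cookie_header(cookie_value: str) -> str:
    """Attributes the post does not spell out but a ticket cookie should carry."""
    return (f"Set-Cookie: {COOKIE_NAME}={cookie_value}; Path=/; "
            f"Max-Age={TICKET_TTL}; HttpOnly; Secure; SameSite=Lax")


def handle_request(cookie_value: Optional[str], form: dict, now: Optional[float] = None):
    """One page view: verify the ticket (or issue one), load, change, save.

    Returns (cookie value to send back, the session as it now stands).
    Only the ticket ever crosses to the browser; a posted form field lands
    in this user's own row, never in a shared or global variable.
    """
    now = time.time() if now is None else now
    ticket_id = verify_ticket(cookie_value, now)
    if ticket_id is None:                   # missing, forged or stale: start fresh
        cookie_value = issue_ticket(now)
        ticket_id = cookie_value.split(".")[0]
    session = load_session(ticket_id)
    if "record" in form:
        session.setdefault("records", []).append(form["record"])
    save_session(ticket_id, session, now)
    return cookie_value, session


if __name__ == "__main__":
    # Constructed requests from two users interleaved on the same server.
    c1, _ = handle_request(None, {"record": "alice-1"}, now=1000.0)
    c2, _ = handle_request(None, {"record": "bob-1"}, now=1000.0)
    _, s1 = handle_request(c1, {"record": "alice-2"}, now=1001.0)
    _, s2 = handle_request(c2, {}, now=1001.0)
    print(set_cookie_header(c1))
    print("alice:", s1["records"], "bob:", s2["records"])
    print("forged tag rejected:", verify_ticket(c1.split(".")[0] + "." + "0" * 32, now=1001.0) is None)
    print("expired rejected:", verify_ticket(c2, now=1001.0 + TICKET_TTL + 1) is None)
```

Two details worth noticing. Because the ticket is random and tagged, a stolen or guessed cookie is the only thing an attacker can present; there is no logon name or role in it to tamper with, which is the point the post makes. And because `handle_request` re-issues a ticket whenever verification fails, a stale cookie from an expired or destroyed session silently becomes a fresh, empty one rather than reviving old state.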