[Lispweb] session tracking: url rewriting vs cookies

Marc Battyani marc.battyani at fractalconcept.com
Tue Jun 26 10:55:25 CDT 2001


Matt Curtin writes:

> I'd prefer to see a cookie-based mechanism for session management.
> URLs are essentially public knowledge, thanks to their appearance in
> various types of log files, headers that can leak to third parties
> (e.g., HTTP referrers, which were mandatory until HTTP 1.1 and are
> still treated that way in many cases), etc.

The URI encoded sessions have a timeout so if somebody uses an old URI (from
a log or a search engine), the session will be discarded. The HTTP referrer
is a problem though, if there are links going outside.

I will add the SSL session ID to the mod_lisp variables sent to Lisp to
enable secure session management if needed.

> Cookies are a Good Thing[1] for the purpose of managing session state.
> Abuse of cookies is, of course, one reason to consider their use
> carefully, but using them as they were intended is perfectly sensible.

Sure. The long time persistence of cookies can be useful. But I still prefer
URI encoding for short term session tracking.

> Footnotes:
> [1]  Well, to the degree that a Good Thing is possible atop the
>      bizarre stateless beast known as HTTP.

Yes, a simple state management protocol would have been very useful.

Marc
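The timeout-on-stale-URI behaviour Marc describes, as an added example in Python that is not part of the original thread or of mod_lisp; the store class, the TTL value, the `sid` query parameter and the injectable clock are assumptions:

```python
"""URL-rewritten session tracking where stale session ids are discarded."""
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

SESSION_TTL_SECONDS = 15 * 60  # assumed short-lived session lifetime


class UrlSessionStore:
    """Issues random session ids, embeds them in URLs, and rejects expired ones."""

    def __init__(self, ttl=SESSION_TTL_SECONDS, clock=time.time):
        self.ttl = ttl
        self.clock = clock      # injectable so expiry can be tested deterministically
        self._sessions = {}     # session id -> (last-seen timestamp, session data)

    def create(self, data=None):
        """Start a session under a 256-bit unguessable identifier."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = (self.clock(), data if data is not None else {})
        return sid

    def rewrite_url(self, url, sid):
        """URL rewriting: carry the session id as a query parameter."""
        sep = '&' if urlparse(url).query else '?'
        return url + sep + urlencode({'sid': sid})

    def lookup(self, url):
        """Return the session data for the id in `url`, or None if absent or expired."""
        sid = parse_qs(urlparse(url).query).get('sid', [None])[0]
        entry = self._sessions.get(sid) if sid else None
        if entry is None:
            return None
        last_seen, data = entry
        if self.clock() - last_seen > self.ttl:
            # An old URI replayed from a log or a search engine: drop the session.
            del self._sessions[sid]
            return None
        self._sessions[sid] = (self.clock(), data)  # sliding expiry on each hit
        return data
```

A replayed URL only works while the session is live; once the TTL has elapsed the id is deleted, so the same URL keeps failing afterwards.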
