[Lispweb] session tracking: url rewriting vs cookies
marc.battyani at fractalconcept.com
Tue Jun 26 10:55:25 CDT 2001
Matt Curtin writes:
> I'd prefer to see a cookie-based mechanism for session management.
> URLs are essentially public knowledge, thanks to their appearance in
> various types of log files, headers that can leak to third parties
> (e.g., HTTP referrers, which were mandatory until HTTP 1.1 and are
> still treated that way in many cases), etc.
The URI encoded sessions have a timeout, so if somebody uses an old URI (from
a log or a search engine), the session will be discarded. The HTTP referrer
is a problem though, if there are links going outside.
I will add the SSL session ID to the mod_lisp variables sent to Lisp to
enable secure session management if needed.
> Cookies are a Good Thing for the purpose of managing session state.
> carefully, but using them as they were intended is perfectly sensible.
Sure. The long time persistence of cookies can be useful. But I still prefer
URI encoding for short term session tracking.
>  Well, to the degree that a Good Thing is possible atop the
> bizarre stateless beast known as HTTP.
Yes, a simple state management protocol would have been very useful.
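
The trade-off discussed in this message, as an added example that is not part of the original post and is not mod_lisp code: a URI-rewriting session store with an idle timeout and optional binding to a TLS session identifier. The class, the `sid` parameter name, the 600-second timeout and the `tls-A`/`tls-B` values are all assumptions, and the binding assumes the TLS session ID stays stable for the life of the session.

```python
import secrets
from urllib.parse import urlsplit, parse_qs

class SessionStore:
    """Hypothetical store for sessions carried in a 'sid' query parameter."""

    def __init__(self, timeout=600):          # idle timeout in seconds (assumed)
        self.timeout = timeout
        self.sessions = {}                    # token -> session record

    def create(self, now, tls_id=None):
        token = secrets.token_urlsafe(16)     # unguessable session token
        self.sessions[token] = {"last_seen": now, "tls_id": tls_id, "data": {}}
        return token

    def rewrite(self, path, token):
        # Append the token to a link the application emits.
        return f"{path}{'&' if '?' in path else '?'}sid={token}"

    def resolve(self, uri, now, tls_id=None):
        """Return the session for the token in uri, or None if unusable."""
        sid = parse_qs(urlsplit(uri).query).get("sid", [None])[0]
        session = self.sessions.get(sid)
        if session is None:
            return None
        if now - session["last_seen"] > self.timeout:
            del self.sessions[sid]            # old URI from a log: discard
            return None
        if session["tls_id"] is not None and session["tls_id"] != tls_id:
            return None                       # token seen on another TLS session
        session["last_seen"] = now
        return session

def demo():
    # Constructed timeline; times are seconds on an arbitrary clock.
    store, t0 = SessionStore(timeout=600), 1000
    bound = store.rewrite("/cart", store.create(t0, tls_id="tls-A"))
    unbound = store.rewrite("/cart", store.create(t0))
    return {
        "owner_active": store.resolve(bound, t0 + 60, "tls-A") is not None,
        # A URI that leaked via a referrer is still live inside the timeout:
        "fresh_leak_unbound": store.resolve(unbound, t0 + 60) is not None,
        "fresh_leak_bound": store.resolve(bound, t0 + 120, "tls-B") is not None,
        "stale_uri": store.resolve(bound, t0 + 661, "tls-A") is not None,
    }

if __name__ == "__main__":
    print(demo())
```

The timeout only covers URIs that surface after the session has gone idle; a URI that leaks while the session is active is rejected only when the session is bound to something the URI does not carry.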