Webspeed shared/session variables

Posted by Admin on 08-Dec-2006 08:27

Hello,

I'd like to know how it is possible to create session variables.

now we put everything in a session table. so we create a table in a database and in there we create a record with numerous fields for everything we would like to keep during the session time. (session time = time that the user checks our site).

but this has difficulties. we have a kind of login when a person1 wants to respond to something. we hold his login in that session table and we hold it on the URL like:

?sessionid=4526823

for example.

the problem is that google finds a page of ours with "sessionid=4526823". so when person2 clicks on this link he will have the "user-settings" from person1.

--> not good.

we could fix this when we say "if startdate < (today -1) then redirect firstpage.html"

but, that is something we wouldn't like to do. if we had session variables it would be easier.

you know what i mean?

how can i solve this?

thanx in advance

Thomas

All Replies

Posted by Admin on 09-Dec-2006 04:20

Store the session id in a cookie. This way your URL won't show the "sessionid=4526823" anymore and you can check the request's cookie to see if it contains a session id.

Posted by Mike Ormerod on 11-Dec-2006 05:39

or to avoid cookies, store it as a hidden field on the page.

Posted by Admin on 11-Dec-2006 10:35

thanks, both good answers,

BUT,

with a cookie you can have this problem.

person A:

cookie is storing id 123

5 seconds later person B shoots person A away and opens a new browser, also to the site.

cookie holding id 123 is for person A

cookie will now be holding id 456

5 seconds later person A takes place again and continues his web stuff on HIS browser. problem: cookie still holding id 456, will create new one?

--> so not so good.

problem with in a hidden field:

you can give a hidden field on every page that value, yes. good thinking, but a hidden field value can only be given to another page when you do a post of the page. but some pages don't do a post, and believe me you don't want to make every link a post. it's possible but rather no thanks.

other possibilities?

greets Thomas

Posted by Admin on 11-Dec-2006 11:46

thanks, both good answers,

BUT,

with a cookie you can have this problem.

person A:

cookie is storing id 123

5 seconds later person B shoots person A away and opens a new browser, also to the site.

cookie holding id 123 is for person A

cookie will now be holding id 456

5 seconds later person A takes place again and continues his web stuff on HIS browser. problem: cookie still holding id 456, will create new one?

--> so not so good.

A session cookie will be destroyed when you close your browser. When you leave your computer unattended, people can do anything under your name, right?

Posted by Admin on 11-Dec-2006 18:54

Just a couple of quick comments to any readers, since this really relates to web application security. You could also use web server authentication. The user name field is available as a CGI variable from within WebSpeed. The drawback to this approach is that two users (or the same user in two different instances) could log in under the same id, which could confuse your application if you're doing login-specific context.

Passing a hidden field in each form is typically best instead of storing it as a cookie; anyone can turn off browser cookies and some proxies filter them. If you're in a position to dictate to your users that cookies are required, then using cookies is fine and makes the application context design much simpler. Just make sure whatever id scheme you choose is randomly generated, or someone could look at their id, and then just increment/decrement the number and magically become someone else.

WebSpeed has some built-in session handling that can be used for simple stuff. It is not enabled by default. Although a simple id/name/value session table is a lot more robust; look at session.p in the WebSpeed src/web/ directories (I don't remember exactly which one) for one implementation.

Posted by Admin on 12-Dec-2006 02:45

Thanks for the answers,

I quote: "When you leave your computer unattended, people can do anything under your name, right?"

That is correct, BUT, my website's purpose is to help people of all ages. so that could count mom, dad, brother, sister, grandma, who all live in the same house and work on the same computer.

--> so for those cases we need to have a system so that grandma will not place orders in the name of the brother.

--> logical no?

And for the other reply, thanks i'll check on that session.p;

although it would be easy if there was any documentation to find.

Thanks for your replies, and if there are other suggestions, please post them.

Posted by Admin on 12-Dec-2006 03:17

Hello,

I've tried with that session program. but that is not that great.

i opened a browser and i put the value "thomas" of a text field in a session variable called "name".

then it goes to a second page and there is the value of the session "name" placed on the screen.

this works.

BUT

i open a second browser and i put a different value like "test" in the first text field and i go to the next page and there it is, "test" on the screen.

--> now the good part,

i go back to my first browser, do a refresh (F5) and what do i see, not "thomas" but "test".

somehow that session-value comes in the cache.

this system is not waterproof.

still thanks

Posted by Admin on 12-Dec-2006 04:59

I quote: "When you leave your computer unattended, people can do anything under your name, right?"

That is correct, BUT, my website's purpose is to help people of all ages. so that could count mom, dad, brother, sister, grandma, who all live in the same house and work on the same computer.

I can understand that. But what I don't understand is your following concern:

- grandma opens the browser

- she logs in and puts a pair of glasses in her shopping basket

- she wanders off and takes her medicine

- the baby comes along and orders some diapers

- grandma returns and commits the transaction

Now you find it strange that grandma has ordered some diapers and glasses?

A session cookie will disappear as soon as you close the browser. I think it will be hard to get rid of the session id as long as the browser won't be closed. You could add some JavaScript + a timer to remove the session or provide a logout button, but that requires a user interaction.... Isn't that sufficient?

Posted by Admin on 12-Dec-2006 09:00

true,

but, we have a website with a lot of job offers. people can respond to job offers when they have filled in their social security number. (the social security number is a variable we keep in a database; with the session id we can get his social security number from the database)

it is true that when you close your browser the session gets killed, but. ALL browsers must be closed.

so for example in a public library, person A comes to our website and responds to a job offer.

he leaves the site and goes to the start page of the library, for example google.

person A leaves the pc.

person B comes to the pc and sees there is a web browser still open and takes that one, he goes to our website and responds to a job offer. he doesn't find it strange that he doesn't have to give his social security number because he never went to this site before. (so he just doesn't know).

--> problem: person B has responded in the name of person A.

Posted by Admin on 12-Dec-2006 14:49

it is true that when you close your browser the session gets killed, but. ALL browsers must be closed.

A cookie can also expire and can be bound to a domain. In most cases people authenticate on a secured connection (HTTPS). In that scenario you open a new browser window (or tab page nowadays). Here you add a JavaScript close trigger that deletes the cookie. I think you're very naive when you log in somewhere and leave the browser window open.

When I do some electronic banking, I get a new window and the entire toolbar is hidden. The only option I have is to close the window. Not so user friendly, but it makes you close your session.

Perhaps your website design should not allow a session at all, since you will always have this dilemma:

- you want a very intuitive interface

- someone logs in

- browses around

- goes away

- someone else borrows the session

I can't see how you can protect that.....

Posted by Admin on 12-Dec-2006 19:45

The problem with opening a new browser window is that even if you click on the desktop icon again you don't get a new instance of the web browser. The browser just opens a new window and you're running in the same process. Unless you completely close your web browser then all cookies, history, and other state information is persisted across all browser windows. You either need to shutdown the browser or perform some sort of log out to clear out any active cookies.

The only way around this is for each and every get and post of every page that needs session information to pass the session id. If just one link breaks the chain the user gets a new session.

The session.p that comes with WebSpeed is a very simple way to handle this. It maintains a persistent procedure that uses cookies to maintain session information, hence the reason you're seeing cached information between browsers. I'm not actually suggesting you use it, but learn from what it does.

The things it does, though, are necessary for any session maintenance: load session data based on a session id, and persist it to disk while keeping the API to fetch the session values simple. The actual implementation is based on your needs.

Posted by Admin on 21-Dec-2006 09:25

hello,

well, session.p is very handy.

but we want a little bit more...

is it possible to make an auto-delete? that we give a timestamp with it to tell how long it lives.

Thanks for all this help!

Thomas
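The points raised across this thread (an unguessable, randomly generated id instead of one you can increment; the id carried in a cookie rather than in a URL that search engines index; an id/name/value session table like the one the 11-Dec-2006 18:54 reply describes; a logout that kills the server-side record; and the auto-delete by timestamp Thomas asks for above) fit together in one small server-side session store. The following is an added example for this page, written in Python rather than ABL; it is not WebSpeed's session.p or anything from the thread. The cookie name, the timeout values, the FakeClock test aid and the "personA" value are all constructed for the demonstration.

```python
import secrets
import time
from dataclasses import dataclass, field
from http.cookies import SimpleCookie

COOKIE_NAME = "sessionid"  # hypothetical cookie name, picked to match the thread's URL parameter

@dataclass
class Session:
    sid: str
    expires: float      # absolute lifetime: the "timestamp to tell how long it lives"
    last_seen: float    # drives the idle timeout
    values: dict = field(default_factory=dict)  # the id/name/value pairs of the session table

class FakeClock:
    """Controllable clock (a test aid, not part of the design) so expiry runs without sleeping."""
    def __init__(self, start=1_000_000.0):
        self.now = start
    def __call__(self):
        return self.now
    def advance(self, seconds):
        self.now += seconds

class SessionStore:
    """In-memory stand-in for the database session table the thread describes."""
    def __init__(self, idle_timeout=900, absolute_lifetime=8 * 3600, clock=time.time):
        self._sessions = {}
        self.idle_timeout = idle_timeout
        self.absolute_lifetime = absolute_lifetime
        self.clock = clock

    def create(self):
        """New session under an unguessable id (256 random bits); incrementing a neighbour's id finds nothing."""
        now = self.clock()
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(sid, now + self.absolute_lifetime, now)
        return sid

    def _is_dead(self, s, now):
        return now >= s.expires or now - s.last_seen >= self.idle_timeout

    def lookup(self, sid):
        """Live session for sid, or None when unknown or expired (expired ones are deleted on sight)."""
        s = self._sessions.get(sid)
        now = self.clock()
        if s is None or self._is_dead(s, now):
            self.destroy(sid)
            return None
        s.last_seen = now
        return s

    def destroy(self, sid):
        """Logout button: the server-side record is gone even if the browser still holds the cookie."""
        self._sessions.pop(sid, None)

    def rotate(self, old_sid):
        """Fresh id at login, so an id seen before login (in a URL or a log) is worthless afterwards."""
        old = self._sessions.pop(old_sid, None)
        new_sid = self.create()
        if old is not None:
            self._sessions[new_sid].values = old.values
        return new_sid

    def purge_expired(self):
        """Auto-delete sweep for a scheduled job; returns how many sessions were dropped."""
        now = self.clock()
        dead = [sid for sid, s in self._sessions.items() if self._is_dead(s, now)]
        for sid in dead:
            del self._sessions[sid]
        return len(dead)

def sid_from_cookie_header(cookie_header):
    """Read the session id out of a request's Cookie header; None when it is not there."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    morsel = jar.get(COOKIE_NAME)
    return morsel.value if morsel else None

def set_cookie_header(sid, max_age=None):
    """Set-Cookie value: no Max-Age means a session cookie that dies with the browser;
    HttpOnly keeps page scripts from reading it, Secure limits it to HTTPS."""
    parts = [f"{COOKIE_NAME}={sid}", "Path=/", "HttpOnly", "Secure", "SameSite=Lax"]
    if max_age is not None:
        parts.append(f"Max-Age={int(max_age)}")
    return "; ".join(parts)

def shared_computer_scenario():
    """The thread's library case: A logs in, walks away, B takes the open browser later."""
    clock = FakeClock()
    store = SessionStore(idle_timeout=600, clock=clock)
    anon = store.create()                      # person A arrives: anonymous session
    sid_a = store.rotate(anon)                 # person A logs in: fresh id
    store.lookup(sid_a).values["user"] = "personA"  # constructed value; the real site kept an SSN here
    observed = {"rotated": sid_a != anon, "old_id_dead": store.lookup(anon) is None}
    clock.advance(600)                         # A has been gone ten minutes; B sits down at the same window
    observed["idle_expired"] = store.lookup(sid_a) is None  # B has to log in as himself
    return observed
```

The idle timeout is what addresses the library scenario: person B finding the browser window open ten minutes later gets no session, whatever the cookie still says, so the unattended-browser gap is bounded by the timeout rather than by whether anyone closed every window. The sweep in purge_expired is the "auto-delete with a timestamp" asked for above and would run from a scheduled job against the real session table; lookup also deletes expired records on sight so a stale row is never honoured between sweeps. The refresh problem reported with session.p (one browser showing another browser's value) cannot occur here because values live only in the server-side record the request's own cookie points to.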

Posted by runningtom8@gmail.com on 28-Aug-2014 11:00

Thomas,

I am doing research on a similar web session, security and management question. What is your final solution?

Have you been able to come up with a solution or work around for your problem? Can you share?

Is there a best practice on Webspeed session security, management and handle?

Thank you.

Tom

This thread is closed