Forum OpenACS Development: Response to Login/Security tokens without cookies

Posted by Tom Jackson on

Putting session ids in the url is a great way to make your site difficult to bookmark, email to friends and to index with a search engine. At least that is what I thought until I read Jerry's post.

He is right that I use the url to encode variables. The main reason I do that is because I want AltaVista to index the site.

I have done this encoding several different ways so I can tell you that there is one good way that would allow you to encode the session_id without messing up any of the above three important features of static urls.

I wrote a simple little adp tag, I like it so much that I even use it on tcl pages. Here is the code:

# Bind caller variables to URL path segments, each addressed by its offset
# counted from the tail of the path (0 = last segment).
proc set_url_vars_adptag {tagset} {
    set size [ns_set size $tagset]
    set urlv [ns_conn urlv]
    set urlc [ns_conn urlc]
    for {set i 0} {$i < $size} {incr i} {
        set key   [ns_set key $tagset $i]
        set value [ns_set value $tagset $i]
        ;# create the variable in the caller's scope, not in this proc
        upvar $key $key
        set $key [lindex $urlv [expr {$urlc - $value - 1}]]
    }
    return ""
}
ns_register_adptag urlvars set_url_vars_adptag

Then you can put this adp tag on your page and set variables from the url:
<urlvars letter="2" mfg_id="1">
or use code like this on your tcl page to get the same effect:
set tagset [ns_set create]
ns_set put $tagset letter 2
ns_set put $tagset mfg_id 1
set_url_vars_adptag $tagset

The key to this is that you count from the tail end of the url back toward the http part. This is much more desirable than hard-coded positions, which is really the same as counting from the left.

Using my VAT module which is available at http://zmbh.com/discussion/vat/ you could include a session id in the url. Imagine that I wanted to do this. Go to this url: http://dev.saleonall.com/cat/accessories/cables/onesub.html. Now insert some random letters between the first directory 'cat' and the second 'accessories'. Try for instance: http://dev.saleonall.com/cat/1234/accessories/cables/onesub.html.

You still need to worry about identifying users. Basic authentication is your only other option. Usually this requires sending a base64 encoded clear text string of the user name and password. It isn't less secure than using a cookie, but with session tokens, there is less opportunity to steal a password. It isn't likely to happen, but just good to remember that it can.
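The tail-relative addressing in the post, carried through as an added Python example (not the original Tcl, and not part of the VAT module). It reproduces the urlvars idea with plain string handling so it can be run offline: `parse_tail_vars` is the counterpart of `set_url_vars_adptag`, `insert_session_segment` splices a token in after the first directory the way the post describes, and `split_session_segment` recovers it on the way back in. All function names, the offsets, and the token value `1234` are this example's assumptions; the sample URL is the one quoted in the post.

```python
"""Tail-relative URL path variables with an optional session segment.

Added example (Python, not the original Tcl adp tag). Function names and
the sample token are assumptions made for this illustration.
"""
from urllib.parse import urlsplit

# URL quoted in the post, used here as constructed sample input.
STATIC_URL = "http://dev.saleonall.com/cat/accessories/cables/onesub.html"

# Same spec as <urlvars letter="2" mfg_id="1">: name -> offset from the tail.
TAIL_SPEC = {"letter": 2, "mfg_id": 1}


def path_segments(url):
    """Non-empty path segments of a URL, like ns_conn urlv."""
    return [s for s in urlsplit(url).path.split("/") if s]


def parse_tail_vars(url, spec):
    """Map each name in spec to the path segment at that offset counted
    from the END of the path (0 = last segment). Missing segments map to
    None instead of raising, so a short path cannot crash the caller."""
    segs = path_segments(url)
    result = {}
    for name, offset in spec.items():
        idx = len(segs) - offset - 1   # same arithmetic as urlc - value - 1
        result[name] = segs[idx] if idx >= 0 else None
    return result


def insert_session_segment(url, token, after_index=1):
    """Insert `token` as a new path segment after the segment at
    `after_index` (counted from the left), e.g. between 'cat' and
    'accessories'. Tail-relative variables are unaffected by this."""
    parts = urlsplit(url)
    segs = [s for s in parts.path.split("/") if s]
    segs.insert(after_index, token)
    return parts._replace(path="/" + "/".join(segs)).geturl()


def split_session_segment(url, static_len, at_index=1):
    """Return (token_or_None, url_without_token). The token is recognised
    purely by the path being one segment longer than the static form, so
    the caller must still look it up in its session store before trusting it."""
    parts = urlsplit(url)
    segs = [s for s in parts.path.split("/") if s]
    if len(segs) == static_len + 1:
        token = segs.pop(at_index)
        return token, parts._replace(path="/" + "/".join(segs)).geturl()
    return None, url


if __name__ == "__main__":
    tokenised = insert_session_segment(STATIC_URL, "1234")
    print(tokenised)
    print(parse_tail_vars(STATIC_URL, TAIL_SPEC))
    print(parse_tail_vars(tokenised, TAIL_SPEC))   # identical values
    print(split_session_segment(tokenised, len(path_segments(STATIC_URL))))
```

Because the variables are addressed from the tail, inserting or removing the session segment near the head leaves `letter` and `mfg_id` unchanged, which is the property the post relies on. A token carried this way still ends up in server logs, bookmarks and the Referer header of any outbound link, so it should be treated as a short-lived identifier that is validated against the session store on every request rather than as a credential.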