Forum OpenACS Development: Response to Login/Security tokens without cookies

Posted by David Eison on
Patrick McNeill did this sort of modification to ACS for Voxtime (apparently some phone stuff doesn't do cookies right so they needed things to work without cookies).  Basically one session-id-getting procedure was modified to check the first "directory" in the URL for the session ID if no session ID was found, and all URLs were modified to include the session ID.  The hard part is the "all URLs were modified" part, simply because there are a lot of hard-coded links.  I'm sure he could provide more details if you need them.

This would probably be easier on ACS-Java because I did a modification to support different mount points, which required replacing all hard-coded links and using a "get context path" method to get the context path.  So you're down to just the include-session-id-in-get-context-path-method and check-context-path-for-session-id steps.  The standard Java session handling won't work for ACS-Java because
a) It isn't database backed,
b) it requires you to call a method around every URL, and the system wasn't written that way,
c) it uses a URL variable rather than a directory, so it doesn't work "for free" on relative links (see b)

Finally, you'd want to make sure the session ID encodes & checks at least part of the IP, and probably have faster timeouts than normal, so that people don't accidentally e-mail their login to their friend.

It's an easy enough change that I think it should really be done, it's a nice feature and can reduce frustration/customer support "your site is broken" requests.
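As an added illustration (not code from the post, from ACS or from ACS-Java), a Python sketch of the scheme described above: a session token bound by HMAC to part of the client IP with a short expiry, read from the cookie first and otherwise from the first "directory" of the URL path, plus the link rewriting that puts the token into outgoing URLs. The `s_` path prefix, the server secret, the /24 IP prefix and the 10-minute timeout are assumptions.

```python
import hashlib
import hmac
import secrets
import time

SECRET = b"constructed-demo-key"   # assumption: server-side secret, never sent to clients
MAX_AGE = 600                      # assumption: "faster timeouts than normal", 10 minutes
PREFIX = "s_"                      # assumption: marks a path segment as a session token


def ip_prefix(ip):
    """First three octets of an IPv4 address: 'at least part of the IP'."""
    return ".".join(ip.split(".")[:3])


def issue_token(ip, now=None):
    """Mint 'sid.expiry.tag' where tag = HMAC(secret, sid|expiry|ip prefix)."""
    now = int(now if now is not None else time.time())
    sid, exp = secrets.token_hex(8), now + MAX_AGE
    msg = f"{sid}.{exp}.{ip_prefix(ip)}".encode()
    tag = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:32]
    return f"{sid}.{exp}.{tag}"


def verify_token(token, ip, now=None):
    """Return the session id if the tag, expiry and IP prefix check out, else None."""
    now = int(now if now is not None else time.time())
    try:
        sid, exp, tag = token.split(".")
        exp = int(exp)
    except ValueError:
        return None                # malformed token
    if now > exp:
        return None                # expired: a mailed link stops working quickly
    msg = f"{sid}.{exp}.{ip_prefix(ip)}".encode()
    expected = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:32]
    return sid if hmac.compare_digest(tag, expected) else None


def session_from_request(cookies, path, ip, now=None):
    """Cookie first; if absent, fall back to the first path segment."""
    token = cookies.get("session")
    if token is None:
        first = path.lstrip("/").split("/", 1)[0]
        if first.startswith(PREFIX):
            token = first[len(PREFIX):]
    return None if token is None else verify_token(token, ip, now)


def with_session(path, token):
    """Rewrite a site-absolute link so the token travels as the first directory."""
    return f"/{PREFIX}{token}{path if path.startswith('/') else '/' + path}"
```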