Sam Brauer
sam at webslingerZ.com
Tue May 29 09:40:32 EST 2001
On Tue, 29 May 2001, Bo Lorentsen wrote:
<snip>
> I just need to gain knowledge about some other ways of maintaining session
> data, as until now, I thought that a cookie were just a session reference
> number of a kind.
>
> /BL

I think the most portable method (a method with the least dependency on any particular webserver or application server) is to maintain the session state in a relational database table and store the table key value in a cookie.

When a user first hits your site, check for the cookie. If it exists and matches a record in your table, then treat that record as that user's session data. Otherwise, insert a new record and set a session cookie with the key value of the newly created record.

For applications where security is not a major concern, this method should be sufficient. If security is a major concern, you will want to avoid storing the cookie value as plain text and instead encrypt it in some way. Also, you may want to set a short expiration time for the cookie, and perhaps reset it every time you send a response to the user. You might also (again, depending on the type of application) want to provide an explicit logout function that unsets the cookie.

You could also have a field in your table that contains a timestamp that gets updated every time a request for that session comes in. Before updating the field, you might compare its current value with the current time. If the difference is greater than some time limit (say 30 minutes), then you could error out and respond to the user that their session has expired.

How complicated and secure you want to make it is up to you.

Regards,
Sam Brauer
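The scheme described in the message above, as an added example that is not part of the original post: a table-backed session store with the idle-timeout check and an explicit logout. The `sessions` table, the function names and the in-memory SQLite database are assumptions, and an unguessable random key is used as the cookie value in place of encrypting a plain table key.

```python
import secrets
import sqlite3
import time

IDLE_LIMIT = 30 * 60  # seconds; the 30-minute limit suggested in the post

def open_store():
    # Constructed in-memory table for the demo; any relational database works.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sessions ("
               "sid TEXT PRIMARY KEY, data TEXT, last_seen REAL)")
    return db

def handle_request(db, cookie_sid, now=None):
    """Return (sid_to_set_in_cookie, status); status is 'new', 'ok' or 'expired'."""
    now = time.time() if now is None else now
    row = None
    if cookie_sid:
        # Parameterized query: the cookie value is attacker-controlled input.
        row = db.execute("SELECT last_seen FROM sessions WHERE sid = ?",
                         (cookie_sid,)).fetchone()
    if row is None:
        # No cookie, or no matching record: insert a new record and hand
        # back its key. The key is random so it cannot be guessed or counted.
        sid = secrets.token_urlsafe(32)
        db.execute("INSERT INTO sessions VALUES (?, '', ?)", (sid, now))
        return sid, "new"
    if now - row[0] > IDLE_LIMIT:
        # Compare before updating; an expired session is an error.
        # Deleting the stale row is an added choice, not from the post.
        db.execute("DELETE FROM sessions WHERE sid = ?", (cookie_sid,))
        return None, "expired"
    db.execute("UPDATE sessions SET last_seen = ? WHERE sid = ?",
               (now, cookie_sid))
    return cookie_sid, "ok"

def logout(db, cookie_sid):
    # Remove the server-side record; the caller also unsets the cookie.
    db.execute("DELETE FROM sessions WHERE sid = ?", (cookie_sid,))
```
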