Re: Implementing Cookies

Given, whenever I do session handling, users have an account with the service - but;
I will take their service username and combine it with a random string (Normally the MD5 of my /etc/passwd, just as a little joke), from that I produce another MD5 checksum and store it in the cookie like so:
filmo:3d42e7ab7cd3f127cda36ed2512eb4c6

The MD5 checksum allows me to verify (in a relatively secure manner) that the username stored in the cookie is the one I assigned to that cookie in the first place.
I keep track of "users browsing" by keeping a DB table with a username and datestamp, and each time they hit any of the CGIs (the sites I deal with are generally entirely generated from perl CGIs anyway), I update the datestamp, thus keeping track of who's on and who's not. I run a cronjob every half-hour to remove idlers.

Someone has already mentioned that IPs aren't a particularly affective way of tracking user sessions. I would agree with this, multiple cache proxies are often implemented at large ISPs, and this will make your IP address often times rather redundant.

JP,
-- Alexander Widdlemouse undid his bellybutton and his bum dropped off --

Comment on Re: Implementing Cookies

Replies are listed 'Best First'.
Re: Re: Implementing Cookies by filmo (Scribe) on Nov 20, 2001 at 23:50 UTC
Good idea with the MD5 checksum. Although the IP address can shift intra-session at the large ISPs, I was thinking that I could use cookies and IPs to track static pages as well. Thus for example, if someone comes to the main page, a cookie is set and the IP address and cookie are stored in a DB table. When the user jumps to another page, if the IP changes (ala AOL), the cookie remains the same and that IP is also recorded along with the cookie. Thus. I could write a log analysising program that would let me track how long a user spent on a particular page as well as the path they took since I would now have a way to link users across IPs. Obviously, it wouldn't work perfectly for all entries in the log, but probably well enough. Additionally, if the user is registered to a cookie and IP and then views a static .html page, I could still capture that path and time spent before moving off to the next request. This must be similar to how those large web analysising companies are able to aggregate data about how much time is spent on a particular page and the pathes that users took. -- Filmo the Klown	[reply]

Replies are listed 'Best First'.

Re: Re: Implementing Cookies
by filmo (Scribe) on Nov 20, 2001 at 23:50 UTC

Although the IP address can shift intra-session at the large ISPs, I was thinking that I could use cookies and IPs to track static pages as well.

Thus for example, if someone comes to the main page, a cookie is set and the IP address and cookie are stored in a DB table. When the user jumps to another page, if the IP changes (ala AOL), the cookie remains the same and that IP is also recorded along with the cookie. Thus. I could write a log analysising program that would let me track how long a user spent on a particular page as well as the path they took since I would now have a way to link users across IPs.

Obviously, it wouldn't work perfectly for all entries in the log, but probably well enough. Additionally, if the user is registered to a cookie and IP and then views a static .html page, I could still capture that path and time spent before moving off to the next request.

This must be similar to how those large web analysising companies are able to aggregate data about how much time is spent on a particular page and the pathes that users took.
--
Filmo the Klown

[reply]