Re: mod_perl authorization and time-outs ... without cookies?

Or should I just give in and use cookies, and/or skip using basic Auth?

Yes, you should. Certainly there are ways to work around not using cookies, but why bother? This is one wheel that's not worth reinventing.

-sam

Comment on Re: mod_perl authorization and time-outs ... without cookies?

Replies are listed 'Best First'.
Re: Re: mod_perl authorization and time-outs ... without cookies? by Ryszard (Priest) on Apr 20, 2002 at 06:31 UTC
but why bother? This is one wheel that's not worth reinventing WAP devices such as phones/pdas that cannot take cookies People who want to turn cookies off to avoid being tracked IMO If I were to build a session management module that didnt use cookies, I would be putting the session id as a parameter, and rotating the sess_id each page view (to avoid replay). This is a nice easy and relatively secure method that will slot in easily with CGI.pm and anything you may have written already, all you have to do is substitute the cookie value for the param value!	[reply]

Replies are listed 'Best First'.

Re: Re: mod_perl authorization and time-outs ... without cookies?
by Ryszard (Priest) on Apr 20, 2002 at 06:31 UTC

but why bother? This is one wheel that's not worth reinventing

WAP devices such as phones/pdas that cannot take cookies
People who want to turn cookies off to avoid being tracked

IMO If I were to build a session management module that didnt use cookies, I would be putting the session id as a parameter, and rotating the sess_id each page view (to avoid replay).

This is a nice easy and relatively secure method that will slot in easily with CGI.pm and anything you may have written already, all you have to do is substitute the cookie value for the param value!

[reply]