Notification:

The object of my meditation: to find the most flexible, protected and simple-to-use solution and forget about this suxx forever. Insignificant, admissible limitations for this solution are: not portable (Unix only), not secure against packet sniffing (that is a task for SSL). This solution must not depend on mod_perl or mod_rewrite (these modules are not enabled on many web hostings) but must work well with them.

The ideal solution must work automagically and not depend on the template system used. Example of the interface to such a solution:

    use POWER::Session;
    %userdata = load_session();
    ...
    if ($need_to_store_something) {
        $userdata{something} = $somevalue;
        save_session(%userdata);
    }

The winning solution at this time uses mangled URLs and symlinks. I have never before seen solutions with symlinks, so please meditate to find weaknesses which I don't see right now, and find solutions for the already known weaknesses.

Update: Now with readmore tag, thanx to pdcawley :)

This table shows which features are required for an ideal solution. Legend:
Param means using <INPUT TYPE=HIDDEN NAME=id_sess VALUE="1234567890"> in forms and /path/script.cgi?id_sess=1234567890 in URLs.
URL (after path) means using /path/script.cgi/1234567890
URL (at root) means using /1234567890/path/script.cgi

    Feature / Method                                                  | BasicAuth | Cookie    | Param     | URL (after path) | URL (at root)
    ------------------------------------------------------------------+-----------+-----------+-----------+------------------+--------------
    Sessions for anonymous (not logged in) users                      | N         | Y         | Y         | Y                | Y
    Protect against a malicious user entering someone else's         | see below | see below | see below | see below        | see below
      active session                                                  |           |           |           |                  |
    Possibility to have many simultaneous logins for the same user    | Y         | Y         | Y         | Y                | Y
      from different browsers/hosts                                   |           |           |           |                  |
    Possibility to have different sessions in different browser       | N         | N         | Y         | Y                | Y
      windows (to allow many simultaneous logins, for ex. as ADMIN    |           |           |           |                  |
      and as USER)                                                    |           |           |           |                  |
    "Open in New Window" works without problems                       | Y         | Y         | see below | see below        | see below
    "Back" button works without problems                              | Y         | Y         | Y         | Y                | Y
    Custom login form (only password, or id+email, or ...)            | N         | Y         | Y         | Y                | Y
    Works with disabled cookies in browser                            | Y         | N         | Y         | Y                | Y
    Works with disabled JavaScript in browser                         | Y         | Y         | Y         | Y                | Y
    Does not affect search engine spiders                             | Y         | Y         | Y         | see below        | see below
    Does not affect page relevance on search engines                  | Y         | Y         | Y         | Y                | see below
    Session works automagically, i.e. no need for programmer/designer | Y         | Y         | N         | N                | Y
      to keep sessions in mind and do something dull like adding the  |           |           |           |                  |
      session id to all forms and links                               |           |           |           |                  |
    Relative links in HTML (<A HREF="../index.html">) don't affect    | Y         | Y         | N         | N                | Y
      the session                                                     |           |           |           |                  |

I'm sure I forgot some of the features, but I hope my idea is clear.

About some of these features:

Some details: at this time my sessions work this way:

  1. In the $ENV{DOCUMENT_ROOT} dir I create a directory named "-". In this directory I create 257 symlinks:
    "-" points to "../"
    "00" points to "./"
    "01" points to "./"
    ...................
    "ff" points to "./"
  2. When a NEW user requests something like /path/info.html my cgi returns to this user a redirect to /-/01/e4/33/97/-/path/info.html.
    This way (with symlinks) it works without mod_rewrite.
    This way all relative links inside info.html still work.
    And the session persists until the user clicks on a non-relative link.

Re: Tired of session/cookie problem
by ejf (Hermit) on Apr 25, 2002 at 13:54 UTC

    A nice table you have there :)

    It is worth noting, however, that your solution to "Protect against malicious user enter into someone else's active session" is spotty. Yes, you can mark in a database whether or not a browser supports cookies (or has them disabled or whatever), but if it HAS them disabled and the person using it is sending the URL to a friend, the session is now for two people. Basically, to work right in every instance, this system /needs/ cookies, and is therefore subject to the constraints for the cookie-based approach. It is also difficult to "just remember" an URL in this case; It is certainly easier to remember
    http://my.example.tld/credits.html
    than
    http://my.example.tld/th/is/is/a1/28/bi/tl/on/gn/um/be/r/credits.html
    ... Also, bookmarks made in different sessions now have completely different URLs, therefore the browser detection of duplicate bookmarks is useless.

    Maybe a system where cookie-based session-management is the standard and your system is optionally available (in case cookies are disabled) would be good; this does not solve your problem with multiple sessions in multiple windows. One way this could be achieved is to let the user decide at the login screen whether or not an additional session should be created; it really is not all that common that one single user will want to work on two accounts in the same browser; as your example points out, this functionality is most suited for the administrator. He could also just open another browser and be done with it.

    Ultimately, it all depends on the application you need this session management for. For most things, cookie-based authentication is sufficient (after all, many browsers now let the user decide which cookies to accept and which to drop), and for where it isn't, you can transparently exchange it with your scheme or even use a combination of both.

    Finally, I personally much prefer static-looking URLs (for remembering) and short paths (so that the whole url fits into the address-bar). But that's just me ;)

Re: Tired of session/cookie problem
by merlyn (Sage) on Apr 25, 2002 at 16:15 UTC
    mod_rewrite can do that same trick without the symlink hack and multiple levels. In fact, under Set Environment Variables According To URL Parts at the mod_rewrite guide, you'll see an example of how to extract a portion of the URL and insert it into a known ENV variable.

    -- Randal L. Schwartz, Perl hacker

      Something similar can be done with mod_perl and a PerlTransHandler. mod_perl Developer's Cookbook (ISBN 0672322404; almost got that memorized :), recipe 12.3.

Re: Tired of session/cookie problem
by drewbie (Chaplain) on Apr 25, 2002 at 13:58 UTC
    FYI, it is possible to use cookies w/ multiple, simultaneous sessions. It just has to be planned for. I implemented it at a previous job to prevent link sharing by just naming the cookie the session ID (which was <15 chars). Then the application checked the cookie(s) sent with the session ID in the URL, which was always present. So if sharing was disallowed and no/invalid cookie was present, the request was denied.
Re: Tired of session/cookie problem
by asdfgroup (Beadle) on Apr 25, 2002 at 13:53 UTC

    Powerman's post is very big and maybe a little unclear. So I'll try to formulate why we began to use these sessions and the advantages of them (and a bit about the realization):

    Several starting points:

    1) Sessions should work the lazy way, if possible magically, both for programmer and designer.

    2) Should allow a user to work in several windows with different session ids (e.g. Admin opens several wrapped Members' control centers).

    Why not use cookies?

    Main reason: many users have disabled cookies in IE, even session ones.

    And several minor reasons; for example, it would be impossible (ok, possible, but VERY UGLY and difficult) to open several different sessions in one browser simultaneously.

    So we chose to store the session in the PATH, in a form like www.host.com/session_id/some_path/my.cgi

    This allows saving the session_id between user requests in the user's URL and magically preserves the session_id in relative hyperlinks (e.g. a link like href="../other_path/own.cgi").

    Ok. Next question: how to deal with this on the Apache side?

    Straightforward solution: use mod_rewrite. Unfortunately some web hostings don't allow using mod_rewrite.

    The next solution looks very elegant, and we hadn't met it before. I mean using symlinks as Powerman describes (for example our directory is /www/somehost.com/htdocs/, so /www.somehost.com/htdocs/-/12/34/56/78/90/-/ will lead to /www/somehost.com/htdocs/ again).

    That's all about the idea. Now several words about the realization:

    We store users' data in a Session table (MySQL). In the .cgi the call

    %S = load_session();

    is made.

    This call

    1) reads the session info from $ENV{REQUEST_URI}

    2) executes new_session() if needed

    3) returns the Session data as a hash.
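    A sketch of the load_session() side of this scheme, added here as an example (it is not Powerman's or asdfgroup's code): it pulls the id out of $ENV{REQUEST_URI} in the /-/01/e4/33/97/-/path layout from the original post, checks it against known sessions, and builds the redirect for a new visitor. The $live hashref stands in for the MySQL Session table; the id length ($PAIRS) and the /dev/urandom source are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Layout from the post: /-/01/e4/33/97/-/path/info.html, i.e. $PAIRS hex pairs between
# the two "-" symlinks. 4 pairs = 32 bits, which is guessable; the same 257 symlinks
# serve a longer id, so raise $PAIRS in a real deployment.
my $PAIRS      = 4;
my $SESSION_RE = qr{^/-/((?:[0-9a-f]{2}/){$PAIRS})-(/.*)$};

# Split a REQUEST_URI into (session_id, real_path). Empty list if no session prefix.
sub parse_session_uri {
    my ($uri) = @_;
    $uri =~ s/\?.*//;                         # query string is not part of the path
    return unless $uri =~ $SESSION_RE;
    my ($pairs, $path) = ($1, $2);            # copy before any further match resets $1/$2
    (my $id = $pairs) =~ s{/}{}g;             # "01/e4/33/97/" -> "01e43397"
    return ($id, $path);
}

# Build the URL a fresh visitor is redirected to: new id in front of the path he asked for.
sub session_url {
    my ($id, $path) = @_;
    die "bad session id" unless $id =~ /^[0-9a-f]+$/ && length($id) == 2 * $PAIRS;
    return '/-/' . join('/', $id =~ /(..)/g) . '/-' . $path;
}

# Random id from the kernel CSPRNG, never from time() or $$ (predictable ids can be guessed).
sub new_session_id {
    open my $fh, '<', '/dev/urandom' or die "open /dev/urandom: $!";
    read($fh, my $bytes, $PAIRS) == $PAIRS or die "short read from /dev/urandom";
    close $fh;
    return unpack 'H*', $bytes;
}

# load_session(): $live is a hashref of known session ids (the Session table in the real thing).
# Returns a hash; 'redirect' is set when the id was missing, malformed or unknown and the
# caller must answer with a 302 instead of serving the page under a forged/stale id.
sub load_session {
    my ($uri, $live) = @_;
    my ($id, $path) = parse_session_uri($uri);
    return (id => $id, path => $path) if defined $id && $live->{$id};
    my $target = defined $path ? $path : $uri;    # keep what the user actually asked for
    $id = new_session_id();
    $live->{$id} = {};
    return (id => $id, path => $target, redirect => session_url($id, $target));
}

my %live = ('01e43397' => {});                    # constructed: one live session
my %s = load_session('/-/01/e4/33/97/-/path/info.html', \%live);
print "known session $s{id} for $s{path}\n";
%s = load_session('/path/info.html', \%live);     # new visitor: gets an id and a redirect
print "Location: $s{redirect}\n";
```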

Re: Tired of session/cookie problem
by perrin (Chancellor) on Apr 25, 2002 at 18:19 UTC
    Dude, just use the damn cookie. I know it's not perfect, but life's too short.
Filling my window...
by pdcawley (Hermit) on Apr 25, 2002 at 13:38 UTC
    Um... next time you do this, could you think about using the <readmore> tag? Please?
Re: Tired of session/cookie problem
by BUU (Prior) on Apr 25, 2002 at 12:52 UTC
    I'm slightly confused as to exactly how you get your idea to work automagically. Do you have like 255 folders between your document_root and the content? Would you mind explaining more please.
Re: Tired of session/cookie problem
by BUU (Prior) on Apr 25, 2002 at 14:05 UTC
    Just a thought, what about apache::session (I think that's what it's called)?