Notification:
- I have already read most (if not all) threads about sessions, including
most of the external links, so please do not reply with links to old threads.
- I have already done many web sites with different types of solutions for
persistent sessions, and this post is not a "how to do it" question
(which is why I post it in Meditations and not in SoPW).
- All text below assumes working with only one unique and safe session ID
calculated with MD5, with session timeouts on the server side, and so on...
The only question is: which way should the session ID be sent to the user?
The object of my meditation: to find the most flexible, protected and
simple-to-use solution and forget about this suxx forever. Insignificant,
admissible limitations for this solution are: non-portable (Unix only),
not secure against packet sniffing (that is a task for SSL). This solution
must not depend on mod_perl and mod_rewrite (these modules are not enabled
on many web hostings) but must work well with these modules.
The ideal solution must work automagically and not depend on the template
system used. Example of the interface to such a solution:
use POWER::Session;                 # hypothetical module name used in this post
my %userdata = load_session();      # finds the session id by itself and loads the stored data
...
if ($need_to_store_something) {
    $userdata{something} = $somevalue;
    save_session(%userdata);        # writes the data back under the same session id
}
The winning solution at this time uses mangled URLs and symlinks.
I have never seen solutions with symlinks before, so please meditate to find
weaknesses which I don't see right now and find solutions for already known
weaknesses.
Update: Now with readmore tag, thanx to pdcawley :)
The table below shows which features are required for an ideal solution. Legend:
- Param: means using <INPUT TYPE=HIDDEN NAME=id_sess VALUE="1234567890"> in forms and /path/script.cgi?id_sess=1234567890 in URLs.
- URL (after path): means using /path/script.cgi/1234567890
- URL (at root): means using /1234567890/path/script.cgi

| Feature/Method | BasicAuth | Cookie | Param | URL (after path) | URL (at root) |
|---|---|---|---|---|---|
| Sessions for anonymous (not logged in) users | N | Y | Y | Y | Y |
| Protect against a malicious user entering someone else's active session | see below | see below | see below | see below | see below |
| Possibility to have many simultaneous logins for the same user from different browsers/hosts | Y | Y | Y | Y | Y |
| Possibility to have different sessions in different browser windows (to allow many simultaneous logins, e.g. as ADMIN and as USER) | N | N | Y | Y | Y |
| "Open in New Window" works without problems | Y | Y | see below | see below | see below |
| "Back" button works without problems | Y | Y | Y | Y | Y |
| Custom login form (only password, or id+email, or ...) | N | Y | Y | Y | Y |
| Works with cookies disabled in the browser | Y | N | Y | Y | Y |
| Works with JavaScript disabled in the browser | Y | Y | Y | Y | Y |
| Does not affect search engine spiders | Y | Y | Y | see below | see below |
| Does not affect page relevance on search engines | Y | Y | Y | Y | see below |
| Sessions work automagically, i.e. the programmer/designer need not keep sessions in mind and do something dull like adding the session id to all forms and links | Y | Y | N | N | Y |
| Relative links in HTML (<A HREF="../index.html">) don't affect the session | Y | Y | N | N | Y |

I'm sure I forgot some features, but I hope my idea is clear.
About some of these features:
- Protect against a malicious user entering someone else's active session:
This is a very complicated task, and its realization depends on the method
used to send the session id to the user. I will explain how to solve it
only for my method (URL (at root)).
The only solution I see now is using cookies in addition to URL mangling. If the user's browser is cookie-enabled, this fact will be marked in the session database for the current session, and any request with this session id but without the correct cookie will run into a redirect to a new session and relogin. So the user can even send the current URL to a friend by email.
- "Open in New Window" works without problems:
Because these three methods support different sessions in different
browser windows, "Open in New Window" runs into duplicating one session
in two windows, and this may produce unpredictable results. The only way
I have found to solve this is to use JavaScript and any non-empty value for
window.name. Then JavaScript can test window.name, and if it is empty
(in a "New Window" window.name is of course empty) delete the session id from the URL.
But this solution is not simple and requires JavaScript.
- Does not affect search engine spiders:
These two methods require a redirect to set up the session id in the path.
I'm not sure about this, but some webmasters inform me about some
search engine spiders which don't follow redirects on added pages.
- Does not affect page relevance on search engines:
As far as I know, a URL like this one:
http://host.com/12/34/56/78/index.html will be indexed by search
engines with fewer relevance points than this one:
http://host.com/index.html. The only known solution for now is to
check $ENV{HTTP_USER_AGENT} and not use sessions for non-browsers
at all. Ugly.
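The cookie-binding check from the first feature above, written out in Perl as an added example (not the poster's code): the in-memory %db hash stands in for the session database, and new_session, check_session and random_hex are names I chose. Once a browser has returned the cookie token, the session is marked bound and a request that carries only the mangled URL is sent to relogin.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Random hex string from /dev/urandom (the post allows a Unix-only solution).
sub random_hex {
    my ($nbytes) = @_;
    open my $fh, '<', '/dev/urandom' or die "/dev/urandom: $!";
    read($fh, my $bytes, $nbytes) == $nbytes or die "short read";
    return unpack 'H*', $bytes;
}

# Start a session in $db (a plain hash here, a constructed stand-in for the
# real session database). The cookie token is independent of the URL sid;
# the caller sends it as Set-Cookie and puts the sid into the /-/xx/.../-/ path.
sub new_session {
    my ($db, $user, $now, $ttl) = @_;
    my $sid = random_hex(16);      # 32 hex chars, same length as the MD5 id the post assumes
    $db->{$sid} = { user => $user, token => random_hex(16),
                    expires => $now + $ttl, bound => 0 };
    return ($sid, $db->{$sid}{token});
}

# Classify a request that carries $sid in the URL and $cookie (the token, or
# undef when the browser sent none) in the Cookie header:
#   'new'     unknown or expired sid, start a fresh session
#   'relogin' the session is cookie-bound but this request lacks the right cookie,
#             which is what happens when the URL was copied to another browser
#   'ok'      accept; the first request that returns the token marks the session
#             bound, so from then on the URL alone is not enough
sub check_session {
    my ($db, $sid, $cookie, $now) = @_;
    my $s = $db->{$sid};
    return 'new' if !$s || $s->{expires} <= $now;
    if (defined $cookie) {
        return 'relogin' if $cookie ne $s->{token};   # cookie-capable browser, wrong token
        $s->{bound} = 1;
        return 'ok';
    }
    return $s->{bound} ? 'relogin' : 'ok';
}

unless (caller) {    # walk-through: no cookie yet, token returned, URL copied, unknown sid
    my %db;
    my ($sid, $tok) = new_session(\%db, 'alice', time, 1800);
    for my $req ([$sid, undef], [$sid, $tok], [$sid, undef], ['0' x 32, undef]) {
        printf "sid=%s cookie=%s => %s\n", $req->[0], $req->[1] // '-',
            check_session(\%db, $req->[0], $req->[1], time);
    }
}
```

A browser that never sends cookies keeps a URL-only session, which is exactly the gap the post accepts; a real store would also want the bind write to be atomic and the token comparison constant-time.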
Some details: at this time my sessions work this way:
- In the $ENV{DOCUMENT_ROOT} dir I create a directory named "-". In this
directory I create 257 symlinks:
"-" points to "../"
"00" points to "./"
"01" points to "./"
...................
"ff" points to "./"
- When a NEW user requests something like /path/info.html, my CGI returns
to this user a redirect to /-/01/e4/33/97/-/path/info.html.
This way (with symlinks) it works without mod_rewrite.
This way all relative links inside info.html still work,
and the session persists until the user clicks on a non-relative link.
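The symlink tree and the URL mangling just described, as an added Perl example (not the poster's code): make_session_tree, session_url and parse_session_path are names I chose, and the /tmp default document root in the walk-through is a constructed placeholder. The parser only accepts hex pairs between the two "-" segments, so no other part of the request path can end up in the session id.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Build DOCUMENT_ROOT/- with the 257 symlinks from the post: "-" -> "../"
# and "00".."ff" -> "./". Safe to rerun; links that already exist are kept.
sub make_session_tree {
    my ($docroot) = @_;
    my $dir = "$docroot/-";
    mkdir $dir or die "mkdir $dir: $!" unless -d $dir;
    for my $name ('-', map { sprintf '%02x', $_ } 0 .. 255) {
        my $link = "$dir/$name";
        next if -l $link;
        my $target = $name eq '-' ? '../' : './';
        symlink $target, $link or die "symlink $link: $!";
    }
    return $dir;
}

# Mangle a path for a session id (even-length lowercase hex), e.g.
# ('01e43397', '/path/info.html') -> '/-/01/e4/33/97/-/path/info.html'.
# Each hex pair is one symlink hop inside "-"; the closing "-" climbs back out.
sub session_url {
    my ($sid, $path) = @_;
    die "bad session id '$sid'" unless $sid =~ /\A(?:[0-9a-f]{2})+\z/;
    die "path must be absolute" unless $path =~ m{\A/};
    return '/-/' . join('/', $sid =~ /../g) . "/-$path";
}

# Reverse it for an incoming request: returns (session id, real path), or
# (undef, path) when the request carries no session prefix.
sub parse_session_path {
    my ($uri) = @_;
    if ($uri =~ m{\A/-((?:/[0-9a-f]{2})+)/-(/.*)\z}s) {
        (my $sid = $1) =~ s{/}{}g;
        return ($sid, $2);
    }
    return (undef, $uri);
}

unless (caller) {
    my $root = $ENV{DOCUMENT_ROOT} || '/tmp/docroot-example';   # constructed default
    mkdir $root unless -d $root;
    make_session_tree($root);
    my $url = session_url('01e43397', '/path/info.html');
    my ($sid, $path) = parse_session_path($url);
    print "$url -> sid=$sid path=$path\n";
}
```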