in reply to Re: Re: Re: Re: Session identification (was: Game).
in thread Game.

and if they go back 3 pages and do something different so that they are using the session ID from 3 requests ago, are they just out of luck?

or, to be a little more explicit,
action                                   | sends session_ID
user comes to site                       | n/a
server serves main page                  | n/a
user logs in                             | n/a
server shows logged-in page              | 123
user requests page 52                    | 123
server gives page 52                     | 456
user requests page 52-c                  | 456
server gives page 52-c                   | 135
user requests page 52-f                  | 135
server gives page 52-f                   | 237
user hits "back" to go back to login screen and requests page 38 | 123
server was expecting 237 ... what does it do??

this case, and others like it, make me think this method is unworkable. but maybe you see it differently; maybe i'm overlooking something, or maybe you just are willing to do more work than i am. but if it will continue to accept old session_ID's, then why bother changing them? and if it won't, i think a lot of people are going to be upset at the inability to "back".

Re: Re: Re: Re: Re: Re: Session identification (was: Game).
by jepri (Parson) on Jun 06, 2001 at 13:21 UTC
    Yes, that's why it's annoying. Well spotted. Use SSL instead.

    This system was common at one point in time - it's not so bad, you just have to use the navigation buttons the site provides.

    ____________________
    Jeremy
    I didn't believe in evil until I dated it.
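
The trade-off raised in this thread, as an added example that is not part of any poster's message: a minimal in-memory model of the rotating session_ID scheme, replaying the trace from the question under both policies. The class and function names, the `accept_old` switch, and the choice to leave server state untouched when a request is rejected are assumptions made for illustration.

```python
import hmac
import secrets


class RotatingSessions:
    """Server side of the per-request session_ID scheme traced in the thread."""

    def __init__(self, accept_old):
        self.accept_old = accept_old  # hypothetical policy switch
        self.current = {}             # user -> the single ID expected next
        self.retired = {}             # user -> IDs that were already used

    def login(self, user):
        self.current[user] = secrets.token_hex(8)
        self.retired[user] = set()
        return self.current[user]

    def request(self, user, sid):
        """Return (accepted, next_sid); every accepted request rotates the ID."""
        expected = self.current.get(user)
        if expected is None:
            return False, None
        fresh = hmac.compare_digest(sid, expected)
        stale = sid in self.retired[user]
        if not (fresh or (self.accept_old and stale)):
            return False, None        # state untouched: the newest ID still works
        self.retired[user].add(expected)
        self.current[user] = secrets.token_hex(8)
        return True, self.current[user]


def back_button_trace(accept_old):
    """Replay the thread's trace: log in, browse three pages, then go "back"."""
    server = RotatingSessions(accept_old)
    first = sid = server.login("user")           # ID sent with the logged-in page
    for _page in ("52", "52-c", "52-f"):
        ok, sid = server.request("user", sid)
        assert ok
    # The browser re-sends the ID embedded in the old page. A captured ID
    # replayed by someone else is byte-for-byte the same request.
    back_ok, _ = server.request("user", first)
    latest_ok, _ = server.request("user", sid)   # ID from the newest page
    return {"old_id_accepted": back_ok, "newest_id_accepted": latest_ok}


if __name__ == "__main__":
    print("strict :", back_button_trace(accept_old=False))
    print("lenient:", back_button_trace(accept_old=True))
```

Under the strict policy the "back" request fails while the newest page's ID keeps working, which matches the advice to use the site's own navigation; under the lenient policy every retired ID stays valid, so rotation no longer limits replay.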