
Re: need help with sessions: msg#00078

java.enhydra.general

Subject: Re: need help with sessions

On Wed, 2002-11-27 at 14:49, Terry Steichen wrote:

Terry,

> I also patched Enhydra to move the session id from pathinfo to querystring.

FYI, I am just going back to Enhydra's original encoding of the session id
as "URL;jsessionid", since I found out during today's lengthy debugging
session that the query string in the ACTION parameter of a <FORM> tag is NOT
sent to the browser! Scary, isn't it? It's true for METHOD="GET" only,
but I have a bunch of those used in the app. The ";jsessionid" should be
more proven, hopefully. At least it's passed correctly in the FORM
ACTION.

Is there any known problem with the ";jsessionid" URL encoding?

> You ask how others do it - not sure I can answer because I'm not clear
> exactly what you're trying to do. If a given user opens another browser and
> authenticates as a different user, the fact that the original window now
> reflects that different identity doesn't seem to me to be a problem (since,
> to do this, the user must have access to both credentials to start with).

It is a very serious problem for me. For example, I log the activity of
the user - and suddenly the log contains info about the user's activity that
is impossible due to the security limits of that particular user. Obviously
it's because he's been logged in under a different name, but that's why it's
confusing and dangerous.

I need either to re-generate the cookie when I detect a new user is
logging in (which should be done by calling the deleteSession &
createSession pair - but it's unclear when it's safe to call them) or I
need to build a secondary session management running on top of the
cookie system (which I've been doing for the last two days - until I
realized that switching Enhydra to ENCODE_URL=ALWAYS results in the same
thing but without the problems with FORM ACTION parameters).

> As far as session information, if I understand your question correctly, the
> setUser() method is designed to simply associate a session with a given
> user. The details of that session are intended to be kept in the
> SessionData object that is also associated with the session.

Doesn't it look like two places for one thing? The session data can be
stored in the User class, right? Or wrong? What else must/might be in
the User class apart from the getName() method?

Another question: can there be two or more users logged in under the same
comms.session.user.getName() and still keep their session data
independent from each other?

I myself use the User class only to get the time part of Enhydra session
handling working (session idle time handling etc). All the user-related
data I keep in the SessionData, but now I am wondering why I don't simply
store all the data in the User class?

Petr
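An added example, not from Petr's or Terry's mail and not Enhydra's own code, of the regenerate-on-login step Petr asks about: it is written against the standard servlet HttpSession API (assumed here as the equivalent of Enhydra's deleteSession/createSession pair) and shows the point at which dropping the old session is safe, namely before the response is committed and after nothing else still needs the old object. The "returnTo" attribute and the "user" attribute name are assumptions for the illustration.

```java
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Regenerate the session whenever a user authenticates, so a second login in
// the same browser never inherits the previous identity's session id or its
// SessionData, and the activity log boundary between the two users is explicit.
public final class LoginSessionHandler {

    // Attributes safe to carry over from the pre-login session (assumed name:
    // the page the user originally requested). Everything else is discarded.
    private static final String[] CARRY_OVER = { "returnTo" };

    // Call this once credentials have been verified, before any output is
    // written, so the Set-Cookie for the new id can still reach the browser.
    public static HttpSession loginAs(HttpServletRequest request, String userName) {
        HttpSession old = request.getSession(false);
        Map<String, Object> keep = new HashMap<>();
        if (old != null) {
            String previous = (String) old.getAttribute("user");
            if (previous != null && !previous.equals(userName)) {
                // A different identity was active in this browser: record the
                // switch so later log entries are attributable to the right user.
                System.out.println("session " + old.getId() + " switched from "
                    + previous + " to " + userName);
            }
            for (String name : CARRY_OVER) {
                Object v = old.getAttribute(name);
                if (v != null) keep.put(name, v);
            }
            // Safe point to drop the old session: nothing reads 'old' after
            // this call (it would throw IllegalStateException if it did).
            old.invalidate();
        }
        HttpSession fresh = request.getSession(true);   // new id, empty data
        fresh.setAttribute("user", userName);
        for (Map.Entry<String, Object> e : keep.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }
}
```

Because the new id is issued only after authentication, a session id that a browser window obtained before login (whether from a cookie or a ";jsessionid" URL) is no longer valid afterwards, which is what keeps the two identities from sharing one session.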

