#1
    Hi,

    I have a kind of shopping cart on my web page - the user can log in with his name and password. Then I create a unique identifier for that user, save it on the server (I am using Perl and MySQL) and of course I somehow have to save this unique ID on the client's side, too. But I want to implement a solution without cookies, and I need a hint here: how is it done?
    BTW: security isn't very important.

    Thanks,
    Chris
  2. #2
    Originally posted by chr1701:
    > Then I create a unique identifier for that user, save it on the server (I am using Perl and MySQL) and of course I somehow have to save this unique ID on the client's side, too. But I want to implement a solution without cookies

    Presume that the session id you generate is 12345:

    Why not just add the session id to the URLs and hidden form fields? Then the user can do their business without cookies. The URLs could even have the session id as PATH_INFO, i.e.
    http://www.mydomain.com/script.cgi/12345?do_something

    Then you could fetch the session id from $ENV{PATH_INFO}

  4. #3
    Ah, I didn't know the PATH_INFO thing. Thanks!

    Right now I am doing what you suggested - appending the unique key to all links.

    <a href="index.cgi?UniqueKey=324234">

    This is not perfect - i.e. I wanted to have different cgi files like index.cgi, register.cgi, etc. If the user would type in the URL by hand while he's logged in, instead of clicking on a link, he'll lose his unique key.

    But I guess there's no way to avoid that...?
    (Well, I could use only one cgi file instead of many, or make the filenames unreadable, so that the user is no longer able to write it by hand...)

    Chris
  6. #4
    Originally posted by chr1701:
    > This is not perfect - i.e. I wanted to have different cgi files like index.cgi, register.cgi, etc. If the user would type in the URL by hand while he's logged in, instead of clicking on a link, he'll lose his unique key

    You can check for the session key when the script is invoked, and if one doesn't exist you assign one and redirect them to the same place. Here's a simple example using CGI.pm:

    use CGI qw/:html/;

    # Directory holding one file per active session
    # (placeholder path, not given in the post; adjust to your setup).
    my $SESSION_DIR = '/path/to/sessions';

    my $q = CGI->new;
    my $session_key = $q->path_info();
    $session_key =~ s|^/||; # get rid of the initial slash

    # If no valid session key has been provided, then we
    # generate one, tack it on to the end of our URL as
    # additional path information, and redirect the user
    # to this new location.
    unless ($session_key =~ m{^\d+$}) {
        $session_key = generate_session_key();
        print $q->redirect($q->url() . "/$session_key");
        exit 0;
    }

    # Pick a random number that is not already in use
    # as a file name in the session directory.
    sub generate_session_key {
        my $key;
        do {
            $key = int(rand(1000000));
        } until (! -e "$SESSION_DIR/$key");
        return $key;
    }

  8. #5
    Originally posted by vpopper:
    > You can check for the session key when the script is invoked, and if one doesn't exist you assign one and redirect them to the same place. Here's a simple example using CGI.pm:

    Hmmm... that's a good idea, but if the user's already logged in I will lose that info and he will have to log in again.

    When the user logs in I am saving the following information on the server side:
    - the username
    - the unique key
    - a timestamp when he logged in

    And when the user's logged in but then enters a URL by hand, and he therefore gets a new unique key, I don't know his username. He would have to enter it again.

    Chris
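
Added example, not part of the thread or any poster's code: a Perl version of the session check discussed above that draws the key from /dev/urandom instead of rand() and looks up the record from post #5 (username, unique key, login timestamp) before trusting a PATH_INFO value. The in-memory %SESSIONS hash, the 30-minute lifetime and the sample username are assumptions standing in for the MySQL table.

```perl
use strict;
use warnings;

# Constructed in-memory store; the thread keeps these fields
# (username, unique key, login timestamp) in MySQL.
my %SESSIONS;
my $MAX_AGE = 30 * 60;    # assumed session lifetime in seconds

# Draw 16 bytes from the kernel CSPRNG and hex-encode them. A six-digit
# rand() value has only 1,000,000 possibilities and rand() is not a
# cryptographic generator, so it is unsuitable for a login token.
sub generate_session_key {
    open(my $fh, '<:raw', '/dev/urandom') or die "urandom: $!";
    my $got = read($fh, my $bytes, 16);
    close($fh);
    die "short read from /dev/urandom" unless defined $got && $got == 16;
    return unpack('H*', $bytes);    # 32 lowercase hex characters
}

# Record a successful login and return the key to embed in links.
sub create_session {
    my ($username, $now) = @_;
    my $key = generate_session_key();
    $SESSIONS{$key} = { username => $username, login_time => $now };
    return $key;
}

# Accept only "/<32 hex chars>" as PATH_INFO. Returns the username, or
# undef when the key is missing, malformed, unknown or expired.
sub lookup_session {
    my ($path_info, $now) = @_;
    return undef unless defined $path_info;
    my ($key) = $path_info =~ m{\A/([0-9a-f]{32})\z} or return undef;
    my $session = $SESSIONS{$key} or return undef;
    if ($now - $session->{login_time} > $MAX_AGE) {
        delete $SESSIONS{$key};     # expired: drop the server-side record
        return undef;
    }
    return $session->{username};
}

# Constructed sample run.
my $t0  = time;
my $key = create_session('chris', $t0);
print "valid:     ", lookup_session("/$key", $t0 + 60) // 'login required', "\n";
print "malformed: ", lookup_session('/12345', $t0 + 60) // 'login required', "\n";
print "expired:   ", lookup_session("/$key", $t0 + $MAX_AGE + 1) // 'login required', "\n";
```

A key carried in the URL also ends up in browser history, proxy and server logs, and Referer headers sent to linked sites, which is why the lookup enforces a server-side lifetime.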

