Session ID lurks in urls

classic Classic list List threaded Threaded
7 messages Options
Reply | Threaded
Open this post in threaded view
|

Session ID lurks in urls

Patrick Larkin-2
Hi -

I'm trying to track down the cause of this problem but perhaps this is just the way it is.

On every page of the site loaded via include I have something like this:

    Session_start( -Name='MySession', -Expires='5', -UseAuto);

I used -UseAuto because I don't want the session id to be in the URL.  The session id never appears in the URL as I navigate the site.  I go to our login page and I log in.  The login page ends the empty session I  had and creates a new one filled with goodies.  As I navigate the site post-login, there still are not session ids in the URLs.  Perfect.  But then I log out using a simple script containing:

    [session_end: -Name='MySession']
    [redirect_url: '/staff/']  

When the logout executes and I end up on the redirected page, ALL the URLs linked on that page have session ids but just for one click, then they all go away again.  

Thanks...

Patrick
#############################################################
This message is sent to you because you are subscribed to
  the mailing list Lasso
[hidden email]
To unsubscribe, E-mail to: <[hidden email]>
Send administrative queries to  <[hidden email]>
Reply | Threaded
Open this post in threaded view
|

Re: Session ID lurks in urls

Jonathan Guthrie-3
What you want is the -usecookie flag instead.

http://www.lassosoft.com/lassoDocs/languageReference/obj/Session_Start?v=8

Jono

On 2013-01-25, at 11:28 PM, Patrick Larkin <[hidden email]> wrote:

> Hi -
>
> I'm trying to track down the cause of this problem but perhaps this is just the way it is.
>
> On every page of the site loaded via include I have something like this:
>
>    Session_start( -Name='MySession', -Expires='5', -UseAuto);
>
> I used -UseAuto because I don't want the session id to be in the URL.  The session id never appears in the URL as I navigate the site.  I go to our login page and I log in.  The login page ends the empty session I  had and creates a new one filled with goodies.  As I navigate the site post-login, there still are not session ids in the URLs.  Perfect.  But then I log out using a simple script containing:
>
>    [session_end: -Name='MySession']
>    [redirect_url: '/staff/']  
>
> When the logout executes and I end up on the redirected page, ALL the URLs linked on that page have session ids but just for one click, then they all go away again.  
>
> Thanks...
>
> Patrick
> #############################################################
> This message is sent to you because you are subscribed to
>  the mailing list Lasso
> [hidden email]
> To unsubscribe, E-mail to: <[hidden email]>
> Send administrative queries to  <[hidden email]>


#############################################################
This message is sent to you because you are subscribed to
  the mailing list Lasso
[hidden email]
To unsubscribe, E-mail to: <[hidden email]>
Send administrative queries to  <[hidden email]>
Reply | Threaded
Open this post in threaded view
|

Re: Session ID lurks in urls

Patrick Larkin-2
And if cookies are turned off?  

Is what I'm experiencing inevitable or am I doing something wrong?



On Jan 25, 2013, at 11:33 PM, Jonathan Guthrie wrote:

> What you want is the -usecookie flag instead.
>
> http://www.lassosoft.com/lassoDocs/languageReference/obj/Session_Start?v=8
>
> Jono
>
> On 2013-01-25, at 11:28 PM, Patrick Larkin <[hidden email]> wrote:
>
>> Hi -
>>
>> I'm trying to track down the cause of this problem but perhaps this is just the way it is.
>>
>> On every page of the site loaded via include I have something like this:
>>
>>   Session_start( -Name='MySession', -Expires='5', -UseAuto);
>>
>> I used -UseAuto because I don't want the session id to be in the URL.  The session id never appears in the URL as I navigate the site.  I go to our login page and I log in.  The login page ends the empty session I  had and creates a new one filled with goodies.  As I navigate the site post-login, there still are not session ids in the URLs.  Perfect.  But then I log out using a simple script containing:
>>
>>   [session_end: -Name='MySession']
>>   [redirect_url: '/staff/']  
>>
>> When the logout executes and I end up on the redirected page, ALL the URLs linked on that page have session ids but just for one click, then they all go away again.  
>>
>> Thanks...
>>
>> Patrick
>> #############################################################
>> This message is sent to you because you are subscribed to
>> the mailing list Lasso
>> [hidden email]
>> To unsubscribe, E-mail to: <[hidden email]>
>> Send administrative queries to  <[hidden email]>
>
>
> #############################################################
> This message is sent to you because you are subscribed to
>  the mailing list Lasso
> [hidden email]
> To unsubscribe, E-mail to: <[hidden email]>
> Send administrative queries to  <[hidden email]>

#############################################################
This message is sent to you because you are subscribed to
  the mailing list Lasso
[hidden email]
To unsubscribe, E-mail to: <[hidden email]>
Send administrative queries to  <[hidden email]>
Reply | Threaded
Open this post in threaded view
|

Re: Session ID lurks in urls

Bil Corry-3
Then users won't have a valid session.  If your app requires one, you'll have to display an error that cookies are required to use the site.


- Bil

On Jan 26, 2013, at 5:53 AM, Patrick Larkin <[hidden email]> wrote:

> And if cookies are turned off?  
>
> Is what I'm experiencing inevitable or am I doing something wrong?
>
>
>
> On Jan 25, 2013, at 11:33 PM, Jonathan Guthrie wrote:
>
>> What you want is the -usecookie flag instead.
>>
>> http://www.lassosoft.com/lassoDocs/languageReference/obj/Session_Start?v=8
>>
>> Jono
>>
>> On 2013-01-25, at 11:28 PM, Patrick Larkin <[hidden email]> wrote:
>>
>>> Hi -
>>>
>>> I'm trying to track down the cause of this problem but perhaps this is just the way it is.
>>>
>>> On every page of the site loaded via include I have something like this:
>>>
>>>  Session_start( -Name='MySession', -Expires='5', -UseAuto);
>>>
>>> I used -UseAuto because I don't want the session id to be in the URL.  The session id never appears in the URL as I navigate the site.  I go to our login page and I log in.  The login page ends the empty session I  had and creates a new one filled with goodies.  As I navigate the site post-login, there still are not session ids in the URLs.  Perfect.  But then I log out using a simple script containing:
>>>
>>>  [session_end: -Name='MySession']
>>>  [redirect_url: '/staff/']  
>>>
>>> When the logout executes and I end up on the redirected page, ALL the URLs linked on that page have session ids but just for one click, then they all go away again.  
>>>
>>> Thanks...
>>>
>>> Patrick
>>> #############################################################
>>> This message is sent to you because you are subscribed to
>>> the mailing list Lasso
>>> [hidden email]
>>> To unsubscribe, E-mail to: <[hidden email]>
>>> Send administrative queries to  <[hidden email]>
>>
>>
>> #############################################################
>> This message is sent to you because you are subscribed to
>> the mailing list Lasso
>> [hidden email]
>> To unsubscribe, E-mail to: <[hidden email]>
>> Send administrative queries to  <[hidden email]>
>
> #############################################################
> This message is sent to you because you are subscribed to
>  the mailing list Lasso
> [hidden email]
> To unsubscribe, E-mail to: <[hidden email]>
> Send administrative queries to  <[hidden email]>
#############################################################
This message is sent to you because you are subscribed to
  the mailing list Lasso
[hidden email]
To unsubscribe, E-mail to: <[hidden email]>
Send administrative queries to  <[hidden email]>
Reply | Threaded
Open this post in threaded view
|

Re: Session ID lurks in urls

Jonathan Guthrie-3
In reply to this post by Patrick Larkin-2
If cookies are tuned off then you won't have a session unless you -useauto.

Jono

On 2013-01-25, at 11:53 PM, Patrick Larkin <[hidden email]> wrote:

> And if cookies are turned off?  
>
> Is what I'm experiencing inevitable or am I doing something wrong?
>
>
>
> On Jan 25, 2013, at 11:33 PM, Jonathan Guthrie wrote:
>
>> What you want is the -usecookie flag instead.
>>
>> http://www.lassosoft.com/lassoDocs/languageReference/obj/Session_Start?v=8
>>
>> Jono
>>
>> On 2013-01-25, at 11:28 PM, Patrick Larkin <[hidden email]> wrote:
>>
>>> Hi -
>>>
>>> I'm trying to track down the cause of this problem but perhaps this is just the way it is.
>>>
>>> On every page of the site loaded via include I have something like this:
>>>
>>>  Session_start( -Name='MySession', -Expires='5', -UseAuto);
>>>
>>> I used -UseAuto because I don't want the session id to be in the URL.  The session id never appears in the URL as I navigate the site.  I go to our login page and I log in.  The login page ends the empty session I  had and creates a new one filled with goodies.  As I navigate the site post-login, there still are not session ids in the URLs.  Perfect.  But then I log out using a simple script containing:
>>>
>>>  [session_end: -Name='MySession']
>>>  [redirect_url: '/staff/']  
>>>
>>> When the logout executes and I end up on the redirected page, ALL the URLs linked on that page have session ids but just for one click, then they all go away again.  
>>>
>>> Thanks...
>>>
>>> Patrick
>>> #############################################################
>>> This message is sent to you because you are subscribed to
>>> the mailing list Lasso
>>> [hidden email]
>>> To unsubscribe, E-mail to: <[hidden email]>
>>> Send administrative queries to  <[hidden email]>
>>
>>
>> #############################################################
>> This message is sent to you because you are subscribed to
>> the mailing list Lasso
>> [hidden email]
>> To unsubscribe, E-mail to: <[hidden email]>
>> Send administrative queries to  <[hidden email]>
>
> #############################################################
> This message is sent to you because you are subscribed to
>  the mailing list Lasso
> [hidden email]
> To unsubscribe, E-mail to: <[hidden email]>
> Send administrative queries to  <[hidden email]>
#############################################################
This message is sent to you because you are subscribed to
  the mailing list Lasso
[hidden email]
To unsubscribe, E-mail to: <[hidden email]>
Send administrative queries to  <[hidden email]>
Reply | Threaded
Open this post in threaded view
|

Re: Session ID lurks in urls

Patrick Larkin-2
In reply to this post by Bil Corry-3
Which is why I'm using -useauto.

I'm just wondering about my situation where the I'd is shown but just in one scenario.

Sent from my iPad

On Jan 26, 2013, at 12:06 AM, Bil Corry <[hidden email]> wrote:

> Then users won't have a valid session.  If your app requires one, you'll have to display an error that cookies are required to use the site.
>
>
> - Bil
>
> On Jan 26, 2013, at 5:53 AM, Patrick Larkin <[hidden email]> wrote:
>
>> And if cookies are turned off?  
>>
>> Is what I'm experiencing inevitable or am I doing something wrong?
>>
>>
>>
>> On Jan 25, 2013, at 11:33 PM, Jonathan Guthrie wrote:
>>
>>> What you want is the -usecookie flag instead.
>>>
>>> http://www.lassosoft.com/lassoDocs/languageReference/obj/Session_Start?v=8
>>>
>>> Jono
>>>
>>> On 2013-01-25, at 11:28 PM, Patrick Larkin <[hidden email]> wrote:
>>>
>>>> Hi -
>>>>
>>>> I'm trying to track down the cause of this problem but perhaps this is just the way it is.
>>>>
>>>> On every page of the site loaded via include I have something like this:
>>>>
>>>> Session_start( -Name='MySession', -Expires='5', -UseAuto);
>>>>
>>>> I used -UseAuto because I don't want the session id to be in the URL.  The session id never appears in the URL as I navigate the site.  I go to our login page and I log in.  The login page ends the empty session I  had and creates a new one filled with goodies.  As I navigate the site post-login, there still are not session ids in the URLs.  Perfect.  But then I log out using a simple script containing:
>>>>
>>>> [session_end: -Name='MySession']
>>>> [redirect_url: '/staff/']  
>>>>
>>>> When the logout executes and I end up on the redirected page, ALL the URLs linked on that page have session ids but just for one click, then they all go away again.  
>>>>
>>>> Thanks...
>>>>
>>>> Patrick
>>>> #############################################################
>>>> This message is sent to you because you are subscribed to
>>>> the mailing list Lasso
>>>> [hidden email]
>>>> To unsubscribe, E-mail to: <[hidden email]>
>>>> Send administrative queries to  <[hidden email]>
>>>
>>>
>>> #############################################################
>>> This message is sent to you because you are subscribed to
>>> the mailing list Lasso
>>> [hidden email]
>>> To unsubscribe, E-mail to: <[hidden email]>
>>> Send administrative queries to  <[hidden email]>
>>
>> #############################################################
>> This message is sent to you because you are subscribed to
>> the mailing list Lasso
>> [hidden email]
>> To unsubscribe, E-mail to: <[hidden email]>
>> Send administrative queries to  <[hidden email]>
> #############################################################
> This message is sent to you because you are subscribed to
>  the mailing list Lasso
> [hidden email]
> To unsubscribe, E-mail to: <[hidden email]>
> Send administrative queries to  <[hidden email]>
#############################################################
This message is sent to you because you are subscribed to
  the mailing list Lasso
[hidden email]
To unsubscribe, E-mail to: <[hidden email]>
Send administrative queries to  <[hidden email]>
Reply | Threaded
Open this post in threaded view
|

Re: Session ID lurks in urls

Jolle Carlestam-3
26 jan 2013 kl. 15:37 skrev Patrick Larkin <[hidden email]>:

> Which is why I'm using -useauto.
>
> I'm just wondering about my situation where the I'd is shown but just in one scenario.

UseAuto means that Lasso will decorate all URLs on a page the first time the session is created. If it then receives a cookie on the following calls it will use the cookie but if no cookie is present it will continue to decorate the URLs. Just the way you want it.

What happens for you is that you terminate one session and start another. This new session knows nothing about the old sessions cookie and thus starts the procedure over again, decorating the URL when first created. Sessions are not aware of other sessions created for the same visitor. It can only keep track of itself.

HDB
Jolle
#############################################################
This message is sent to you because you are subscribed to
  the mailing list Lasso
[hidden email]
To unsubscribe, E-mail to: <[hidden email]>
Send administrative queries to  <[hidden email]>