<html>
<head>
<title>Apache::ASP::Sessions</title>
<style type="text/css">
<!--
td { font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 14px}
font { font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 14px}
.title { font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 16px}
-->
</style>
</head>
<body bgcolor=black link=#063678 alink=#ff5599 vlink=#993399
marginheight=0 marginwidth=0 leftMargin=0 topMargin=0>
<center>
<table border=0 cellpadding=0 width=99% cellspacing=8>
<tr><td align=center>
<table border=0 cellpadding=3 width=100% cellspacing=0>
<tr bgcolor=#063678>
<td>
<table border=0 cellpadding=1 cellspacing=0 width=100%>
<tr>
<td><img border=0 src=asptitlelogo.gif alt="Apache::ASP" width=267 height=44 ></td>
<td align=right></td>
</tr>
</table>
</td>
</tr>
<tr>
<td bgcolor=#005196 align=center>
<b>
<font color=#ffffff><% Web Applications with Apache & mod_perl %></font>
</b>
</td>
</tr>
</table>
<table border=0 cellpadding=10 cellspacing=0 width=100% bgcolor=#005196>
<tr>
<td valign=top width=120 bgcolor=#005196>
<table cellpadding=5 cellspacing=0 border=1 bgcolor=white><tr><td>
<table border=0 cellpadding=0 cellspacing=0 width=105 bgcolor=white>
<tr>
<td bgcolor=white><font size=-2 face="verdana" color=#993399><b><nobr> </nobr></b></font></td>
<td bgcolor=white ><font face="verdana,helvetica" size=-1><b><nobr><a href="index.html" style="text-decoration:none"><font color=#063678>INTRO</font></a></nobr></b></font></td>
</tr>
<tr>
<td bgcolor=white><font size=-2 face="verdana" color=#993399><b><nobr> </nobr></b></font></td>
<td bgcolor=white ><font face="verdana,helvetica" size=-1><b><nobr><a href="install.html" style="text-decoration:none"><font color=#063678>INSTALL</font></a></nobr></b></font></td>
</tr>
<tr>
<td bgcolor=white><font size=-2 face="verdana" color=#993399><b><nobr> </nobr></b></font></td>
<td bgcolor=white ><font face="verdana,helvetica" size=-1><b><nobr><a href="config.html" style="text-decoration:none"><font color=#063678>CONFIG</font></a></nobr></b></font></td>
</tr>
<tr>
<td bgcolor=white><font size=-2 face="verdana" color=#993399><b><nobr> </nobr></b></font></td>
<td bgcolor=white ><font face="verdana,helvetica" size=-1><b><nobr><a href="syntax.html" style="text-decoration:none"><font color=#063678>SYNTAX</font></a></nobr></b></font></td>
</tr>
<tr>
<td bgcolor=white><font size=-2 face="verdana" color=#993399><b><nobr> </nobr></b></font></td>
<td bgcolor=white ><font face="verdana,helvetica" size=-1><b><nobr><a href="events.html" style="text-decoration:none"><font color=#063678>EVENTS</font></a></nobr></b></font></td>
</tr>
<tr>
<td bgcolor=white><font size=-2 face="verdana" color=#993399><b><nobr> </nobr></b></font></td>
<td bgcolor=white ><font face="verdana,helvetica" size=-1><b><nobr><a href="objects.html" style="text-decoration:none"><font color=#063678>OBJECTS</font></a></nobr></b></font></td>
</tr>
<tr>
<td bgcolor=white><font size=-2 face="verdana" color=#993399><b><nobr> </nobr></b></font></td>
<td bgcolor=white ><font face="verdana,helvetica" size=-1><b><nobr><a href="ssi.html" style="text-decoration:none"><font color=#063678>SSI</font></a></nobr></b></font></td>
</tr>
<tr>
<td bgcolor=white><font size=-2 face="verdana" color=#993399><b><nobr>%</nobr></b></font></td>
<td bgcolor=white ><font face="verdana,helvetica" size=-1><b><nobr><font color=#993399>SESSIONS</font></nobr></b></font></td>
</tr>
<tr>
<td bgcolor=white><font size=-2 face="verdana" color=#993399><b><nobr> </nobr></b></font></td>
<td bgcolor=white ><font face="verdana,helvetica" size=-1><b><nobr><a href="xml.html" style="text-decoration:none"><font color=#063678>XML/XSLT</font></a></nobr></b></font></td>
</tr>
<tr>
<td bgcolor=white><font size=-2 face="verdana" color=#993399><b><nobr> </nobr></b></font></td>
<td bgcolor=white ><font face="verdana,helvetica" size=-1><b><nobr><a href="cgi.html" style="text-decoration:none"><font color=#063678>CGI</font></a></nobr></b></font></td>
</tr>
<tr>
<td bgcolor=white><font size=-2 face="verdana" color=#993399><b><nobr> </nobr></b></font></td>
<td bgcolor=white ><font face="verdana,helvetica" size=-1><b><nobr><a href="perlscript.html" style="text-decoration:none"><font color=#063678>PERLSCRIPT</font></a></nobr></b></font></td>
</tr>
<tr>
<td bgcolor=white><font size=-2 face="verdana" color=#993399><b><nobr> </nobr></b></font></td>
<td bgcolor=white ><font face="verdana,helvetica" size=-1><b><nobr><a href="style.html" style="text-decoration:none"><font color=#063678>STYLE GUIDE</font></a></nobr></b></font></td>
</tr>
<tr>
<td bgcolor=white><font size=-2 face="verdana" color=#993399><b><nobr> </nobr></b></font></td>
<td bgcolor=white ><font face="verdana,helvetica" size=-1><b><nobr><a href="faq.html" style="text-decoration:none"><font color=#063678>FAQ</font></a></nobr></b></font></td>
</tr>
<tr>
<td bgcolor=white><font size=-2 face="verdana" color=#993399><b><nobr> </nobr></b></font></td>
<td bgcolor=white ><font face="verdana,helvetica" size=-1><b><nobr><a href="tuning.html" style="text-decoration:none"><font color=#063678>TUNING</font></a></nobr></b></font></td>
</tr>
<tr>
<td bgcolor=white><font size=-2 face="verdana" color=#993399><b><nobr> </nobr></b></font></td>
<td bgcolor=white ><font face="verdana,helvetica" size=-1><b><nobr><a href="kudos.html" style="text-decoration:none"><font color=#063678>CREDITS</font></a></nobr></b></font></td>
</tr>
<tr>
<td bgcolor=white><font size=-2 face="verdana" color=#993399><b><nobr> </nobr></b></font></td>
<td bgcolor=white ><font face="verdana,helvetica" size=-1><b><nobr><a href="support.html" style="text-decoration:none"><font color=#063678>SUPPORT</font></a></nobr></b></font></td>
</tr>
<tr>
<td bgcolor=white><font size=-2 face="verdana" color=#993399><b><nobr> </nobr></b></font></td>
<td bgcolor=white ><font face="verdana,helvetica" size=-1><b><nobr><a href="sites.html" style="text-decoration:none"><font color=#063678>SITES USING</font></a></nobr></b></font></td>
</tr>
<tr>
<td bgcolor=white><font size=-2 face="verdana" color=#993399><b><nobr> </nobr></b></font></td>
<td bgcolor=white ><font face="verdana,helvetica" size=-1><b><nobr><a href="testimonials.html" style="text-decoration:none"><font color=#063678>TESTIMONIALS</font></a></nobr></b></font></td>
</tr>
<tr>
<td bgcolor=white><font size=-2 face="verdana" color=#993399><b><nobr> </nobr></b></font></td>
<td bgcolor=white ><font face="verdana,helvetica" size=-1><b><nobr><a href="resources.html" style="text-decoration:none"><font color=#063678>RESOURCES</font></a></nobr></b></font></td>
</tr>
<tr>
<td bgcolor=white><font size=-2 face="verdana" color=#993399><b><nobr> </nobr></b></font></td>
<td bgcolor=white ><font face="verdana,helvetica" size=-1><b><nobr><a href="todo.html" style="text-decoration:none"><font color=#063678>TODO</font></a></nobr></b></font></td>
</tr>
<tr>
<td bgcolor=white><font size=-2 face="verdana" color=#993399><b><nobr> </nobr></b></font></td>
<td bgcolor=white ><font face="verdana,helvetica" size=-1><b><nobr><a href="changes.html" style="text-decoration:none"><font color=#063678>CHANGES</font></a></nobr></b></font></td>
</tr>
<tr>
<td bgcolor=white><font size=-2 face="verdana" color=#993399><b><nobr> </nobr></b></font></td>
<td bgcolor=white ><font face="verdana,helvetica" size=-1><b><nobr><a href="license.html" style="text-decoration:none"><font color=#063678>LICENSE</font></a></nobr></b></font></td>
</tr>
<tr><td colspan=2><hr size=1></td></tr>
<tr>
<td bgcolor=white><font size=-2 face="verdana" color=#993399><b><nobr> </nobr></b></font></td>
<td bgcolor=white ><font face="verdana,helvetica" size=-1><b><nobr><a href="eg/index.html" style="text-decoration:none"><font color=#063678>EXAMPLES</font></a></nobr></b></font></td>
</tr>
</table>
</td></tr>
</table>
<br>
<center>
<a href=http://www.apache-asp.org/><img src="powered_by_apache_asp.jpg" width="88" height="31" alt="Powered by Apache::ASP" border="0"></a>
<br>
<a href=http://perl.apache.org><img src="powered_by_modperl.gif" width="88" height="31" alt="Powered by ModPerl and Apache" border="0"></a>
<br>
<a href=http://www.perl.com><img src="rectangle_power_perl.gif" width="88" height="31" alt="Powered by Perl" border="0"></a>
</center>
</center>
</td>
<td valign=top bgcolor=white>
<font size=+0 face=verdana,arial>
<font face=verdana><font class=title size=+1 color=#555555><b>SESSIONS</b></font>
<font face="courier new" size=3><pre>
</pre></font>Cookies are used by default for user $Session support ( see <a href=objects.html><font size=-1 face=verdana><b>OBJECTS</b></font></a> ).
In order to track a web user and associate server side data
with that client, the web server sets, and the web client returns
a 32 byte session id identifier cookie. This implementation
is very secure and may be used in secure HTTPS transactions,
and made stronger with SecureSession and ParanoidSession
settings (see <a href=config.html><font size=-1 face=verdana><b>CONFIG</b></font></a> ).
<font face="courier new" size=3><pre>
</pre></font>However good cookies are for this kind of persistent
state management between HTTP requests, they have long
been under fire for security risks associated with
JavaScript security exploits and privacy abuse by
large data tracking companies.
<font face="courier new" size=3><pre>
</pre></font>Because of these reasons, web users will sometimes turn off
their cookies, rendering normal ASP session implementations
powerless, resulting in a new $Session generated every request.
This is not good for ASP style sessions.</font>
<p>
<a name=Cookieless%20Sf057c84c></a>
<font face=verdana><font class=title size=+0 color=#555555><b>Cookieless Sessions</b></font>
<font face="courier new" size=3><pre>
*** See WARNING Below ***
</pre></font>So we now have more ways to track sessions with the
SessionQuery* <a href=config.html><font size=-1 face=verdana><b>CONFIG</b></font></a> settings, that allow a web developer
to embed the session id in URL query strings when use
of cookies is denied. The implementations work such that
if a user has cookies turned on, then cookies will be
used, but for those users with cookies turned off,
the session ids will be parsed into document URLs.
<font face="courier new" size=3><pre>
</pre></font>The first and easiest method that a web developer may use
to implement cookieless sessions are with SessionQueryParse*
directives which enable Apache::ASP to the parse the session id
into document URLs on the fly. Because this is resource
inefficient, there is also the SessionQuery* directives
that may be used with the $Server->URL($url,\%params) method to
generate custom URLs with the session id in its query string.
<font face="courier new" size=3><pre>
</pre></font>To see an example of these cookieless sessions in action,
check out the <a href=eg/session_query_parse.asp>./site/eg/session_query_parse.asp</a> example.
<font face="courier new" size=3><pre>
*** WARNING ***
</pre></font>If you do use these methods, then be VERY CAREFUL
of linking offsite from a page that was accessed with a
session id in a query string. This is because this session
id will show up in the HTTP_REFERER logs of the linked to
site, and a malicious hacker could use this information to
compromise the security of your site's $Sessions, even if
these are run under a secure web server.
<font face="courier new" size=3><pre>
</pre></font>In order to shake a session id off an HTTP_REFERER for a link
taking a user offsite, you must point that link to a redirect
page that will redirect a user, like so:
<font face="courier new" size=3><pre>
<%
# "cross site scripting bug" prevention
my $sanitized_url =
$Server->HTMLEncode($Response->QueryString('OffSiteUrl'));
%>
<html>
<head>
<meta http-equiv=refresh content='0;URL=<%=$sanitized_url%>'>
</head>
<body>
Redirecting you offsite to
<a href=<%=$sanitized_url%> >here</a>...
</body>
</html>
</pre></font>Because the web browser visits a real page before being redirected
with the <meta> tag, the HTTP_REFERER will be set to this page.
Just be sure to not link to this page with a session id in its
query string.
<font face="courier new" size=3><pre>
</pre></font>Unfortunately a simple $Response->Redirect() will not work here,
because the web browser will keep the HTTP_REFERER of the
original web page if only a normal redirect is used.</font>
</font>
</td>
<td bgcolor=white valign=top>
</td>
</tr>
<tr bgcolor=#063678>
<td colspan=3 align=center width=80%>
<font face=verdana color=white size=-1>
Copyright © 1998-2008,
<a href=http://www.chamas.com><font color=white>Chamas Enterprises Inc.</font></a>
</font>
</td>
</tr>
</table>
</td></tr>
</table>
</center>
</body>
</html>