Webmaster World Forum http://www.webmasterworld.com

Page is a not externally linkable
- Code, Content, and Presentation
-- PHP Server Side Scripting
---- Bag-O-Tricks for PHP II

andreasfriedrich - 9:49 pm on Mar 4, 2003 (gmt 0)

>>Great work, andreas :)

Thanks, ruserious.

>>I would advice people to [...] not use Session-ids in the URI

I don´t mind having session ids in the URL for certain applications. And I do not believe that generally advising people against it is really wise. But I do admit that choosing your method of transmitting the session id should be an informed decision. You need to know the pros and cons of each approach. And when in doubt people should not use them in the URI ;).

>>goes against the idea and essence of what a URL/URI is

Not necessarily so. Since I am looking for a job right now I created an online resume and portfolio. The site is password protected and the session id is stored in the id. Now considering that a URI is used to point to a certain resource somewhere on the web that is exactly what my URIs containing a session id do. If you remove the session id it will point to a totally different resource, since all these pages are tailored to specific potential employers. Thus the session id does not only serve to identify who is accessing the page but also when somebody is accessing the page. Depending on the time resources may look different as well. Were the session id contained in a cookie the URL would not sufficiently identify a resource at any given time. Now that is what I´d call to go against the idea and essence of what a URL/URI is ;).

Putting the session id into the URL eliminated any problems with company firewalls filtering out cookies, cookies being turned off, browsers popping up a dialogue box to ask whether they should accept cookies, etc. All external links remove the session id from the URI to keep it from appearing in referrer logs. Sessions time out after 10 minutes of inactivity. I do believe this to be the best possible solution for this application.

Of course things would be different if I wanted these pages to be spidered by SEs.

So it seems that I would advise against session ids in the URL, too. I´d just add: unless you know what you are doing ;).

>>when the session dies

My sessions expire or time out but they never just die ;) Seriously, what kind of problems are you thinking about?

Andreas

Thread source:: http://www.webmasterworld.com/php/334.htm
Brought to you by WebmasterWorld: http://www.webmasterworld.com