They save the session id in a cookie – easy and not very interesting; fails if cookies are disabled
They add the session id at the end of the url and build all links on the page accordingly – fine but I’ve two questions here:
1. How do they prevent a session id from appearing in a search engine's index (cloaking???)?
2. What if someone wants to link to my site (he will use the url with the session id)? Yes, I could use browser type information etc. but it wouldn’t help much. However, because of proxies I cannot use the IPs either. Best way would be to check the referrer, right?
So the following would be my solution so far.
Include the session id in the url.
Check on every page if the referrer is an external source (if yes set up a new session).
Check also if session is older than 7 days, if yes set up a new session? Is this done automatically if I use PHP4's session support?
What do you think?
Maybe it seems that I’ve answered all questions by myself but I want to be sure I don’t miss an option.
btw: it’s time someone brings up a new standard for sessions which – unlike cookies – does not scare users.
The basic gist is that cookies would be the best way in a perfect world, but since people turn them off, it isn't.
The best thing I can think of is to associate a session with an ip, kinda like a user/password. If the ip doesn't match the original session, create a new session. For spiders - cloak and deliver the same content statically.
I think referrers are the least valuable of all. Filtering programs often filter them out, they are often flat wrong (browser bugs), and many of the newer browsers (opera) come with an easy option to disable them. I've not run with referrers on full time in years.
Lastly, if you can manage all this, how about tracking them on disk?
What I do for session tracking:
- Write a file with their ip address as the file name,
- in the file:
  - put their agent name,
  - time of last view,
  - last page view,
  - referrer,
  - and any cookies found.
Given those bits of info, you can pretty much id anyone at any time. It's also really quick and system friendly to do checks for previous views:
    if (-e "$sessiondirectory/$ENV{REMOTE_ADDR}") {
        # seen this guy before...
    }
    else {
        # dude, it's a new user...
    }
Then I run a cron job to delete those ip session files that are "out of date" after a few hours.
I do run a couple of extra checks for any host that has "proxy" in the name and use cookies for those folks.
That way, the session tracking is 100% behind the scenes. They don't even know it, and it is link and search engine friendly.
...works for me (tm)
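
The scheme described in the reply above, as an added Python sketch that is not code from either poster: one record per IP holding agent, last view, last page and referrer, an idle purge, and a cookie key for hosts with "proxy" in the name. The class and function names, the three-hour timeout, the in-memory dict standing in for the per-IP files, and the refusal to adopt a cookie value the server did not issue are assumptions of this example.

```python
import secrets
import time
IDLE_TIMEOUT = 3 * 3600  # assumed value for the reply's "a few hours"

class SessionTracker:
    """Session table keyed by client IP, or by a cookie token for proxy hosts."""

    def __init__(self, clock=time.time):
        self.sessions = {}  # key -> record; stands in for one file per IP
        self.clock = clock

    def purge(self):
        """The cron job's work: drop records idle longer than IDLE_TIMEOUT."""
        cutoff = self.clock() - IDLE_TIMEOUT
        for key in [k for k, r in self.sessions.items() if r["last_view"] < cutoff]:
            del self.sessions[key]

    def hit(self, ip, host, agent, page, referrer="", cookie=None):
        """Record one request; return (seen_before, cookie_to_set_or_None)."""
        self.purge()
        if "proxy" in host.lower():
            # Many users share a proxy address, so key on a cookie instead.
            # An unknown client-supplied token is replaced, never adopted.
            if cookie is None or "cookie:" + cookie not in self.sessions:
                cookie = secrets.token_urlsafe(16)
            key = "cookie:" + cookie
        else:
            key, cookie = "ip:" + ip, None
        seen_before = key in self.sessions
        self.sessions[key] = {"agent": agent, "last_view": self.clock(),
                              "last_page": page, "referrer": referrer}
        return seen_before, cookie

def demo():
    """Constructed requests (documentation addresses, made-up host names)."""
    t = [1_000_000.0]
    s = SessionTracker(clock=lambda: t[0])
    home = ("192.0.2.10", "dsl-10.isp.example")
    prox = ("198.51.100.5", "proxy1.isp.example", "Mozilla/4.0")
    out = [s.hit(*home, "Opera/6.0", "/")[0]]
    # A different browser at the same address lands in the same record.
    out.append(s.hit(*home, "Mozilla/4.0", "/a")[0])
    # Two cookieless users behind one proxy host each get their own token.
    c1, c2 = s.hit(*prox, "/")[1], s.hit(*prox, "/")[1]
    out.append(c1 != c2)
    out.append(s.hit(*prox, "/b", cookie=c1)[0])
    t[0] += IDLE_TIMEOUT + 1  # idle past the timeout, so the record is purged
    out.append(s.hit(*home, "Opera/6.0", "/")[0])
    return out
```

The second result in `demo()` shows the limit of keying on the address alone: any two visitors who share a non-proxy-named address (NAT, an unlabelled gateway) are treated as one session.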