C++ cgi and Sessions

2 comments, last by NotAYakk 17 years, 11 months ago
<introduction> Hello, as I was stuck with a hard question, I asked my friend if he could help me tackle the problem. He seemed to be too busy this weekend, however he encouraged me to come to this website. So, I'd like to say a little hello to the community before I post my first post. </introduction>

I was wondering if there is an existing library for generating session IDs for C++ based web applications that will be stored in a cache. (Planning to use it for a shopping cart and membership support.)

Why don't I use cookies? With the visitor's information saved on the server's cache, we can collect and manipulate data.

After some kind of research, it looks like I can manage sessions through the POST and GET methods (URL and form submissions): xxx.cgi?id=12We4dg2K9, with the ID number created with a random 10-12 digit alpha-numeric value.

The only problem with this general solution is that my CGI program uses iframes, and I don't know how I can make my iframes communicate with each other without using cookies. I guess the solution for this would be to somehow send information from the main iframe window to the server at intervals, and the other iframe windows will receive information from the server at runtime without refreshing the page (something like AJAX technologies, I guess).

As far as security goes, I'm not sure if the POST and GET methods of sessioning are secure, nor do I know how to make them secure.

If anybody can point me in the right direction, thank you very much! Any kind of related links will be greatly appreciated. Thanks a whole bunch once again.
I'm not sure if there is a library for that, but I would say even if there is something, it will turn out to be part of a much bigger system. With sessioning, you will probably have to store the ID in some DB table (especially if you're planning on persisting it over several weeks). You can store the session ID in a cookie and then look up all the other stuff you want from the DB, given that session ID.

Make sure, however, that anytime something that requires security is done (access to account settings, making a purchase, etc.), you require authentication by password (even if it's set to remember them on that computer or whatever - ALWAYS always require authentication when doing something secure).

I guess I'm kinda rambling. If your main interest is more in setting up some store and selling goods on a site you maintain (as opposed to learning the technical side of things), I would recommend you go with a commercially available solution, because this is a MUCH more difficult problem to solve than you probably imagine, and I've seen some ass-backwards systems online that I don't know why people trust. Just be careful :-).
Currently the program can do this, assuming that cookies are turned off on the client side.
1) On the first page, if there is no unique-id set, then the program creates a unique id for the visitor.
2) There will be a &id=10-digit-unique-id (a tracker) attached to every single link.
3) However, when back is pressed all the way back to the 1st page, the id is reset, yet my computer is left with that unique id still saved in the cache. (Useless information is stored on the computer.)
Can I do anything about this without cookies? I can't think of anything...

But when assuming that cookies are on, once the unique-id is marked, the unique id can be used throughout the whole session even when the visitor revisits the unique-id initialization page.

Another concern is bookmarks. What do I do for bookmarks?
Let's assume that a 10-digit-unique-id is created on March 5th 2005, and this page has been bookmarked. A year later, today, somebody has coincidentally received the same unique id. On the same day, coincidentally, the user who bookmarked the page just happened to use the bookmark again. Then two people will be manipulating the session file, thus bringing unwanted results.
One way I have thought of is to record the user's IP address in the session file, so that only the person with the matching IP address stored in that session-id can manipulate the new data.

[moderators, can you please relocate this post to the web development section please?]
If you need a globally unique ID... use a guid.

Guids are 128 bits, and they really tend to be unique.

Toss the GUID through a hashing function (so people can't log into other people's sessions trivially).

One case-sensitive alpha-numeric character is ~5.95 bits of data. So 22 case-sensitive alpha-numeric characters can represent a guid.

And why don't you use cookies?

If you cannot modify the cache code to include the cookies the client sends to you, simply set an identical cookie and session ID in the URL. Repeatedly check in your CGI code that both the cookie and the session ID match (if they do not I'd be tempted to simply boot the user with an error message, or clear the cookie and the session ID and ask them to log in again.)
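
An added example, not part of the original thread or any poster's code, following the reply above: it draws 128 bits from the OS random source in place of the hashed GUID the reply suggests, encodes them as 22 case-sensitive alphanumeric characters, and checks that the cookie copy and the URL copy of the ID agree. The function names and the use of `/dev/urandom` (a POSIX system) are assumptions.

```cpp
#include <array>
#include <cctype>
#include <cstdint>
#include <fstream>
#include <iostream>
#include <stdexcept>
#include <string>

// 62 case-sensitive alphanumerics: each character carries ~5.95 bits.
static const char kAlphabet[] =
    "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

// Encode a 128-bit big-endian value as exactly 22 base-62 characters.
std::string encode_base62(std::array<std::uint8_t, 16> v) {
    std::string out(22, '0');
    for (int pos = 21; pos >= 0; --pos) {
        unsigned rem = 0;
        for (auto &byte : v) {  // long division of the whole number by 62
            unsigned cur = (rem << 8) | byte;
            byte = static_cast<std::uint8_t>(cur / 62);
            rem = cur % 62;
        }
        out[pos] = kAlphabet[rem];  // remainder is the next digit, right to left
    }
    return out;
}

// Assumption: POSIX host; /dev/urandom supplies 128 unpredictable bits.
std::string new_session_id() {
    std::array<std::uint8_t, 16> raw{};
    std::ifstream rng("/dev/urandom", std::ios::binary);
    if (!rng.read(reinterpret_cast<char *>(raw.data()), raw.size()))
        throw std::runtime_error("OS random source unavailable");
    return encode_base62(raw);
}

// Reject anything that is not exactly 22 alphanumerics before any lookup.
bool well_formed(const std::string &id) {
    if (id.size() != 22) return false;
    for (unsigned char c : id)
        if (!std::isalnum(c)) return false;
    return true;
}

// The cookie copy and the URL copy must both be well formed and identical.
bool session_ids_match(const std::string &cookie_id, const std::string &url_id) {
    return well_formed(cookie_id) && well_formed(url_id) && cookie_id == url_id;
}

int main() { std::cout << new_session_id() << "\n"; }
```

A matching pair only shows the request is self-consistent; the ID still has to be looked up in the server-side session store before it is trusted.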

This topic is closed to new replies.
