Re: session-id redux

Rick Troth (TROTH@ua1vm.ua.edu)
Thu, 27 Jul 95 12:01:39 CDT


> Con: Cookies should not be used because COOKIE-ACCESSED CONTENT IS NOT
> CACHEABLE. The cookie must be part of the key a proxy cache uses to
> find cache hits, or else invalid responses are almost guaranteed for
> content whose form depends on information in the cookie (such as the
> shopping cart example).

I'm looking at authentication state to pass from click-to-click.
In this case, documents better darn well NOT be cached in such a way
that someone else (unathenticated or unauthorized) can get them.
But you know this.

What we're talking about now is putting state info into the
URL instead of in the HTTP headers like this

http://serverhost/path/path/path;state;blah;blah

such that the server can set PATH_INFO to "state;blah;blah"
for the fronting CGI script to utilize. With the cheaper Netsite
(my employer; not UA) we're running, this works. More importantly
it works for the majority of browsers. It's not as pretty as I
would like, but it's functional. I actually prefer it for some
other applications (from a former life). The only downside as far
as the implementation goes is that the server doesn't automagically
parse on the first semi-colon.

This method gets the desired results from the proxies.

--
Rick Troth <troth@ua1vm.ua.edu>, Houston, Texas, USA
http://ua1vm.ua.edu/~troth/