Re: Statefulness (was ...URL...)

Pat La Claire (excalib!sparcy!pat@ucsd.edu)
Fri, 1 Dec 95 08:30:22 PST


> > Using the username/password as an identifier for a server-side session
> > state object.
>
> Unfortunately, the server can't set that. It would be nice if it could,
> but you have to get the user to type it in, which can be annoying.
> --Darren

we're required to have *some* form of access control to our httpd server. we
require a username/password combination to "login" to our application. once
login has been authorized, we generate a unique session key to identify this
user in the system until the user either logs out or times out. the session
key is passed between the forms as a hidden field. our cgi program embeds
the session key in the next form served. this way we maintain whatever state
information that we need in our application (which is a server that the cgi
calls). the application maintains a "user thread" that contains lots of stuff,
and is keyed off the session key.

this access control is by no means bulletproof, but all we need at this time.