Date:  11/29/2006 07:08:00 PM Msg ID:  003233
From:  FoxWeb Support Thread:  003226
Subject:  Re: When is Session ID assigned?
The session IDs generated by FoxWeb's session object are guaranteed to be unique, but feel free to use your own algorithm.  I do not recommend using a number series for this purpose, because this will make your session IDs predictable.  For example, a hacker could connect to your site, receive session id 100078 and be able to know that the site contains sessions for 100077.  He could then fake a request with 100077 as the ID to retrieve another user's data.

FoxWeb Support Team
support@foxweb.com email
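
The following is an added example, not part of the original thread and not FoxWeb code: a language-neutral sketch in Python of the two points discussed here, unpredictable session IDs instead of a number series, and date/time-based cleanup of old session rows. The names SessionStore, resolve_session and SESSION_TTL are hypothetical, and the in-memory dictionary stands in for the user table.

```python
import secrets
import time

SESSION_TTL = 30 * 60  # seconds; assumed idle timeout, not a FoxWeb setting

class SessionStore:
    """In-memory stand-in for the user/session table discussed in the thread."""

    def __init__(self, ttl=SESSION_TTL, clock=time.time):
        self._rows = {}      # session id -> (last_seen, data)
        self._ttl = ttl
        self._clock = clock

    def create(self):
        # 16 bytes from the OS CSPRNG: holding one issued ID reveals nothing
        # about other live IDs, unlike a series such as 100077 -> 100078.
        sid = secrets.token_urlsafe(16)
        self._rows[sid] = (self._clock(), {})
        return sid

    def lookup(self, sid):
        """Return the session's data dict, or None if unknown or expired."""
        row = self._rows.get(sid)
        if row is None:
            return None
        last_seen, data = row
        if self._clock() - last_seen > self._ttl:
            del self._rows[sid]   # expired: treated exactly like an unknown ID
            return None
        self._rows[sid] = (self._clock(), data)   # sliding expiry
        return data

    def purge(self):
        """Delete rows older than the TTL (the date/time cleanup job)."""
        cutoff = self._clock() - self._ttl
        stale = [s for s, (seen, _) in self._rows.items() if seen < cutoff]
        for s in stale:
            del self._rows[s]
        return len(stale)

def resolve_session(store, cookie_value):
    # Per-request logic: a missing, unknown or expired cookie value is never
    # adopted as an ID; the server always issues a fresh one instead.
    data = store.lookup(cookie_value) if cookie_value else None
    if data is not None:
        return cookie_value, data, False
    sid = store.create()
    return sid, store.lookup(sid), True
```

Because expired and unknown IDs are handled identically and a client-supplied value is never stored as a new ID, a guessed or replayed cookie only ever yields a fresh, empty session.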

Sent by John Sullivan on 11/29/2006 10:16:22 AM:
One more item. I am concerned that a session ID could be re-used so I need a scheme to clean up my user table. I assume using a date/time column and then reviewing that information and deleting records older than a certain date time would be appropriate. Maybe the best idea would be to have a user id table with an auto-increment column and use that column to store a unique user cookie id. In other words, if the last used id was "100077" then the next id would be "100078". I could go for many days before the need to delete older records.

Does this make sense?

John


Sent by John Sullivan on 11/29/2006 10:07:17 AM:

One more question -- I assume the setup code:

CookieID = Request.GetCookie("SessionID")
IF EMPTY(CookieID)
    * This is a new session: keep the new ID in CookieID so the lookup below can use it
    CookieID = Session.GetSessionID()
    Response.SetCookie("SessionID", CookieID, , '/')
ENDIF

** use cookie id to determine saved session user information



would be included at the top of every FoxWeb page (.FWX page). Is this true?

My plan is to retrieve records based on the CookieID I established above and use this information like a shopping cart to reestablish information on the page relative to a specific user, retain information from page to page, etc.

John



Sent by John Sullivan on 11/28/2006 09:59:17 PM:
Thanks for the quick reply. It seems like setting a unique cookie is the way to go. It sounds like the Session object depends on cookies being enabled for the browser just like the GetCookie / SetCookie methods. What method would you recommend to determine if cookies are enabled for a browser so I can tell the user?

Thanks,

John



Sent by FoxWeb Support on 11/28/2006 08:56:14 PM:
If you don't need to store any session variables, then you should not be using the session object, because it's not as efficient as simply creating your own unique session ID and sending it as a cookie.  You can write your own code to generate these cookies, or you can simply use the session id that FoxWeb creates.  The following code uses a cookie, named "MySessionID" to store session IDs.  It first looks for this cookie, and if it can't find it, it creates one.  Subsequent requests from the user will return this cookie:

IF EMPTY(Request.GetCookie("SessionID"))
    * This is a new session
    Response.SetCookie("SessionID", Session.GetSessionID(), , '/')
ENDIF

Regarding the length of Session IDs, in most cases they will be 11 characters, but the algorithm that generates them uses random numbers for the first 6 digits, so it's possible that they will be shorter.

FoxWeb Support Team
support@foxweb.com email

Sent by John Sullivan on 11/28/2006 11:42:37 AM:
The FoxWeb documentation states "A new session id is assigned to the same user after each request, unless the session is committed, by associating at least one session variable with it."

Does this mean I need to use at least one Session.SetVar to create a consistent session for a visitor to my web site? If I use the Session.GetSessionID() does this set a session ID for the visitor, which will remain consistent until the session timeout is reached or until I execute Session.Abandon?

I tested the session ID and on one test it was 10 characters in length and on another it was 11 characters. Why would this happen and is this normal? What I did was to retrieve the session ID using GetSessionID and then saved it to a file using the VFP Strtofile function. I reviewed the session ID after each test to see exactly what was saved in the file.

Why would the session ID length vary? It did not vary while in the session. If it started as a 10 character unique string it remained 10 characters. But creating a new session later showed it as an 11 character string for the new session.

What I want to do is use the session ID to create a shopping cart method for saving information to use from page to page.

Thanks for your help. By the way, I love FoxWeb!

John Sullivan