Session Tags

Situation

A web designer is creating a site which will need users to log into it. Logging in will provide the user with a session tag, which must be provided to the site with each request. The web designer does not wish to rely on cookies or HTTP basic realm authentication, nor do they want to pass the session tag in a query string (or hidden form item) each time. The web designer also has a lot of legacy scripts which they wish to re-use. The scripts expect session information to be provided in an environment variable, and some of them create URLs of the form www.site.com/SESSION=sessionstring/<rest of url>

Solution

The session tag can be stored in the hostname of the site, and a rewrite script can be used to put this information into an environment variable (or two) for the legacy scripts. Use a request rewrite script similar to the following:

# Take URLs of the form www.site.com/SESSION=sessionstring/<url>
# and create www.sessionstring.site.com and remove the rest.
match URL into $ with ^/SESSION=([^./]+)/(.*)$
if matched then
    set IN:Host = www.$1.site.com
    set URL = /$2
endif
# Done with that - fortunately we can now fall through to...
 
# Take URLs of the form www.sessionstring.site.com and
# create SESSION=sessionstring as an environment variable
 
match IN:Host into $ with ^www\.([^.]+)\.site.com
if matched then
    set ENV:SESSION = $1
endif

Explanation

The first set of rewrite rules translates URLs that contain SESSION=something into URLs of the format www.sessionstring.site.com. This is done by finding /SESSION=something/ at the start of the URI and removing it, rewriting the hostname to match the form of www.session.site.com.

The second set of rules searches for session information in the URL, and translates it into a SESSION environment variable.

The two rules together then present a consistent interface to the scripts running on the site, without breaking any existing functionality.

Content Manager [Administrator] 16 December 2005