On Mon, Aug 1, 2011 at 10:07 AM, Gustavo Enrique Jimenez <gejime...@gmail.com> wrote:
> Hi:
>
> I send cookies to the client. One of those cookies is a "sessionID",
> a random number generated at login.
> My sequence is something like
>
> Login
> Client: username/password -> Login html button
> Server: run cgi app with username/password parameters -> Valid user?
> -> generate sessionID, store in DB. Send sessionID to the client as a
> cookie.
>
> Transaction
> Client: Product -> Search product html button (sessionID is also sent
> to the server)
> Server: run cgi app with product/username parameter. sessionID is
> implicit, as any cookie. If username/sessionID from the client is the
> same as in the DB, send data to the client.
>
> The sessionID cookie will remain until logout or expire time. This
> way, you don't have to store password in html. The sessionID cookie
> must be random+hash, unique to every session. sessionID is sort of
> temporary password.
>
> Client: username -> Logout html button
> Server: run cgi app with username/sessionID. Verify
> username/sessionID, then send an empty sessionID cookie (this will
> delete the sessionID cookie in client)
I agree with this one. The only thing I could add would be AJAX & WebSockets for really advanced applications.

_______________________________________________
fpc-pascal maillist - fpc-pascal@lists.freepascal.org
http://lists.freepascal.org/mailman/listinfo/fpc-pascal
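The login / transaction / logout flow quoted above, as an added example written in Python (it is not code from this thread or from Free Pascal); the demo user table, the in-memory session table standing in for the DB, and the one-hour expiry are constructed assumptions, and the names `login`, `validate` and `logout` are hypothetical:

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

SESSION_TTL = 3600  # seconds; assumed value, the mail only says "expire time"
# Constructed in-memory stand-ins for the server's DB: sha256(sessionID) -> record,
# and a demo user table (a real store keeps a password hash, not the password).
_sessions = {}
_users = {"alice": "correct horse battery staple"}

def _digest(session_id: str) -> str:
    # Store only a hash of the sessionID so a copied DB cannot be replayed as cookies.
    return hashlib.sha256(session_id.encode()).hexdigest()

def login(username: str, password: str, now: Optional[float] = None) -> Optional[str]:
    """Login step: check credentials, mint a random sessionID, store its hash, return the cookie value."""
    now = time.time() if now is None else now
    expected = _users.get(username, "")
    if not expected or not hmac.compare_digest(expected.encode(), password.encode()):
        return None
    session_id = secrets.token_urlsafe(32)  # CSPRNG, 256 bits: not guessable or enumerable
    _sessions[_digest(session_id)] = {"user": username, "expires": now + SESSION_TTL}
    return session_id

def validate(username: str, session_id: str, now: Optional[float] = None) -> bool:
    """Transaction step: accept the cookie only if it maps to this user and has not expired."""
    now = time.time() if now is None else now
    key = _digest(session_id)
    rec = _sessions.get(key)
    if rec is None:
        return False
    if rec["expires"] <= now:
        del _sessions[key]  # expired: drop the record so it cannot be revived
        return False
    return hmac.compare_digest(rec["user"].encode(), username.encode())

def logout(username: str, session_id: str, now: Optional[float] = None) -> str:
    """Logout step: verify username/sessionID, delete the server record, and return the
    Set-Cookie header that removes the cookie on the client (Max-Age=0, same attributes)."""
    if validate(username, session_id, now):
        del _sessions[_digest(session_id)]
    return "Set-Cookie: sessionID=; Max-Age=0; Path=/; Secure; HttpOnly; SameSite=Lax"
```

Deleting the server-side record at logout matters as much as the empty cookie: clearing only the client copy leaves a captured sessionID usable until it expires.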