Most sessions are based on cookies, as in PHP/JSP.

But as for mobile devices, there are quite a few that don't support cookies.

How to generate a unique identifier for each user in the same corporation that uses the same IP address?

A: 

When cookies fail, a good ol' query string comes onto the scene. Less secure, yes, but you have no choice anyway. You can refer to the PHP session manual for the details.

Col. Shrapnel
Have you heard of NAT?
@user198729 yes, I have one of my own. So?
Col. Shrapnel
Can you elaborate how to implement NAT? If so, a query string is not needed, don't you think?
@user198729 hehe got ya :) I have to think of it but at first glance it seems to be impossible.
Col. Shrapnel
Does any RFC say that NAT information is trimmed by the router? Why is it so hard to do at the web server level?
@user198729 there is no such thing as "NAT information". There is only the NAT translation table, and that table exists only in the router's RAM.
Col. Shrapnel
A: 

session_regenerate_id(); // get a new session id

If session cookies are enabled, use of session_regenerate_id() will also submit a new session cookie with the new session ID.

nik
What do you mean to do?
Ok! Let me know how you distinguish different users... In PHP you can generate a different session ID using the said method.
nik
So, what's the use of this method?
Col. Shrapnel
One can regenerate and get the session ID each time a different user comes in.
nik
@nik, it can't persist without cookie support.
How do you know about different users? Don't you have a login form or something?
nik
+1  A: 

Both PHP and JSP support session tracking through URLs.

In PHP you just have to pass session_id() as a PHPSESSID request parameter, through forms as a hidden input element and through links as part of the query string.

<form action="page.php">
    <input type="hidden" name="PHPSESSID" value="<?= session_id() ?>">
    ...
</form>

<a href="page.php?PHPSESSID=<?= session_id() ?>">link</a>

The PHP engine will automatically scan for it and apply it in cookieless sessions.

In JSP it's called "URL rewriting" (which has a quite different meaning in PHP / Apache HTTPD world). In the view side, you can make use of JSTL <c:url> to rewrite the URL if necessary (it will automatically detect the need).

<form action="<c:url value="page.jsp" />">
    ...
</form>

<a href="<c:url value="page.jsp" />">link</a>

On the controller side, when doing a server-side redirect inside the same context, you need to run HttpServletResponse#encodeRedirectURL() on the URL before doing sendRedirect().

response.sendRedirect(response.encodeRedirectURL("page.jsp"));

Either way, it will automatically append jsessionid to the URL, in the following syntax:

/page.jsp;jsessionid=5AE12D39BCE87F61029876BF1AA28

The servletcontainer will automatically scan for it and apply it in cookieless sessions.

BalusC
Seems it's the same as @Col. Shrapnel's. But can we identify users by **NAT**?
Session IDs are not bound to IP addresses, if you seem to think that. Else you have to elaborate more about the *actual* problem you're struggling with, or to dive a bit more into the technical details ("how does it work under the hood?").
BalusC
I don't know how NAT works under the hood, that's why I ask this question here :(
Well, you seem to expect that sessions are bound to IP addresses. This is **not true**. Which means, you can just safely make use of sessions to identify users.
BalusC
PHP's default session mechanism won't work if cookies are not supported; this is the case for many mobile devices. So in that case we need to **implement an identifier ourselves**, which I know isn't simply the IP address, hope you get what I mean :)
:o In other words, you missed the whole point of my answer? Pass session ID in URL instead of cookie.
BalusC
I get your point, which is quite similar to @Col. Shrapnel's, but a longer version :) However I'm more willing to see a solution based on **NAT**
You **cannot** reliably identify unique users by IP address. NAT or not. There are users with a dynamic IP address which can change from minute to minute. There are users who sit behind a proxy which can be shared among millions of other users. The only thing which you can be sure about is the HTTP request and response itself. You can pass cookies along with it. If the user doesn't accept them, then only the request URL remains.
BalusC
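
As an added example that is not part of the original thread: a cookieless PHP session that carries the ID in the URL or a hidden form field as the answers describe, with strict mode, ID regeneration at login and a no-referrer policy to limit exposure of the ID. It assumes the file is served as page.php; `sid_url()`, `on_login()`, `h()` and the fixed `demo-user` are hypothetical names for illustration.

```php
<?php
// Added example, not code from the thread; sid_url(), on_login(), h() are hypothetical.
// The client sends no cookies, so accept the session ID from the URL or form.
ini_set('session.use_cookies', '0');
ini_set('session.use_only_cookies', '0');
// Accept only IDs this server issued; an unknown PHPSESSID gets a fresh ID.
ini_set('session.use_strict_mode', '1');
// Idle sessions become eligible for garbage collection after 15 minutes.
ini_set('session.gc_maxlifetime', '900');
session_start();
// Keep the ID-bearing URL out of Referer headers and caches.
header('Referrer-Policy: no-referrer');
header('Cache-Control: no-store');

/** Append the current session ID to a relative, same-site URL. */
function sid_url(string $path): string
{
    $sep = (strpos($path, '?') === false) ? '?' : '&';
    return $path . $sep . rawurlencode(session_name()) . '=' . rawurlencode(session_id());
}

/** Call once credentials have been verified. */
function on_login(string $userId): void
{
    // Issue a new ID at the privilege change and delete the old session,
    // so an ID that appeared in an earlier URL stops being valid.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

/** HTML-escape a value for use in text or an attribute. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Constructed demo: a fixed user stands in for a real credential check.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && ($_POST['action'] ?? '') === 'login') {
    on_login('demo-user');
}
?>
<p>Signed in as: <?= h($_SESSION['user_id'] ?? 'nobody') ?></p>
<a href="<?= h(sid_url('page.php')) ?>">reload</a>
<form action="page.php" method="post">
    <input type="hidden" name="<?= h(session_name()) ?>" value="<?= h(session_id()) ?>">
    <input type="hidden" name="action" value="login">
    <button type="submit">log in</button>
</form>
```

Serve the page over HTTPS only, since the session ID is visible in every request line and in server access logs.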