Getting Rid of Session Data in PierCMS URLs
Some Background
One of the by-products of using PierCMS is that it includes the data (GET vars) in the URL that connects the browser instance (or tab instance) to the session on the server. For a while, I thought it was just a cosmetic thing. Seeing that URL bugged me. It just seemed ugly. I thought that I was just being OCD about the whole thing, until I started seeing other repercussions of these URLs.
What I found was that adding the session data to the URL, by its very nature, makes the URL unique. I didn’t think too much about it until I started adding features to the site. The two that I found were:
Using Bit.ly
In using Bit.ly, one of the things that is ultimately important is being able to accurately account for how many people are forwarding your link. I started to make a habit of clipping out the session data from my URLs before I shortened them. Then, I started to see that not only was I sending my URLs around Twitter, but so were others.
I then saw that while my stats should have shown links to the same story as the same URL, that wasn’t the case due to the extra unique variables at the end of the URL.
Facebook Like
While I have not done any testing on this, I have noticed odd behaviors with the Facebook “Like” button. Since the Facebook “Like” button operates on the URL, I have a sneaking suspicion that this is at play with the Facebook Like button. In the past, I wrote a component for PierCMS that would insert the Like button into a story; in it, I clipped the variables from the URL, but unless you think about it, you might not do that.
One BIG gotcha
There is one gotcha in all this. Pretend you just published a story on your blog/podcast. You are excited about it, so the first thing you might do is send it to Twitter, Facebook, and Hacker News. You most likely do this within minutes of writing your post.
Unless you think about it, your first instinct would be to swipe out the URL and send it along on its way. You do this, and continue working away on your site.
Here’s where it gets scary.
Since you sent the full URL, anyone who clicks that link joins your session on the server: they are logged in as you (probably with admin privileges). That stays true of the link for as long as the session remains alive on the server.
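As an added example (not code from the original post or from Pier), a small Python helper that does the clipping described above mechanically: it strips Seaside’s session parameters before a URL is shortened or shared, and flags links that still carry one. The parameter names `_s` and `_k` are Seaside’s conventions, which the post does not spell out; the sample links are constructed.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Seaside (the framework Pier is built on) keeps session state in the query
# string: _s is the session id and _k the continuation/action key. These
# names come from Seaside itself; the original post does not spell them out.
SESSION_PARAMS = frozenset({"_s", "_k"})


def carries_session(url: str) -> bool:
    """True if the URL still embeds a Seaside session or action key.

    Sharing such a URL hands the recipient the sender's logged-in session.
    """
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return any(name in SESSION_PARAMS for name, _ in pairs)


def canonical_share_url(url: str) -> str:
    """Drop session parameters so every share of a story maps to one URL.

    Non-session parameters (e.g. ?page=2) and the fragment are preserved,
    so Bit.ly and Like counts collapse onto the story rather than the session.
    """
    parts = urlsplit(url)
    kept = [(name, value)
            for name, value in parse_qsl(parts.query, keep_blank_values=True)
            if name not in SESSION_PARAMS]
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(kept), parts.fragment))


def audit_shared_links(urls):
    """Return the subset of already-shared links that leak a session key.

    Useful for checking a batch of links (tweets, shortener history) after
    the fact; each hit is a session that should be cleared on the server.
    """
    return [u for u in urls if carries_session(u)]


# Constructed sample links; example.com stands in for a real Pier site.
SAMPLE_LINKS = [
    "http://example.com/blog/my-story?_s=AbCdEf123&_k=XyZ789",
    "http://example.com/blog/my-story?page=2&_s=AbCdEf123",
    "http://example.com/blog/my-story",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(carries_session(link), canonical_share_url(link))
```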
How to fix all of the Above
While I haven’t fully tested it (working on that now), it seems like an easy enough fix. Here’s what you do:
- Update your Pier Image to use cookies – Go into your /config/pier (or wherever your pier instance is mapped) and scroll down to the “Use Cookies” option. Click “Override” and set it to true.
- Go to your /status page, and clear all sessions.
- Clear all the cookies in your browser.
This stores the session key in a cookie instead of the URL. The one thing to keep in mind is that every other view of this URL in the same browser instance will now use the same session and credentials. Keep that in mind if you are used to using different windows for testing.
