Date:  12/04/2006 12:08:46 PM Msg ID:  003241
From:  John Sullivan Thread:  003226
Subject:  Re: When is Session ID assigned?
Hi Foxweb Support,

I am still not sure my question was answered. Are you saying Foxweb will not reuse session id's like in a 30 day time frame assuming 100 new session id's per day? I would like my session id's to be good (unique) for about 30 days since ,my users will come to the web site, do some work, leave and then come back again over the next several weeks.

I would rather use Session.GetSessionID() but the 30 day uniqueness is very import.

I look forward to your response.


Sent by FoxWeb Support on 12/04/2006 12:01:01 PM:
When a request arrives, FoxWeb looks for a session id cookie.  If no such cookie exists, FoxWeb generates a new session id string.  However, FoxWeb does not the session id cookie to the browser and does not create a record in the session table, unless the requested script has created at least one session variable.  There's no reason to send a cookie if this cookie will not be used in subsequent requests and the same holds true for records in the session table.

I only recommended that you Session.GetSessionID() because it utilizes an algorithm that ensures uniqueness.  You are really not using any other functionality in the session object.  You could just as easily generate a unique session id with UUIDs, random numbers, or other methods.

In general you should choose an session id algorithm that always creates a unique id and you should never re-use session ids.

FoxWeb Support Team email

Sent by John Sullivan on 11/29/2006 09:46:51 PM:
Using fw_enter.fwx as the point to establish a cookie sounds like a good idea.

Please help me understand the Session.GetSessionID(). This information is in the description for it:

"A new session id is assigned to the same user after each request, unless the session is committed, by associating at least one session variable with it."

Exactly what does this mean? If I use Session.GetSessionID() to retrieve a unique id for the cookie do I need to also store one variable?

One more question: If the session timeout or Session.Abandon is used will or could the same session id be re-used for a session related to a new web site user? My cookie id must be unique and remain that way for about 30 days, which is the expiration I plan for my cookies.

Again, thanks for your help.


Sent by FoxWeb Support on 11/29/2006 07:04:17 PM:
You could include the code in each script, but if you need it in all your scripts, then you could include it in fw_enter.prg.  For details, please refer to the Global Procedures topic in the FoxWeb documentation. 

FoxWeb Support Team email

Sent by John Sullivan on 11/29/2006 10:07:17 AM:

One more question -- I assume the setup code:

CookieID = Request.GetCookie("SessionID")
    * This is a new session
    Response.SetCookie("SessionID", Session.GetSessionID(), , '/')

** use cookie id to determine saved session user information

would be included at the top of every Foxweb page (.FWX page). Is this true?

My plan is to retrieve records based on the CookieID I established above and use this information like a shopping cart to reestablish information on the page relative to a specific user, retain information from page to page, etc.


Sent by John Sullivan on 11/28/2006 09:59:17 PM:
Thanks for the quick reply. It seems like setting an unique cookie is the way to go. It sounds like the Session object depends on cookies being enabled for the browser just like the GetCookie / SetCookie methods. What method would you recommend to determine if cookies are enabled for a browser so I can tell the user?



Sent by FoxWeb Support on 11/28/2006 08:56:14 PM:
If you don't need to store any session variables, then you should not be using the session object, because it's not as efficient as simply creating your own unique session ID and sending it as a cookie.  You can write your own code to generate these cookies, or you can simply use the session id that FoxWeb creates.  The following code uses a cookie, named "MySessionID" to store session IDs.  It first looks for this cookie, and if it can't find it, it creates one.  Subsequent requests from the user will return this cookie:

IF EMPTY(Request.GetCookie("SessionID"))
    * This is a new session
    Response.SetCookie("SessionID", Session.GetSessionID(), , '/')

Regarding the length of Session IDs, in most cases they will be 11 characters, but the algorithm that generates them uses random numbers for the first 6 digits, so it's possible that they will be shorter.

FoxWeb Support Team email

Sent by John Sullivan on 11/28/2006 11:42:37 AM:
The Foxweb documentation states "A new session id is assigned to the same user after each request, unless the session is committed, by associating at least one session variable with it. "

Does this mean I need to use at least one Session.SetVar to create a consistent session for a visitor to my web site? If I use the Session.GetSessionID() does this set a session ID for the visitor, which will remain consistent until the  session timeout is reached or until I execute Session.Abandon?

I tested the session ID and on one test it was 10 characters in length and another it was 11 character. Why would this happen and is this normal? What I did was to retrieve the session ID using GetSessionID and then saved it to a file using the VFP Strtofile function. I reviewed the session ID after each test to see exactly what was saved in the file.

Why would the session ID length vary? It did not vary while in the session. If it started as a 10 character unique string it remained 10 characters. But creating a new session later showed it as an 11 character string for the new session.

What I want to do is use the session ID to create a shopping cart method for saving information to use from page to page.

Thanks for your help. By the way, I love Foxweb!

John Sullivan