Many sites use unique cookies to track users. There are two use cases for them: first, we may want to know how users move through our site (the "clickstream"); second, we could have a web application that uses the cookie as a key into an internal session table.
Note
Never use cookies as the only session key
If we use cookies as session keys, we should always add a check for the client IP address before permitting session access. Otherwise, our site could allow session-stealing attacks, even if the cookie values are hard to guess.
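The check the note describes, as an added example that is not from the book: a small in-memory session table (hypothetical, not a Lighttpd API) that issues hard-to-guess cookie values, records the client IP at creation, and refuses a valid cookie presented from a different address, recording the mismatch so it can be reported.

```python
import secrets
import time

# Constructed example: mirrors usertrack.cookie-max-age = 3600 from the
# configuration discussed on this page.
SESSION_MAX_AGE = 3600  # seconds


class SessionTable:
    """Session store keyed by cookie value, bound to the client IP."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock, handy for testing expiry
        self._sessions = {}        # cookie value -> {"ip", "created", "user"}
        self.alerts = []           # (cookie prefix, issued-to ip, presented-from ip)

    def create(self, client_ip, user):
        """Issue a random, unguessable cookie value bound to client_ip."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"ip": client_ip, "created": self._now(), "user": user}
        return sid

    def lookup(self, sid, client_ip):
        """Return the user for a cookie, or None when the cookie is unknown,
        expired, or presented from a different IP than it was issued to."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if self._now() - entry["created"] > SESSION_MAX_AGE:
            del self._sessions[sid]          # expired: drop it, same as the cookie
            return None
        if entry["ip"] != client_ip:
            # A valid cookie from the wrong address is the session-stealing
            # case the note warns about: record it and deny access.
            self.alerts.append((sid[:8], entry["ip"], client_ip))
            return None
        return entry["user"]
```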
The idiom is so common that Lighttpd has grown a module to do it. The mod_usertrack module does nothing but set a cookie so that we can track users across multiple connections. A sample mod_usertrack configuration snippet is here:
server.modules += ("mod_usertrack")
usertrack.cookie-domain = "ourdomain.com"
usertrack.cookie-max-age = 3600 # make the cookie last an hour
usertrack.cookie-name = "ourid"
This sets the cookie-domain to our domain, makes the cookies...