Sessions
One question that we get asked a lot is how to use a site's existing session handling with a WAPL mobile version of the site.
Since WAPL allows you to use exactly the same business logic for both the web and mobile versions of your site, your existing application can carry on handling sessions as normal.
Don't Rely on Cookies
Although your session logic can work exactly the same on a mobile version of your site, we don't recommend relying totally on cookies for session handling.
Cookies are not supported by all handsets, and so some devices may not be able to access all features of your site if you rely 100% on cookies.
Recommended Method
We recommend using a GET variable to store the session id. For example, if a user logs in, they may be redirected to http://example.com?s=1234, where 1234 is their current session id.
On all subsequent links in the site, you would need to append ?s=1234 to the URL, thus maintaining persistence across requests. To log a user out, simply redirect them to http://example.com, omitting the session id.
Handling sessions in this way will ensure that all devices will be able to access sections of your site that require authentication or other forms of persistence.
Security
If you are worried about security using this method, we recommend passing two variables in the URL. One is the normal s=1234; the second is a value obtained by taking a hash of the session id appended to a secret salt, e.g. http://example.com?s=1234&h=fr5ThY.
You can then check on each request that the h variable corresponds to the given s variable. This will prevent attackers from gaining access by appending random session ids. In order to gain access, an attacker would also need to know the secret salt and the hashing algorithm used.
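
One way to implement the check described above, as an added example that is not part of the original page or WAPL's own code. It uses HMAC-SHA256 with a constant-time comparison in place of a plain hash of the id appended to the salt; the secret value and the function names are assumptions.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed placeholder (assumption): load the real secret from server-side
# configuration and never send it to the client.
SECRET_SALT = b"constructed-example-salt"


def session_tag(session_id: str, secret: bytes = SECRET_SALT) -> str:
    """Return the h value for a session id (keyed HMAC-SHA256, hex encoded)."""
    return hmac.new(secret, session_id.encode("utf-8"), hashlib.sha256).hexdigest()


def build_url(base: str, session_id: str) -> str:
    """Append s and h to a link; assumes base has no query string of its own."""
    return base + "?" + urlencode({"s": session_id, "h": session_tag(session_id)})


def verified_session_id(url: str):
    """Return the session id if h corresponds to s, otherwise None."""
    params = parse_qs(urlsplit(url).query)
    s_values, h_values = params.get("s", []), params.get("h", [])
    # Reject missing or repeated parameters instead of guessing which one to use.
    if len(s_values) != 1 or len(h_values) != 1:
        return None
    expected = session_tag(s_values[0])
    # Constant-time comparison does not reveal how many characters matched.
    if hmac.compare_digest(expected.encode("utf-8"), h_values[0].encode("utf-8")):
        return s_values[0]
    return None


if __name__ == "__main__":
    good = build_url("http://example.com", "1234")    # constructed sample link
    forged = good.replace("s=1234", "s=1235")         # guessed id, old h value
    print(good, "->", verified_session_id(good))
    print(forged, "->", verified_session_id(forged))
```

The check rejects only s values the server did not issue; a request carrying a copied s and h pair still passes, so the session store still has to expire and invalidate ids.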