docs.roxen.comView this page in a printer friendly mode
DocsRoxenWebServer 6.1Web Developer ManualProgramming Tags
Copyright  2020, Roxen Internet Software
Suggestions, comments & compliments

<?cdata ?>
<?noparse ?>
<?perl ?>
<?pike ?>


Provided by module: Tags: Session tag module

Forces a session id to be set in the variable &client.session;.

Depending on the settings of this module, there are two ways the session cookie is set:

  • Default

    If no RoxenUserID cookie exists, headers to set the cookie is generated. The client.session variable is set and usable immediately during the request from then on. If the client do not support cookies or has cookies turned off, each request the force-session-id tag is used, the session key will have a different value.

  • Deprecated

    If no RoxenUserID cookie exist, a redirect is made to the same page with a prestate containing a newly generated session key together with a Set-Cookie header with the same key as value. The prestate is used if the cookie cannot be set. If both the RoxenUserID cookie and the session prestate is set, it redirects back to the same page without any prestate. I.e. two redirects for client that supports cookies, and one redirect for clients that don't. Also note that the tag itself does not stop the RXML parser during these requests the redirects are made. This is why it is deprecated; the fallback only works as long as the prestate exists, secondly the search engines will have two urls containing the same content due to the redirects.

The RoxenUserID cookie can be set automatically by the HTTP protocol module. Look at the option to enable unique browser id cookies under the server ports tab.

<force-session-id/> <!-- RXML code that uses &client.session;, e.g. as follows: --> <session id='&client.session;'> ... </session>

Deprecated (when module is configured to use prestate):

<force-session-id/> <if variable='client.session'> <!-- client.session has a value when the RoxenUserID cookie exists or if cookie don't exist but the prestate that starts with "RoxenUserID=" does. --> <!-- RXML code that uses &client.session;, e.g. as follows: --> <session id='&client.session;'> ... </session> </if>

Example of how to do a separate test to verify if a client supports cookies, server side:

<nocache> <if variable="form.test-cookie = 1"> <if variable="cookie.testing_cookie = 1"> Cookies work </if> <else> Your browser do not support cookies. </else> </if> <else> <set-cookie name="testing_cookie" value="1"/> <redirect to="&page.path;?test-cookie=1"/> </else> </nocache>



If this attribute is present the session cookie will be set with the Secure attribute. The Secure flag instructs the user agent to use only (unspecified) secure means to contact the origin server whenever it sends back the session cookie. If the browser supports the secure flag, it will not send the session cookie when the request is going to an HTTP page.


If this attribute is present the session cookie will be set with the HttpOnly attribute. If the browser supports the HttpOnly flag, the session cookie will be secured from being accessed by a client side script.