Bug #4301
opensessionid in the URL creates end-user difficulty
0%
Description
Using a plain URL, one cannot access datasets that require authentication. Alternatively, a link of the form http://knb.ecoinformatics.org/knb/metacat?action=read&qformat=knb&docid=judithk.594 will function properly when authenticated, although this form is not actually presented in metacat. However, attempting to view the metadata for any of the included data tables will insert a &sessionid= with no value, which causes an error as I think this overrides the (correctly authenticated) value that would otherwise have been passed.
Perversely enough, at the top of any data package is a printed URL of the form http://knb.ecoinformatics.org/knb/metacat/judithk.594.26/knb, even though the actual link is http://knb.ecoinformatics.org/knb/metacat?action=read&qformat=knb&sessionid=________________________________&docid=judithk.594.26 with the actual sessionid embedded in the URL. I think it would be safer and more robust if that sessionid were not explicitly inserted anywhere. From what I recall and have been told, everything should function as intended by simply removing the sessionid from the various URLs.
Updated by Oliver Soong over 14 years ago
Oh, this is a small but frustrating UI enhancement thing that doesn't involve any of metacat's underlying functionality, so I'm lowering the priority.
Updated by Matt Jones over 14 years ago
Plus, the new RESTful URL style was created specifically to eliminate the problems with search engines ignorig the query string in metacat URLs. So the 'ld' url format should be deprecated once we finish making access control work on the new RESTful URL format.