Some ways to pass a session ID around:

• Cookie
• PATH_INFO - http://my.host.com/myscript.cgi/1234567890/function
• URI Parameter - http://my.host.com/myscript.cgi?sessionid=1234567890
• Hidden fields in forms

The framework I use for web apps attempts to set a cookie. If that fails, it builds its URIs to include the session id. It can then pull the session ID out of $ENV{PATH_INFO}.

---
print map { my ($m)=1<<hex($_)&11?' ':'';
$m.=substr('AHJPacehklnorstu',hex($_),1) }
split //,'2fde0abe76c36c914586c';
[download]

I would add to this using Perl Trans Handlers in apache :-
• URI Path - http://my.host.com/1234567890/myscript.cgi
can then set a $ENV{sessionid}=1234567890 whilst doing some simple security.

Just my thoughts
UnderMine

-- Randal L. Schwartz, Perl hacker
Be sure to read my standard disclaimer if this is a reply.

Update: Forgot to add that you can store information on the server that is associated with a session, so cookies aren't needed.

I've done essentially that in the past, using Digest::MD5, which did the job fine.

HTH,
--roundboy

If you pass a session id around all you need to do is store all the data on the server and then no one can 'pick off parameters to use them'. Alternatively I will often pass hidden params plus a nMD5 hash around. If you have X params you want fixed make an MD5 hash (plus a secret string) and pass that around to.

An MD5 hash is very predictable if you hash just the values you store in hidden fields as MD5( 'this data' . 'that data' ) == MD5( 'this data' . 'that data' ) so your hash should be MD5( 'this data' . 'that data' . 'my secret string so no one can hash my hidden params and compute the hash using an educated guess/minimal brute force' ).

cheers

tachyon

s&&rsenoyhcatreve&&&s&n.+t&"$'$`$\"$\&"&ee&&y&srve&&d&&print

Try this tutorial, really simple to follow, and works a charm!

http://www.easysoft.com/tech/php/tut_001/main.phtml

It is written in PHP, however, it is quiet straight forward to convert into Perl.

I had the same problem with a game I made. The game is located at:

http://www.queenfans.com/games/ogre_battle/wizard.cgi

I started off using hidden fields in the forms - but people started putting their own values in, and ended up with 1,000,000 gold pieces, loads of strength, etc. *Gives PodMaster a dirty look*

I thought about using cookies to store the data, but like you say, not everyone accepts cookies. So the solution I came up with was to save all the data into a file, and just have the session id in a hidden field, with the session id corresponding to the file. As the data is all in the file where it can't be got at, the values can't be changed. I also added a routine to delete files over 1 month old, so as not to end up with a huge amount of saved data.

Would this approach be any good for you?