Re^3: Concern with CGI::Session

by Joost (Canon)
on Jun 14, 2005 at 08:04 UTC


in reply to Re^2: Concern with CGI::Session
in thread Concern with CGI::Session

I find it's easier if you just pretend that the session is always there (just create a session when one is requested), and then when the user logs in put some token in the session indicating what user it is (like the user id or login name).

In the pages that require a valid user you only need to check whether the session contains a valid user id or redirect back to the login page (or give an error).

This also means that you can use the session for other user state, even when they're not logged in.

Re^4: Concern with CGI::Session
by Anonymous Monk on Jun 14, 2005 at 09:02 UTC
    I'm not sure if I presented my problem correctly.

    About the example from the CGI::Session::Tutorial doc. I listed above, it only checks to see if a Cookie name exists or not.

    That being said, anyone who can create a cookie with the same name can be verified and will be able to view a members area site.

    How can you use CGI::Session to actually check the session id from the cookie to match the one from the database? There is nowhere in the tutorial or in the cookbook that shows an example how. Ahhhhh I wish I was smart and could figure this stuff out easy.
      About the example from the CGI::Session::Tutorial doc. I listed above, it only checks to see if a Cookie name exists or not.
      And it will fail if the cookie's value is not a valid current session id. Which is good enough. I like
      my $session = CGI::Session->new(undef, $cgi, {Directory=>'/tmp'});
      better though, since I then don't have to remember what the cookie's name is, and it also handles session ids via param().
      That being said, anyone who can create a cookie with the same name can be verified and will be able to view a members area site.
      Update: anyone who can create a cookie with the right name and the same VALUE (session id) can do that. These session ids are generated "randomly" and are not easy to guess at all.

      Just make sure the sessions time out after some period of inactivity. You can also store the user-agent info in the session and check that for each request (pretty reliable, but not that secure) and/or store the client's IP address in the session and check it (which will fail for some ISPs, since they rotate IP addresses) but that's about it. If you're really worried about this, you should also worry about people snooping the username/password from the login request. Use SSL and hard to guess session ids (default in CGI::Session).

      How can you use CGI::Session to actually check the session id from the cookie to match the one from the database? There is nowhere in the tutorial or in the cookbook that shows an example how. Ahhhhh I wish I was smart and could figure this stuff out easy.
      That's what the new CGI::Session line does. It checks if there is a session with the given id and returns that. If the id is undefined, it gives you a new session. Any data stored in the session object will be stored somewhere for later retrieval. That's all there is to it.

      Update: you also seem to have missed the fact that $cgi->cookie($name) returns just the cookie's value, not a CGI::Cookie object. See the CGI docs.
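
The pattern from the two replies above (always create a session, store the user id at login, check it on protected pages, add an inactivity timeout and a user-agent check), as an added example that is not part of the original thread. The sub names `get_session`, `log_in` and `current_user`, the `DemoBrowser/1.0` string and the temporary session directory are hypothetical and constructed for the demo; the password check itself is assumed to happen before `log_in` is called.

```perl
use strict;
use warnings;
use CGI;
use CGI::Session;
use File::Temp qw(tempdir);

# Constructed for the demo: a throwaway directory for the session files.
my $dir = tempdir(CLEANUP => 1);

# Always hand back a session: an unknown, expired or missing id yields a
# fresh, empty session, so a made-up cookie value carries no login state.
sub get_session {
    my ($cgi) = @_;
    my $session = CGI::Session->new(undef, $cgi, {Directory => $dir})
        or die CGI::Session->errstr;
    $session->expire('+30m');            # time out after 30 idle minutes
    return $session;
}

# Call only after the password check (not shown) has succeeded.
sub log_in {
    my ($session, $user_id) = @_;
    $session->param(user_id    => $user_id);
    $session->param(user_agent => $ENV{HTTP_USER_AGENT} // '');
    $session->flush;                     # write to disk now
}

# Protected pages: the user id must be in the server-side session and the
# browser must still send the user-agent string recorded at login.
sub current_user {
    my ($session) = @_;
    my $user = $session->param('user_id') or return;
    return unless ($session->param('user_agent') // '') eq ($ENV{HTTP_USER_AGENT} // '');
    return $user;
}

# Constructed requests; the id is passed as a CGISESSID parameter, which
# CGI::Session accepts in place of the cookie.
$ENV{HTTP_USER_AGENT} = 'DemoBrowser/1.0';
my $s1 = get_session(CGI->new({}));
print "before login: ", (current_user($s1) // 'no user'), "\n";
log_in($s1, 'alice');

my $s2 = get_session(CGI->new({CGISESSID => $s1->id}));
print "real id:      ", (current_user($s2) // 'no user'), "\n";

my $s3 = get_session(CGI->new({CGISESSID => 'f' x 32}));
print "made-up id:   ", (current_user($s3) // 'no user'), "\n";
```

In a real CGI script the response would be sent with `$session->header()`, which sets the CGISESSID cookie for the browser.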

Re^4: Concern with CGI::Session
by rjsaulakh (Beadle) on Jun 14, 2005 at 09:20 UTC

    I too am facing the same problem. I am able to set the cookie with the session id in it and I am trying to fetch the cookie using

    %cookie = fetch CGI::Cookie;
    but there is no output. I tried a number of ways without any success.
    My purpose is solved if I can successfully fetch the cookie,
    after which I can take the session id and do something with it.
