http://qs1969.pair.com?node_id=1114957

mwhiting has asked for the wisdom of the Perl Monks concerning the following question:

Hi - I have a script that runs on both windows and linux servers. On windows, I use perl2exe to compile it, though I don't think that is the source of the problem here.

The script uses CGI::Session for session IDs for the purposes of keeping a password from one session to the next. With a Linux/unix server, if you are logged in successfully, and later copy and paste the URL from your browser (which contains a parameter with the session ID) into an email and send it to another computer, the second computer doesn't recognize the session ID as valid for itself and re-prompts for a password (as it should do).

It would be a URL similar to this:
myserver.com/script.exe?dbNum=1&action=3&CGISESSID=e91b1bfb03f67854f9675b40f6a705ac

But on a Windows server the same action doesn't result in getting prompted for a password. The server will recognize the session ID and just continue on as normal, even though no one has ever entered a password on this second PC before.

Any insights as to why this would be?

Re: SessionID on a windows server
by ikegami (Patriarch) on Jan 29, 2015 at 19:09 UTC
    If you're doing your client binding using use CGI::Session '-ip_match';, it uses $ENV{REMOTE_ADDR} to distinguish the clients. Check to see if that varies by client. It should be the client's IP address.

      I have not been using -ip_match with my Session object; I just read up on it and realized I should be.

      However, will the functionality of -ip_match still be limited in the case of transferring a link from one PC to another, where both are behind a router that masks their individual IPs and just shows a common one for the location? (Like the way your home computer network IPs are not shown to the outside world, just one IP for your router.)
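An added example, not code from the thread or from CGI::Session's own documentation, showing what ikegami's suggestion looks like in a small login gate: the session is imported with `-ip_match` (underscore, as in ikegami's reply), so a stored session whose recorded `_SESSION_REMOTE_ADDR` differs from the current `$ENV{REMOTE_ADDR}` is not handed back and the caller gets a fresh, empty session; the ID is then sent only as an HttpOnly cookie instead of in the URL, with the Secure flag added when the request came over HTTPS. The session directory, the `authenticated` parameter name and `check_password` are placeholders. Note that this does not answer the NAT question above: two clients behind one router present the same `REMOTE_ADDR`, so address binding alone cannot tell them apart, which is why the ID should stay out of pasteable links.

```perl
#!/usr/bin/perl
# Added example (not from the thread): bind the CGI::Session to the
# client address with -ip_match and keep the session id out of the URL.
use strict;
use warnings;
use CGI;
use CGI::Session qw/-ip_match/;   # the underscore matters: -ip_match

my $cgi = CGI->new;

# new() takes the id from the CGISESSID cookie or query parameter.
# With -ip_match on, a session recorded under a different
# $ENV{REMOTE_ADDR} is not returned; we get an empty session instead,
# so 'authenticated' below is undefined and the password prompt fires.
my $session = CGI::Session->new(
    'driver:File', $cgi, { Directory => '/tmp/sessions' }   # placeholder path
) or die CGI::Session->errstr;

$session->expire('+30m');   # idle timeout, independent of the address check

if ( !$session->param('authenticated') ) {
    my $pw = $cgi->param('password') // '';
    if ( check_password($pw) ) {                  # placeholder check
        $session->param( authenticated => 1 );
        $session->flush;
    }
    else {
        print $cgi->header, "Password required\n";   # (re)prompt
        exit;
    }
}

# Send the id only as a cookie; never echo it into links or emails.
my $cookie = $cgi->cookie(
    -name     => $session->name,   # CGISESSID by default
    -value    => $session->id,
    -path     => '/',
    -httponly => 1,                # not readable by page scripts
    -secure   => ( $ENV{HTTPS} ? 1 : 0 ),   # Secure flag only over HTTPS
);
print $cgi->header( -cookie => $cookie );
printf "Session %s bound to %s\n", $session->id, $session->remote_addr // 'n/a';

# Placeholder: compare against your real credential store.
sub check_password { my ($pw) = @_; return $pw eq 'CHANGE-ME'; }
```

The `-secure` flag is conditional so the same script works on a plain HTTP customer site (the cookie is then sent without Secure, which is the Anonymous Monk's point below: HTTPS improves secure cookies but is not required to set one); HttpOnly costs nothing and is set unconditionally.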

Re: SessionID on a windows server (secure cookies)
by Anonymous Monk on Jan 30, 2015 at 00:29 UTC

      After looking up secure cookies, it would appear you have to be on a secure server to use them (and use https for calls). I wouldn't be guaranteed that I could use a secure server on the various customer sites.

      Also, I think we wouldn't want to have to move the script and associated files from the regular server to the secure one. (maybe that's not a problem, maybe you can use https from the same folder on the server as before, I'm not certain on that.)

        After looking up secure cookies, it would appear you have to be on a secure server to use them (and use https for calls).

        Secure server? HTTPS? No, that's not secure cookies -- sure, it enhances "secure cookies", but it's not a requirement.

Re: SessionID on a windows server
by mwhiting (Beadle) on Jan 30, 2015 at 15:34 UTC

    OK - those are great suggestions. I have some other questions about each of them, I'm investigating some now.

    But I was really wondering why does the Windows server allow that cross computer usage of the same session id, but the linux server does not? Any ideas? Is it something fundamental about the Win server or a quirk of Linux?

      But I was really wondering why does the Windows server allow that cross computer usage of the same session id, but the linux server does not? Any ideas? Is it something fundamental about the Win server or a quirk of Linux?

      Neither -- the problem is your program, not the webserver

Re: SessionID on a windows server
by mwhiting (Beadle) on Feb 18, 2015 at 19:59 UTC
    Well, I tried implementing the -ip_match with my CGI::Session, and I don't get any different results when accessing the same script from computers with different IPs. I added this code:
    use CGI::Session qw/-ip-match/;
    instead of my usual use CGI::Session; line.

    I also tried adding

    $session::IP_MATCH = 1;
    to the mix, after the creation of the session object, and still I see no difference in the results on browsers with different IPs. I can email the copy & pasted URL, with session ID in it (yes, I'm still doing that while I try this out) and the different computers still access the session info just fine and load the page up.

    What am I missing here in the use of -ip_match ?

Re: SessionID on a windows server
by sundialsvc4 (Abbot) on Jan 30, 2015 at 14:42 UTC

    I am not specifically familiar with this module, but logically the first place to begin would be to have a look at the session-store that it uses ... be it a file or a database or whatever it is. You ought to be able to see the list of tokens, perhaps the IP-addresses with which they are associated, and so on. And in any case, the software should be checking IPs, session timeout dates, and so forth to be certain that forged or stolen credentials are not being used. Start by looking at the authoritative session-data source that it's referring to. Be sure, for example, that the IP address that it's seeing does not belong, say, to an internal router or somesuch.
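An added example, not from the thread, of the inspection sundialsvc4 describes: an offline audit script that walks the File driver's store with `CGI::Session->find` and prints, for each stored token, the address it was created from (`remote_addr`), its creation and last-access times, whether it has expired, and whether it carries an `authenticated` flag. The directory and the `authenticated` parameter name are assumptions. Deliberately it does not import `-ip_match`: with address matching on and no `REMOTE_ADDR` in the environment, loading a session would count as a mismatch and discard it, so the audit itself would destroy the records it is meant to read.

```perl
#!/usr/bin/perl
# Added example (not from the thread): list what CGI::Session's File
# driver has stored, so the address binding can be checked against the
# server's own records. Run from a shell, not from the CGI itself.
use strict;
use warnings;
use CGI::Session;            # no -ip_match here: see the lead-in
use POSIX qw(strftime);

my $dir = '/tmp/sessions';   # placeholder: the Directory your script uses

CGI::Session->find( 'driver:File', \&show, { Directory => $dir } )
    or die CGI::Session->errstr;

# Called once per stored session with an initialised session object.
sub show {
    my ($s) = @_;
    return if $s->is_empty;   # entries that could not be loaded

    my $fmt = sub {
        defined $_[0] ? strftime( '%Y-%m-%d %H:%M:%S', localtime $_[0] ) : 'n/a';
    };

    printf "%-32s addr=%-15s created=%s last=%s %s%s\n",
        $s->id,
        $s->remote_addr // 'n/a',   # undef if REMOTE_ADDR was absent at creation
        $fmt->( $s->ctime ),
        $fmt->( $s->atime ),
        ( $s->is_expired ? 'EXPIRED ' : '' ),
        ( $s->param('authenticated') ? 'auth' : 'unauth' );
}
```

What to look for in the output: every entry should carry a real client address, not the address of an internal router or reverse proxy (if all sessions show the same `addr`, the server is seeing a proxy, and `-ip_match` cannot distinguish clients until the real client address is restored upstream); and no entry should reach `auth` without having passed the script's own password prompt.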