PerlMonks
Re: using session ids
by fokat (Deacon) on Nov 22, 2005 at 05:14 UTC [id://510646]
A session id should not be much more than a key used to get state information kept on the server side. Common ways to implement this are:
(I may have left some other way outside of this node.) Keep in mind that it should be as hard as possible/practical to guess the value of another user's session id. In your case, this may lead to leaked user information or tampered carts. If you configure it properly with mod_usertrack, Apache will supply a good enough cookie to your users, which you may use for referencing the data you keep on the server side. This, of course, requires users to accept your cookies. You'll find modules such as Apache::Session to be of help, although looking at your question, I wonder if following the CGI::Application path wouldn't be a better choice.

As implied by my above statements, never use the session id to directly store the information you want to preserve. By its nature, the session id comes and goes from the client to the server and back. Not following this advice may lead to compromised customer information (the session info you kept in the id) or even successful attacks against your web application, as an attacker may forge the contents of the session id.

Sorry if you already knew this or if I sound alarmist, but in my line of work, I find this mistake over and over again.

Best regards

-lem, but some call me fokat
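An added illustration of the principle in the reply above (example code, not fokat's own and not Apache::Session): the cookie carries nothing but an unguessable key, and every piece of state lives in a server-side store looked up by that key. It assumes /dev/urandom is available and uses an in-memory hash as a stand-in for whatever backend Apache::Session would provide.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Server-side session store (constructed, in-memory stand-in for a real
# backend). The client only ever sees the key, never the contents.
my %SESSIONS;

# 256 bits from the OS CSPRNG, rendered as 64 hex characters. Die rather
# than silently fall back to something guessable like time() or $$.
sub new_session_id {
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    read($fh, my $bytes, 32) == 32 or die "short read from /dev/urandom";
    close $fh;
    return unpack 'H*', $bytes;
}

# Create a session; the returned id is the only thing handed to the client.
sub create_session {
    my $id = new_session_id();
    $SESSIONS{$id} = { cart => [], created => time() };
    return $id;
}

# Resolve a client-supplied id to its server-side state. Anything that is
# not exactly a 64-hex-char id, or is unknown, yields undef: the client
# cannot pick its own id or inject state through it.
sub session_for {
    my ($id) = @_;
    return undef unless defined $id && $id =~ /\A[0-9a-f]{64}\z/;
    return $SESSIONS{$id};
}

# Cookie plumbing: the cookie value is the key and nothing else.
sub cookie_header  { my ($id) = @_; return "Set-Cookie: sid=$id; HttpOnly; Secure; Path=/" }
sub id_from_cookie { my ($hdr) = @_; return ($hdr // '') =~ /(?:^|;\s*)sid=([0-9a-f]{64})(?:;|\z)/ ? $1 : undef }

# Demo: the cart is mutated on the server, the cookie never changes.
my $sid = create_session();
my $s   = session_for( id_from_cookie("sid=$sid; other=1") );
push @{ $s->{cart} }, 'item42';
print cookie_header($sid), "\n";
print "cart: @{ $s->{cart} }\n";
print "unknown id rejected\n" unless session_for('deadbeef' x 8);   # well-formed but never issued
```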