Anonymous Monk has asked for the wisdom of the Perl Monks concerning the following question:

I tried doing a search here for session ID information and I was either searching the wrong string or there isn't anything here.

I have a page that has paypal add to cart buttons and I need a way to force them to add a SHIPPING cost to it, too. There's no way to do what I want with just these buttons so I need to setup a small cart that holds all data on my server until it's finally calculated and one paypal button is created.

I have an HTML page that is using .shtml pages already for header and footer files so I figure I can add the perl script for the sessions to the header of all of my pages?

It will be a very simple cart, it won't do anything but hold product quantity, price and description. I just need information on session ids, what modules to use, if I can do it with all of my pages with .shtml and any other information you have on it. Perhaps a good intro tutorial that has examples?

Thanks for all your help!

Replies are listed 'Best First'.
Re: using session ids
by fokat (Deacon) on Nov 22, 2005 at 05:14 UTC

    A session id should not be much more than a key used to get state information kept on the server side. Common ways to implement this are:

    Pretty standard, supported by most (current?) browsers although disliked by some users. Tend to remain in the computer, so this may be an issue with users in public access terminals.
    Hidden (or not so) variables
    Usually complicate your design and may get in the way. A variant, using visible variables with the GET method can be problematic if the user bookmarks the page (the variable will stay with the link forever).
    Mangled URIs
    Similar to exposed GET HTTP variables, this technique consists in mangling the URI to keep there the session id.

    (I may have left some other way outside of this node). Keep in mind that it should be as hard as possible/practical to guess the value of another user's session id. In your case, this may lead to leaked user information or tampered carts.

    If you configure it properly with mod_usertrack, Apache will supply a good enough cookie to your users, which you may use for referencing the data you keep on the server side. This of course, requires users to accept your cookies.

    You'll find modules such as Apache::Session to be of help, although looking at your question, I wonder if following the CGI::Application path wouldn't be a better choice.

    As implied by my above statements, never use the session id to directly store the information you want to preserve. By its nature, the session id comes and goes from the client to the server and back. Not following this advice, may lead to compromised customer information (the session info you kept in the id) or even succesful attacks against your web application, as an attacker may forge the contents of the session id. Sorry if you already knew this or if I sound alarmist, but in my line of work, I find this mistake over and over again.

    Best regards

    -lem, but some call me fokat