Thanks this solved one problem, but revealed another.
I am finding that somehow the cokkie value for the second cookie is the name of the variable that held it rather than the actual value. In my login script, I have the following to make the cookie:
($sessid,$tokcookie) = setup_session($userID, $userType);
my $cookie = $cgi->cookie(-name => 'CGISESSID', -value => $sessid, -
+expires => "+30m");
print $cgi->redirect(
-location => $base_url,
-cookie => [$cookie,$tokcookie]
);
setup_session is a function defined at the end of the login script, storing in the session table things like user ID, user type, and other values not relevant to this question. $cookie gets the proper name and value. However, $tokcookie does not. Within setup_session, there is the following call my ($session,$tok_cookie) = DBUtility::get_session($cgi,$uid);
And there are the relevant parts of that function: $rv = CGI::Session->new('driver:mysql',$query,{ DataSource => "db
+i:mysql:database=profitorius;host=$hostname",
User
+=> 'xxxxxxxxxxx',
Password
+=> 'yyyyyyyy' });
my $hash = $pbkdf2->generate($enc_csrfp_str);
$rv->param('enccsrfp',$hash);
$cookie = $query->cookie(-name=>'H_VAL',
-value=>$hash,
-httponly => 1,
-expires => "+30m",
-secure => 1);
return ($rv,$cookie);
$rv is the session, with the data retrieved from the DB. $enc_csrfp_str is a complex string, which includes a GUID (in string form, so only ASCII characters) and the user's ID. The variable $hash gets the encrypted value of $enc_csrfp_str, and you can see how I make a cookie out of it. Of course, this happens if the session is NEW. If the session is not new, then the hash cookie is retrieved using "$cookie = $query->cookie('H_VAL');" And we return the session object and the hash cookie. The mystery is why that cookie lozes it's name and gets a value of '$hash' rather than being made with the name H_VAL and the proper encrypted value originally put in $hash.
|