in reply to Secure State Maintenance

My take on the best method of security is context. I reckon one of the better methods is similar to what you suggest.

  • Issue the user with a non-determinate token (sess_id) in a cookie, with a timeout value (5mins, 15 mins etc)
  • Stick the sess_id in a database along with the user that owns it.
  • For each pageview, get the cookie value, and check it against your database.
  • If the cookie expires but the session is still active, set another cookie, with a different value and extend the session.
  • Make sure you include a logout function which will purge the record from the database.

    IMO there is no need to use crypto, save for md5, or sha1, which you could use to generate the sess_id, (seeded by the pid, time, rand and username perhaps). If you're going to have a high transaction site, you may as well use md5 (or sha1) because, its easy, and the chance of a collision is amazingly small.

    There are of course prebuilt things out there, however, I chose to write my own because it was fun and taught me a lot.

    For added security, add a dash of https, and run your sessions over it.

    Check out this node for a thread on sessions management without cookies, and here for a bit of light reading on secure session management.

    • In Section Seekers of Perl Wisdom