in reply to Sessions with perl cgi

jdtoronto's advice is good: CGI::Session. Be sure to look at http://search.cpan.org/~sherzodr/CGI-Session-3.95/Session.pm for a description of that module and what it can do for you.

Here is an excerpt from its POD:

CGI-Session is a Perl5 library that provides an easy, reliable and modular session management system across HTTP requests. Persistency is a key feature for such applications as shopping carts, login/authentication routines, and applications that need to carry data across HTTP requests. CGI::Session does that and many more.

I wanted to also point out a pretty good discussion on this subject (one of many that I found with the search button): Secure Session ID values. One thing I learned in that thread is that there are "session hijackers" out there looking to figure out the algorithm that creates a session ID so that they can hijack a session in progress and hopefully get things like credit card information. For that reason, it's a good idea to not use an algorithm that produces a session ID by following a predictable pattern. This is probably why MD5 hashing is such a popular component of secure session IDs.


Dave


"If I had my life to do over again, I'd be a plumber." -- Albert Einstein

Re: Re: Sessions with perl cgi
by Willard B. Trophy (Hermit) on Oct 16, 2003 at 15:47 UTC
    To further explain why one should never, ever use anything guessable for session ids:

    A company of my acquaintance had a gallery system. People could upload pictures which, once approved, would appear in the gallery. The pictures that had not yet been approved were stored under the session name in a temporary (but publicly-readable) directory. The session key was based on the current time and a simple incrementing counter.

    An enterprising porn operator noticed the system, and very quickly worked out how to access the public URLs of uploaded files. In a short period of time the company was inadvertently hosting more than 3GB of, um, interesting pictures.

    This case is a combination of a few minor things not to do, but the total effect was potentially very damaging.

    --
    bowling trophy thieves, die!
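The two posts above make the same point from different directions: Dave's note that hashing a predictable pattern is not enough, and Willard's "time plus counter" gallery key. The script below is an added illustration, not code from the thread or from CGI::Session, and it assumes a Unix host with /dev/urandom and the core Digest::SHA module. It puts the weak scheme beside a CSPRNG-backed one and includes a self-audit check: given the scheme and a rough issue time, can the id be reproduced by enumerating the input space?

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);

# The scheme from the gallery story: wall-clock time plus a counter.
# Hashing it (MD5 or SHA-256, it makes no difference) adds no secrecy,
# because the set of possible inputs is tiny and known to an observer.
my $counter = 0;
sub predictable_id {
    my ($now) = @_;
    $now = time unless defined $now;
    return sha256_hex(sprintf "%d-%d", $now, ++$counter);
}

# Unguessable: 256 bits straight from the kernel CSPRNG, hex-encoded.
# This is the property a session id (or a temp-file name derived from
# it) needs; the hash in the weak scheme only hides the format.
sub random_id {
    open my $fh, '<:raw', '/dev/urandom' or die "open /dev/urandom: $!";
    read($fh, my $bytes, 32) == 32 or die "short read from /dev/urandom";
    close $fh;
    return unpack 'H*', $bytes;
}

# Audit helper: try to reproduce an id from the time-plus-counter scheme,
# searching +/- $window seconds around the observed issue time and the
# first $max_counter counter values. Returns 1 if the id is reproducible.
sub reproducible_within {
    my ($id, $seen_at, $window, $max_counter) = @_;
    for my $t ($seen_at - $window .. $seen_at + $window) {
        for my $c (1 .. $max_counter) {
            return 1 if sha256_hex(sprintf "%d-%d", $t, $c) eq $id;
        }
    }
    return 0;
}

# Demo: the weak id falls to a 12,100-candidate search (60 s * 2 * 100);
# the random id is unaffected by any search of practical size.
my $issued = time;
my $weak   = predictable_id($issued);
my $strong = random_id();
printf "time+counter id reproduced: %s\n",
    reproducible_within($weak, $issued, 60, 100) ? 'yes' : 'no';
printf "/dev/urandom id reproduced:  %s\n",
    reproducible_within($strong, $issued, 60, 100) ? 'yes' : 'no';
```

The same check applies to any id derived from timestamps, process ids or counters: if you can rebuild it from a few thousand candidates, so can anyone who has watched the site issue a couple of sessions.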