in reply to Re: Re: How should I handle Orphan Sessions?
in thread How should I handle Orphan Sessions?

1. You can force a new valid login to log-out any previous or current logins of the same user account.

<That might work, but if I were the user, I do not want to be booted out from my session by someone who accidentally or not, just got my login information>

2. You can track the IP address (or some other machine identifier)

<This wouldn't work since the primary users of my website are students that might access the webpage from different internet cafes>

3. There are always cookies. I personally do not like cookies for session management, I think they are clunky myself.

<I haven't tried this approach. If I grab a cookie through $ENV{HTTP_COOKIE}, if the client closes his browser, would this variable be empty?>

As of the moment, I am setting my sessions to expire after an hour. I could probably try setting them to expire after X number of minutes that it is idle.

Thanks for the suggestions!
Jay Soon

Re: Re: Re: Re: How should I handle Orphan Sessions?
by sauoq (Abbot) on Dec 20, 2003 at 07:17 UTC
    Thanks for the suggestions!

    Please note that those were not my suggestions. I was replying to stvn and quoting his suggestions whereas you are replying to me.

    Just the same, now that I reread his first bullet, it is essentially the same as my initial suggestion minus an idle time check.

    As I mentioned in my reply to pg in this thread, you really must rely on the authentication credentials you get. Your concern about booting someone off just because someone else got his login information is a bit misguided. That's exactly why someone has login credentials in the first place. If two people have the same login, there is no way for you to tell which one is authentic. Don't bother second guessing it.

    -sauoq
    "My two cents aren't worth a dime.";
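The following Perl is an added example written for this page; it is not code from either poster. It puts together the two mechanisms discussed above: the idle-time check that sauoq's reply says stvn's first bullet was missing, and the "a new login evicts the user's older sessions" policy from that bullet, which is the consistent way to act on the credentials you are given rather than second-guessing them. It also shows where `$ENV{HTTP_COOKIE}` fits: the server is never told that a browser closed. A cookie set without an expiry simply stops being sent, so the next request from a fresh browser arrives with no `sid` at all, and the only thing that reclaims the abandoned server-side record is the idle timeout. The cookie name `sid`, the user name, the constructed `Cookie` header string and the epoch timestamps are all assumptions for the demo; a real CGI would read the header from `$ENV{HTTP_COOKIE}` and keep `%sessions` in a file or database instead of memory.

```perl
#!/usr/bin/perl
# Added example (not from the thread): server-side session table with an idle
# timeout, an absolute lifetime, and "new login evicts older sessions of the
# same user", with the session id taken from the browser's Cookie header.
use strict;
use warnings;
use 5.010;                       # for the // operator
use Digest::SHA qw(sha256_hex);  # core module

my $IDLE_LIMIT     = 15 * 60;    # seconds with no request before a session is orphaned
my $ABSOLUTE_LIMIT = 60 * 60;    # hard cap regardless of activity (the poster's one hour)

# In-memory store for the demo; a real CGI keeps this in a file or DB.
my %sessions;   # id => { user => ..., created => epoch, last_seen => epoch }

sub new_session_id {
    my $raw;
    if (open my $fh, '<:raw', '/dev/urandom') {
        read $fh, $raw, 32;
        close $fh;
    } else {
        # Fallback only so the demo runs everywhere; rand() is not a CSPRNG.
        $raw = join '', map { chr int rand 256 } 1 .. 32;
    }
    return sha256_hex($raw);
}

# Pull one named cookie out of a raw Cookie header ("a=1; sid=abc; b=2").
# In a CGI the header is $ENV{HTTP_COOKIE}; here it is passed in.
sub cookie_value {
    my ($header, $name) = @_;
    return undef unless defined $header;
    for my $pair (split /;\s*/, $header) {
        my ($k, $v) = split /=/, $pair, 2;
        return $v if defined $k && $k eq $name;
    }
    return undef;
}

sub login {
    my ($user, $now, $single_session) = @_;
    if ($single_session) {
        # Bullet 1 from the thread: a valid login evicts the user's other sessions.
        delete $sessions{$_} for grep { $sessions{$_}{user} eq $user } keys %sessions;
    }
    my $id = new_session_id();
    $sessions{$id} = { user => $user, created => $now, last_seen => $now };
    return $id;
}

sub expired {
    my ($s, $now) = @_;
    return $now - $s->{last_seen} > $IDLE_LIMIT || $now - $s->{created} > $ABSOLUTE_LIMIT;
}

# Validate the session presented in a request; returns the user name or undef.
sub session_user {
    my ($cookie_header, $now) = @_;
    my $id = cookie_value($cookie_header, 'sid');
    return undef unless defined $id && exists $sessions{$id};
    my $s = $sessions{$id};
    if (expired($s, $now)) {
        delete $sessions{$id};   # orphaned or past its hard limit: drop it
        return undef;
    }
    $s->{last_seen} = $now;      # sliding idle window
    return $s->{user};
}

# Periodic sweep so sessions nobody ever revisits do not pile up on disk.
sub reap_orphans {
    my ($now) = @_;
    my @dead = grep { expired($sessions{$_}, $now) } keys %sessions;
    delete $sessions{$_} for @dead;
    return scalar @dead;
}

# Demo on a constructed timeline (all values assumed).
my $t0  = 1_000_000;
my $sid = login('jay', $t0, 1);
my $hdr = "theme=dark; sid=$sid";   # constructed Cookie header, as a browser would send it
say "t+5m  : ",  session_user($hdr, $t0 + 300)  // 'no session';   # active, last_seen moves to +5m
say "t+25m : ",  session_user($hdr, $t0 + 1500) // 'no session';   # 20 min idle > 15: orphaned

# Relogin from another cafe evicts the older session of the same account.
my $old = login('jay', $t0, 1);
my $new = login('jay', $t0 + 10, 1);
say "old sid after relogin: ", session_user("sid=$old", $t0 + 20) // 'no session';
say "new sid after relogin: ", session_user("sid=$new", $t0 + 20) // 'no session';

# Browser closed and never came back: nothing tells the server, the sweep does.
login('guest', $t0, 0);
say "reaped: ", reap_orphans($t0 + $ABSOLUTE_LIMIT + 1);
```

The idle check and the absolute cap are deliberately separate: the idle window handles the closed-browser case, while the hard cap bounds how long a stolen or shared session id stays usable no matter how active it is. The `reap_orphans` sweep is what keeps a file- or database-backed store from growing without bound, since a session that is never revisited is never checked by `session_user`.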