Beware using the IP address as a unique token for a session. Any users that go through a proxy will appear to come from the same IP. AOL users for instance rotate through a handful of IP addresses for each request.

The other replies have hopefully pointed you in the right direction.

Also, if you decide to store the information in a file make sure you lock it when updating and reading. Otherwise it will get corrupted at some point.

Updated: I had a chance to look at how I had coded the login stuff on my pages here. The relevant bit is to use Apache::Session which gives me an ID that I then stuff into a cookie. The IDs generated are relatively secure, they use all sorts of good random info then run it through an MD5 hash so I think they are unguessable. Anyway, onto the code:

    use Apache::Session::File;
    use CGI::Cookie;

    use constant TIMEOUT     => 60 * 60 * 2;   # 2 hours
    use constant COOKIE_NAME => 'MY_COOKIE';
    use constant BASE_URL    => '/';

    # Get the ID from the cookie (if one was set). parse() returns
    # CGI::Cookie objects, so take ->value; the leading '+' makes Perl
    # treat COOKIE_NAME as the constant rather than a bareword string.
    my $raw_cookie = $r->header_in('Cookie') || "";
    my %cookies    = parse CGI::Cookie($raw_cookie);
    my $id = $cookies{+COOKIE_NAME} ? $cookies{+COOKIE_NAME}->value : undef;

    # Get the session object from disk. Apache::Session dies if the ID
    # from the cookie is not in the store (stale or forged cookie), so
    # the tie is wrapped in eval and a failed lookup gets a fresh session.
    my %session;
    eval {
        tie %session, 'Apache::Session::File', $id, {
            Directory     => '/tmp/state',
            LockDirectory => '/tmp/state',
        };
    };
    if ($@) {
        undef $id;
        tie %session, 'Apache::Session::File', undef, {
            Directory     => '/tmp/state',
            LockDirectory => '/tmp/state',
        };
    }

    # Set the cookie back if it was new
    if (not defined $id) {
        my $new_cookie = new CGI::Cookie(
            -name  => COOKIE_NAME,
            -value => $session{_session_id},
            -path  => BASE_URL,
        );
        $r->err_header_out('Set-Cookie' => $new_cookie);
    }

    # Now just read and write things to the session object
    # and they will get saved. You have to be careful about
    # any references though. See the docs for details.

    # Check to make sure the session is valid: it must be marked
    # valid and have been touched within the last TIMEOUT seconds.
    my $cur_time = time;
    unless (defined $session{last_access}
            and $session{last_access} >= $cur_time - TIMEOUT
            and defined $session{valid}
            and $session{valid} == 1) {
        # Illegal access, bump to the login page
        # It must make the session valid by setting the
        # last_access and valid fields.
    }
    $session{last_access} = $cur_time;

Please note that this code will probably need to be changed to fit your web environment. I was using $r since my code comes from mod_perl. If you are using straight CGI then there is a CGI.pm thing to set the cookie stuff in the response header. The above may or may not work since I cut and pasted relevant bits from my setup (I am using Mason) and actually have stuff split up across subroutines because my data store and authentication is a bit more twisty.

-ben


In reply to Re: Webpage Logins by knobunc
in thread Webpage Logins by arashi
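Added example, not part of knobunc's post or of Apache::Session: the same pattern as the snippet above (unguessable ID handed out in a cookie, state kept in a file that is read and written under a lock, idle timeout plus a "valid" flag that only the login page sets) written in core Perl only, for the case where you roll your own file store and so need the flock the post warns about yourself. The state directory, the `.sess` file layout and the function names are assumptions made for this example; the timeout check is the post's, with the comparison the right way round.

```perl
# Added example, not from the original post: a minimal file-backed session
# store in core Perl. Assumptions: a temp directory stands in for /tmp/state,
# sessions are "key=value" lines, and the function names are invented here.
use strict;
use warnings;
use Fcntl qw(:flock O_RDWR O_CREAT);
use Digest::MD5 qw(md5_hex);
use File::Spec;
use File::Temp qw(tempdir);

use constant TIMEOUT => 60 * 60 * 2;   # idle timeout: 2 hours, as in the post

my $dir = tempdir(CLEANUP => 1);       # assumption: state directory

# An ID the client cannot guess: 32 bytes from /dev/urandom where available,
# mixed with time, pid and rand() and run through MD5, as Apache::Session does.
sub new_session_id {
    my $seed = '';
    if (open my $fh, '<:raw', '/dev/urandom') {
        read $fh, $seed, 32;
        close $fh;
    }
    $seed .= join ':', time, $$, rand();
    return md5_hex($seed);
}

# Map an ID to a file only if it is well formed. Anything else arriving in
# the cookie (e.g. "../../etc/passwd") counts as "no session", never as a path.
sub session_path {
    my ($id) = @_;
    return undef unless defined $id && $id =~ /\A[0-9a-f]{32}\z/;
    return File::Spec->catfile($dir, "$id.sess");
}

# Read a session under a shared lock. Returns undef when there is none.
sub load_session {
    my ($id) = @_;
    my $path = session_path($id) or return undef;
    open my $fh, '<', $path or return undef;
    flock $fh, LOCK_SH or die "flock $path: $!";
    my %s;
    while (my $line = <$fh>) {
        chomp $line;
        my ($k, $v) = split /=/, $line, 2;
        $s{$k} = $v if defined $v;
    }
    close $fh;
    return \%s;
}

# Write a session under an exclusive lock so two concurrent requests for the
# same ID cannot interleave their writes and corrupt the file.
sub save_session {
    my ($id, $s) = @_;
    my $path = session_path($id) or die "refusing to save malformed session id";
    sysopen my $fh, $path, O_RDWR | O_CREAT, 0600 or die "open $path: $!";
    flock $fh, LOCK_EX or die "flock $path: $!";
    truncate $fh, 0 or die "truncate $path: $!";
    seek $fh, 0, 0 or die "seek $path: $!";
    print {$fh} "$_=$s->{$_}\n" for sort keys %$s;
    close $fh or die "close $path: $!";
}

# Live only if marked valid and last touched within TIMEOUT seconds of now.
sub session_is_valid {
    my ($s, $now) = @_;
    return 0 unless $s && defined $s->{valid} && $s->{valid} == 1;
    return 0 unless defined $s->{last_access} && $s->{last_access} >= $now - TIMEOUT;
    return 1;
}

# One request: take whatever ID the cookie carried (none, stale or tampered).
# A missing, unknown or expired session is replaced by a fresh, not-yet-valid
# one; the caller would redirect to the login page and Set-Cookie the new ID.
sub handle_request {
    my ($cookie_id, $now) = @_;
    my $id = $cookie_id;
    my $s  = load_session($id);
    unless (session_is_valid($s, $now)) {
        $id = new_session_id();
        $s  = { valid => 0 };
    }
    $s->{last_access} = $now;
    save_session($id, $s);
    return ($id, $s);
}

# What the login page does once the password has checked out.
sub mark_logged_in {
    my ($id, $user, $now) = @_;
    my $s = load_session($id) or die "no such session";
    $s->{valid}       = 1;
    $s->{user}        = $user;
    $s->{last_access} = $now;
    save_session($id, $s);
}

my $t0 = time;
my ($id, $s) = handle_request(undef, $t0);                    # no cookie: fresh, not logged in
printf "new session %s valid=%d\n", $id, $s->{valid};
mark_logged_in($id, 'alice', $t0);
(my $id2, $s) = handle_request($id, $t0 + 60);                # a minute later: same ID, still valid
printf "same id: %d valid=%d user=%s\n", $id2 eq $id, $s->{valid}, $s->{user};
(my $id3, $s) = handle_request($id, $t0 + 60 + TIMEOUT + 1);  # idle too long: bumped to a new, invalid session
printf "same id: %d valid=%d\n", $id3 eq $id, $s->{valid};
(my $id4, $s) = handle_request('../../etc/passwd', $t0);      # garbage cookie: treated as no session
printf "malformed id replaced: %d valid=%d\n", $id4 ne '../../etc/passwd', $s->{valid};
```

Run it as a plain script (perl sessions.pl); it needs no modules outside core Perl. When Apache::Session::File is in use, its LockDirectory does the locking for you, but the ID check in session_path, the idle-timeout comparison and the "bump to a fresh invalid session" path are the same decisions the mod_perl snippet has to make.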
