kiat has asked for the wisdom of the Perl Monks concerning the following question:

Hi all,

Is CGI::Session supposed to do what is typically done by cookies? It seems cookies don't work when firewalls are installed or in certain OSs.

I once set a cookie (with use CGI qw(:standard)) with an expiry value of '+h'. While that worked in Windows 98 and XP (and I suspect most other OSs), it ran into problems in Windows 2000 Professional. The cookie could not be set. I played with the values and changed it to '+3H', and that solved the problem. The cookie code is as follows:

    package Login;
    use Subs;

    my $cookie1 = do_cookie(
        -name    => 'cookie1',
        -value   => '123',
        -path    => '/',
        -expires => '+h'
    );
    my $cookie2 = do_cookie(
        -name    => 'cookie2',
        -value   => 'abc',
        -path    => '/',
        -expires => '+h'
    );
    main_page({ cookie => [$cookie1, $cookie2] });
    1;

    package Subs;
    use CGI qw(:standard);

    sub do_cookie {
        my %cookie = @_;
        return cookie(%cookie);
    }

    sub main_page {
        my $stuff = shift;
        print header(-cookie => $stuff->{'cookie'});
        # rest of code...
    }
    1;

Anyway, cookies come across as pretty unreliable to me (besides the fact that their values can be modified) so I'm wondering if using CGI::Session is a better solution to managing persistent sessions...

Any opinions? cheers,

Replies are listed 'Best First'.
Re: CGI session vs cookie
by matija (Priest) on Apr 13, 2004 at 05:55 UTC
    First, I doubt that '+h' is valid syntax for cookies. Which is probably the reason it stopped working. '+3h' on the other hand, is valid cookie syntax.

    As for CGI::Session, it can store its session value in a cookie or in a hidden variable or in the URL. The latter two should pass through most firewalls. At least I never heard of a firewall that would parse the URLs and extract just the session ID. ;-)

Re: CGI session vs cookie
by eric256 (Parson) on Apr 13, 2004 at 16:00 UTC

    CGI::Session doesn't really take the place of cookies but it supplements them. Since the data for a session is stored on your server you know it is more secure than a cookie. As you mentioned, cookies can be changed. I normally store some sort of session ID in the cookie and use that + the IP address (CGI::Session will handle that for you) to then retrieve the session data. In that way no real data is stored on a user's machine and it would be harder to use the cookie to steal access to the account. I think cookies are pretty reliable, but even if they are not, CGI::Session provides means for including that session ID in forms or links as well.


    ___________
    Eric Hodges
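
An added example, not code from any poster in this thread: the pattern described in the replies above, where the cookie carries only a session ID, the data stays in a server-side store, and the session is tied to the client address. The store directory, the addresses, the user value and the `request` helper are constructed for the demonstration; `REMOTE_ADDR` is set by hand in place of a web server.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;
use CGI::Session '-ip_match';    # tie each session to the REMOTE_ADDR that created it
use File::Temp qw(tempdir);

my $dir = tempdir(CLEANUP => 1); # constructed server-side session store

# Login request: create the session and keep the data on the server.
my $sid;
{
    local $ENV{REMOTE_ADDR} = '192.0.2.10';          # constructed client address
    my $s = CGI::Session->new('driver:file', undef, { Directory => $dir })
        or die CGI::Session->errstr;
    $s->param(user => 'kiat');                       # never leaves the server
    $s->expire('+3h');                               # server-side lifetime
    $sid = $s->id;
    $s->flush;
}

# The only thing sent to the browser is the opaque ID ('+3h', not '+h').
my $cookie = CGI->new('')->cookie(
    -name    => CGI::Session->name,
    -value   => $sid,
    -path    => '/',
    -expires => '+3h',
);
print "Set-Cookie: $cookie\n\n";

# Hypothetical helper: simulate a later request presenting $claimed_id from $ip.
sub request {
    my ($label, $ip, $claimed_id) = @_;
    local $ENV{REMOTE_ADDR} = $ip;
    my $s = CGI::Session->new('driver:file', $claimed_id, { Directory => $dir })
        or die CGI::Session->errstr;
    printf "%-32s session=%s user=%s\n", $label,
        ($s->id eq $sid ? 'reused' : 'new'), $s->param('user') // '(none)';
    $s->flush;
}

request('same cookie, same address',  '192.0.2.10',   $sid);
request('edited cookie value',        '192.0.2.10',   'f' x 32);
# With -ip_match the stored data is not handed to a different address.
request('same cookie, other address', '198.51.100.7', $sid);
```

Changing the cookie value only selects a different (empty) session, and address binding also rejects legitimate users whose address changes between requests, for example behind a proxy pool.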