in reply to question on program flow and checking for cgi-session

Hello,

  1. Does everyone that comes to the site get a sessionid? Or only people that are logged in?

    Depends on your code :-) But in general I think that most session mechanisms give a session to everybody that visits some "dynamic page" (i.e. a CGI script or Apache handler). Mainly because it's easier that way:

        use CGI::Session;

        # somewhere at the start of some handler or CGI script...
        my $session = CGI::Session->new("driver:File", $query, {Directory=>'/tmp'});
        if (my $user = $session->param('user')) {
            # user is already logged in...
        }
        elsif ($user = get_user($query->param('user'), $query->param('password'))) {
            # $user from the if condition is still in scope here
            # store newly logged in user in session
            $session->param('user', $user);
        }

        # somewhere else
        print $session->header( -some => 'value' ); # instead of $query->header.

    Instead of having to check for a session id and a valid username and password combination, and maybe even more request params just to initialize the session object. Besides, sessions can be handy even if a user is not logged in.

  2. You do not want to "check the cookies"; you already have a session - see code example above, just store the valid username or user object in the session when the user logs in, and then you can retrieve the user name/object directly from the session afterwards.

  3. A session id is just some hard to guess string, that can be passed to the user agent (browser) - usually set as a cookie, but sometimes it is part of the URL.

    A session id identifies a specific session - that is, every visitor gets a unique session, in which the programmer can store data about that visitor.

    The session itself is NOT stored in the visitor's browser but on the server (i.e. in a database or file), only the session id is passed to the user.

    Good session modules make it hard to guess a session id by generating one from some semi-random function.

Update: s/request/query/g
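
The mechanism described in point 3, as an added example that is not part of the original post and not CGI::Session's own code: a session for every visitor, an id drawn from the kernel random source, data kept on the server, and a fresh id issued at login. The in-memory `%STORE`, the `SESSID` cookie name, the sub names and the user `alice` are assumptions made for illustration, and `/dev/urandom` assumes a Unix-like host.

```perl
#!/usr/bin/perl
use strict;
use warnings;

my %STORE;    # server-side session data keyed by session id (stands in for a file or database)

# 128 bits from the kernel CSPRNG, hex-encoded: the "hard to guess string".
sub new_session_id {
    open(my $fh, '<:raw', '/dev/urandom') or die "cannot open /dev/urandom: $!";
    my $got = read($fh, my $bytes, 16);
    close $fh;
    die "short read from /dev/urandom" unless defined $got && $got == 16;
    return unpack('H*', $bytes);
}

# Every visitor gets a session. An id the server never issued is ignored,
# never adopted, so the client cannot choose its own id.
sub load_session {
    my ($claimed_id) = @_;
    return $claimed_id
        if defined $claimed_id && $claimed_id =~ /\A[0-9a-f]{32}\z/ && exists $STORE{$claimed_id};
    my $id = new_session_id();
    $STORE{$id} = {};
    return $id;
}

# On login, move the data to a fresh id and drop the old one, so the id
# handed out before authentication stops being valid.
sub login {
    my ($old_id, $user) = @_;
    my $data = delete $STORE{$old_id} or die "unknown session";
    my $id = new_session_id();
    $STORE{$id} = { %$data, user => $user };
    return $id;
}

# Only the id travels to the browser; the data stays in %STORE.
sub cookie_header {
    my ($id) = @_;
    return "Set-Cookie: SESSID=$id; Path=/; HttpOnly; Secure; SameSite=Lax";
}

# Constructed walk-through: anonymous visit, then login as a made-up user.
my $anon = load_session(undef);
my $auth = login($anon, 'alice');
print cookie_header($auth), "\n";
print "old id still valid: ", (exists $STORE{$anon} ? "yes" : "no"), "\n";
print "user in session: $STORE{$auth}{user}\n";
print "unissued id adopted: ", (load_session('0' x 32) eq '0' x 32 ? "yes" : "no"), "\n";
```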