Anonymous Monk has asked for the wisdom of the Perl Monks concerning the following question:

Hi Monks,

When speaking of of a user session management, a lot of people referred me to CGI::Session.

I started learning it the other day and now just confused as hell on what I'm supposed to do with this situation I'm in. I'm not sure if its just me or CGI::Session is not intended for sites that require authentication of their users.

From the CGI::Session::Tutorial doc: 
   $sid = $cgi->cookie("CGISESSID") || undef;
   $session    = new CGI::Session(undef, $sid, {Directory=>'/tmp'});

[download]
The above syntax will first try to initialize an existing session data, if it fails ( if the session doesn't exist ) creates a new session: just what we want. But what if the user doesn't support cookies? In that case we would need to append the session id to all the urls as a query string, and look for them in addition to cookie:

Notice how it says if it fails to initialize an existing session data from $sid, then it creates a new session. What if we don't want it to create a new session automatically? Doesn't that defeat the whole purpose of a "members" area page that requires you to initialize a valid session?

thanks

Replies are listed 'Best First'.
Re: Concern with CGI::Session
by davidj (Priest) on Jun 14, 2005 at 06:41 UTC
    Sessions and user authentication are two totally separate things. One does not require the other. Sessions are useful for sites that require user authentication because it enables the authenticated user data to persist across pages, but they are not required to implement authentication.

    I have no idea how the logic of your site is implemented, but the following logic flow might help:

    1) have a link on your main page to a login screen
    2) on the login screen, have the user enter his/her user information.
    3) use a back-end cgi script to authenticate the user ( probably against a database? )
    4) once that cgi script has authenticated the user, then create your session
    5) use the existence of the session and its data to allow the user into the members area

    not knowing what you really want, I hope this helps
    davidj

[reply]
      Hey,

      Thanks for the reply :) -- The logic you described was basically right on the dot with how I am implementing this.

      I have the the back-end cgi script to authenticate the user using data in a mysql db. Then once its successful, then it creates a new session with CGI::Session.

      What I'm confused about is how to initialize the existence of a session from a user that is trying to view a members area section.

      I'm following the coding from the CGI::Session::turtorial doc and its defeating the whole purpose of authentication.
[reply]
        I find it's easier if you just pretend that the session is always there (just create a session when one is requested), and then when the user logs in put some token in the session indicating what user it is (like the user id or login name).

        in the pages that require a valid user you only need to check whether the session contains a valid user id or redirect back to the login page (or give an error)

        This also means that you can use the session for other user state, even when they're not logged in.

        "What should it profit a man, if he should win a flame war, yet lose his cool?"
[reply]
Re: Concern with CGI::Session
by cees (Curate) on Jun 14, 2005 at 11:37 UTC

    If you want to authenticate users and you want to use CGI::Session, can I suggest you have a look at CGI::Session::Auth. It will do all the work for you, and it will give you an idea of how authentication with a session works.

    The basic idea is that every user gets a session regardless of whether they are logged in or not. Once a user successfully logs in, a parameter is set in the session that states that this user has already logged in. So the next time that user comes back, you check in their session to see if they have logged in. If this special variable is not set, then you know they haven't logged in and you redirect them to a login form.

[reply]
      i have some queries
      i have set session id and domain name in the cookies which are sent to the user browser 
      $cookie =$cgi->cookie(
                      -CGISESSID => $session->id,
                      -expires => '+1h',
                      -domain => 'B2R6A056a'
                      };
print $cgi->header(-cookie=>$cookie);

      [download]
      now when the user clicks a tab and goes to another page i want to fetch the cookie from the usersession and then intially trying to print all the values got from the cookie 
      my %cookie = fetch CGI::Cookie;
foreach $keys ( sort keys %cookie)
{
        print "$keys : $cookies{$_}";
}

      [download]
      but i am not able to fetch the cookie
      is there some problem in the line of my thinking
      or is there something more i have to take care of
      please advice
[reply]
[d/l]
[select]

        The -domain part of a cookie should be the domain name of the server(s) that you want to receive the cookie (1). 'B2R6A056a' does not look like a valid domain name to me, and that is probably causing your problem.

        My suggestion would be to simplify things by removing the -expires and -domain part of the cookie, and seeing if that works. If it does work, then add one of the options back in ans see if things still work. Simplifying things and taking it one step at a time is a very successful debugging tool that is useful when you are not sure what is causing your problems.

        If that doesn't work, then you need to start looking carefully at the actual headers being sent along with the request (that includes client headers and server headers). Mozilla can be helpful with this, since it has plugins to debug client and server HTTP headers. Look for the Set-Cookie: header in the server headers, and Cookie: header in the client headers.

        (1) http://wp.netscape.com/newsref/std/cookie_spec.html

[reply]

Back to Seekers of Perl Wisdom