Re: CGI::Session --help
by oxone (Friar) on Aug 28, 2007 at 11:19 UTC
There are two common ways to give CGI::Session a persistent session ID from the user's browser in order to track login status etc.
The first way is to drop a cookie, and this method won't allow you to do what you ask. For a given domain+browser a cookie is 'shared' so all of your tabs in Firefox will be getting the same login/logout status. This is often what's wanted anyway, but not in your example.
The other method is to preserve the session ID by passing it from page to page as a parameter in the URL. So, your login creates a session ID, and then your scripts need to ensure that each page keeps passing it on via the URL. This would enable you to do what you want. There's info in the CGI::Session tutorial about this.
Note that this second method has the disadvantage of always 'forgetting' each user entirely after logout, whereas using a cookie means a user's session ID can be made available to be re-used on their next login.
| [reply] |
use CGI::Session ( '-ip_match' );
which will only allow the session if it's coming from the same IP number (downside: if your ISP changes your IP address mid-session, you'll be logged out).
Also you can improve things a little by timing out the session relatively quickly.
It's worth noting that the same security hole exists using cookies, in that somebody with a copy of your cookie could get access as you. It's just that it's a little harder for you to publish your cookie inadvertently.
| [reply] [d/l] |
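Added example, not code from any poster in this thread: one CGI script that carries the session ID in the URL (so each tab can hold its own login), with the `-ip_match` switch and a short idle timeout from the reply above. The storage directory, the 15-minute timeout, the `action` and `user` names and the `verified_user` hook are assumptions for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;
use CGI::Session ('-ip_match');   # honour a session ID only from the IP that created it

# Assumption: a directory readable only by the web server user, not a shared /tmp path.
my %store = (Directory => '/var/lib/myapp/sessions');

# Hypothetical hook: replace with a real credential check. Fails closed as written.
sub verified_user { my ($cgi) = @_; return undef }

my $cgi  = CGI->new;
my $name = CGI::Session->name;    # "CGISESSID" by default
my $sent = $cgi->param($name);    # ID presented in the URL, if any

my $session = CGI::Session->new(undef, $cgi, \%store) or die CGI::Session->errstr;

# new() quietly starts a fresh, empty session when the presented ID is unknown,
# expired or fails the IP check; compare the IDs to notice that.
my $rejected = defined $sent && $sent ne $session->id;

my $action = $cgi->param('action') // '';
if ($action eq 'login' and defined(my $who = verified_user($cgi))) {
    # Discard the pre-login session so the logged-in state gets a newly generated ID.
    $session->delete;
    $session->flush;
    $session = CGI::Session->new(undef, $cgi, \%store) or die CGI::Session->errstr;
    $session->param(user => $who);
}
elsif ($action eq 'logout') {
    $session->delete;             # drop server-side state so an old URL stops working
    $session->flush;
}
$session->expire('+15m') unless $action eq 'logout';   # idle timeout

# No cookie is sent: the ID lives only in this tab's links.
print $cgi->header(-type => 'text/html', -charset => 'utf-8');
my $user = $action eq 'logout' ? undef : $session->param('user');
if (defined $user) {
    my $self = $cgi->url(-relative => 1);
    my $qs   = $name . '=' . $session->id;   # must be appended to every internal link
    printf qq{<p>Logged in as %s. <a href="%s?%s">Next page</a> | }
         . qq{<a href="%s?%s&amp;action=logout">Log out</a></p>\n},
        $cgi->escapeHTML($user), $self, $qs, $self, $qs;
}
else {
    print "<p>Session expired or rejected; please log in again.</p>\n" if $rejected;
    print "<p>Not logged in.</p>\n";
}
```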
Re: CGI::Session --help
by moritz (Cardinal) on Aug 28, 2007 at 11:10 UTC
Usually session information is stored in cookies, which are shared among all browser windows/tabs.
So if you log in in one tab, and then refresh the other windows you should be logged in in all tabs. And if you close one of them, that doesn't affect the other windows.
And if you log out explicitly in one tab, you delete the session information on the server, so the next time you refresh the page in any browser tab you are logged out.
That's the default behaviour, and everything else is rather hard and clumsy to implement.
And never forget that the current logged in / logged out status is only visible after you refresh the page.
| [reply] |
Couple of corrections:
A logout doesn't delete the session info from the server unless the developer chooses to do so. It's more common to retain it so that the user can be greeted etc. on return.
Getting the session ID from the cookie is one of two default behaviours. The other is to look for a CGISESSID among the URL parameters. The latter method has disadvantages but would solve this requirement in that each 'tab' could then have its own session and login status.
| [reply] |
Cookies are stored on a per host basis, so depending on how smart your browser is, you may be able to log into http://127.0.0.1 as one user and http://localhost. You should be able to have one session for each different name that points at your server. (you'll need to make sure your webserver maps these additional names to the correct vhost too)
Whether your CGI scripts generate URLs in a way that will function correctly under this situation is another question.
I generally have 2 or 3 aliases to my hosts as part of the way the network is set up... one by name (nick), one by service (web, cvs etc), one for the literal IP (server22 for 192.168.5.22 when servers only live on 192.168.5)
@_=qw; ask f00li5h to appear and remain for a moment of pretend better than a lifetime;;s;;@_[map hex,split'',B204316D8C2A4516DE];;y/05/os/&print;
| [reply] [d/l] [select] |
Re: CGI::Session --help
by Anonymous Monk on Aug 28, 2007 at 11:05 UTC
I must say that I am storing the session files in /tmp/sessions, e.g., $session = new CGI::Session(undef ,undef, {Directory=>'/tmp/sessions/'});
-- Thanks Cherry
| [reply] |
Re: CGI::Session --help
by Anonymous Monk on Aug 29, 2007 at 05:14 UTC
You want to write your own browser
| [reply] |