in reply to CGI::Session --help

There are two common ways to give CGI::Session a persistent session ID from the user's browser in order to track login status etc.

The first way is to drop a cookie, and this method won't allow you to do what you ask. For a given domain+browser a cookie is 'shared' so all of your tabs in Firefox will be getting the same login/logout status. This is often what's wanted anyway, but not in your example.

The other method is to preserve the session ID by passing it from page to page as a parameter in the URL. So, your login creates a session ID, and then your scripts need to ensure that each page keeps passing it on via the URL. This would enable you to do what you want. There's info in the CGI::Session tutorial about this.

Note that this second method has the disadvantage of always 'forgetting' each user entirely after logout, whereas using a cookie means a user's session ID can be made available to be re-used on their next login.

Re^2: CGI::Session --help
by moritz (Cardinal) on Aug 28, 2007 at 11:34 UTC
    I have to advise against passing session information in URLs because it can easily be a gaping security hole.

    If some user sees an interesting page and publishes the URL somewhere (chat, bulletin board or whatever) all others are authenticated as the original user.

      You're right, but it does resolve the original request, which the much better cookie method doesn't.

      You could improve the security of a URL-based session id by:

      use CGI::Session ( '-ip_match' );
      which will only allow the session if it's coming from the same IP number (downside: if your ISP changes your IP address mid-session, you'll be logged out).

      Also you can improve things a little by timing out the session relatively quickly.

      It's worth noting that the same security hole exists using cookies, in that somebody with a copy of your cookie could get access as you. It's just that it's a little harder for you to publish your cookie inadvertently.

        You're absolutely right. Somehow the original question sounds like a XY Problem because it's not the usually desired behaviour.
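As an added example (not code from any of the posts above or from CGI::Session's own documentation), here is a CGI script that puts the URL-carried session ID approach from the first reply together with the two mitigations suggested later in the thread: `-ip_match` and a short expiry. Everything not named in the thread is an assumption for illustration: the File driver under /tmp/sessions, the default parameter name CGISESSID (whatever CGI::Session->name returns), and a constructed %demo_users table standing in for a real credential check.

```perl
#!/usr/bin/perl
# Added example: login state carried in the URL, not in a cookie, so each
# browser tab can hold its own session; hardened with -ip_match and a 10-minute
# idle expiry as suggested in the thread.
# Assumed for illustration: File driver in /tmp/sessions, the default session
# parameter name, and the constructed %demo_users table below.
use strict;
use warnings;
use CGI;
use CGI::Session qw(-ip_match);   # a session presented from another REMOTE_ADDR is not honoured

my $cgi = CGI->new;

# Constructed sample credential store for this example only; a real
# application compares against a salted password hash in its user database.
my %demo_users = ( alice => 'correct horse battery staple' );

sub check_password {
    my ( $user, $pass ) = @_;
    return defined $user && defined $pass
        && exists $demo_users{$user} && $demo_users{$user} eq $pass;
}

# Take the session ID only from the query string, never from a cookie. Passing
# the ID string (rather than the $cgi object) to new() is what keeps cookies
# out of the lookup. An absent or unknown ID yields a fresh, anonymous session.
my $sid     = $cgi->param( CGI::Session->name );
my $session = CGI::Session->new( 'driver:File', $sid, { Directory => '/tmp/sessions' } )
    or die 'CGI::Session: ' . CGI::Session->errstr;

# Idle timeout: a leaked URL is only useful for as long as the session lives.
$session->expire('+10m');

# Every link or form this page emits must carry the ID, or the next page
# 'forgets' the user, which is the cost of the URL method.
sub link_with_sid {
    my (%params) = @_;
    $params{ CGI::Session->name } = $session->id;
    return $cgi->url . '?' . join '&amp;',
        map { "$_=" . CGI::escape( $params{$_} ) } sort keys %params;
}

my $action = $cgi->param('action') || '';
if ( $action eq 'login' ) {
    if ( check_password( $cgi->param('user'), $cgi->param('pass') ) ) {
        $session->param( user => $cgi->param('user') );
    }
}
elsif ( $action eq 'logout' ) {
    $session->delete;    # removed from storage on flush; nothing is left to re-use
}

# A plain header, not $session->header(), so no Set-Cookie is sent.
print $cgi->header( -type => 'text/html; charset=UTF-8' );

if ( my $user = $session->param('user') ) {
    print '<p>Logged in as ', $cgi->escapeHTML($user), '.</p>',
          '<p><a href="', link_with_sid( action => 'logout' ), '">Log out</a></p>';
}
else {
    # The form posts back to a URL that already carries this tab's session ID.
    print '<form method="post" action="', link_with_sid(), '">',
          '<input type="hidden" name="action" value="login">',
          'User: <input name="user"> Password: <input type="password" name="pass"> ',
          '<input type="submit" value="Log in"></form>';
}

$session->flush;    # write (or finish deleting) the session before exiting
```

Two things to notice when running it: because the ID is read from the query string only, opening the script in a second tab without the parameter gives that tab its own anonymous session, which is exactly what the original question asked for; and after a logout the ID in the emitted form is already dead, so the next request from that tab starts a fresh session, which is the 'forgetting' behaviour the first reply describes. The `-ip_match` check and the short expiry narrow the window in which a pasted URL is useful, but as moritz points out they do not close it.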