in reply to What if the bad-guys send nonsense as a session-id?

I don't see a real problem here.

When a session expires (in other words it is no longer on the list of active sessions) I re-direct the user to a log-in page to renew his log-in.

And if you employ something like Apache::AuthChecker too many failed log-ins from the same IP-address will automatically block that IP-address for a given time.

CountZero

"A program should be light and agile, its subroutines connected like a string of pearls. The spirit and intent of the program should be retained throughout. There should be neither too little or too much, neither needless loops nor useless variables, neither lack of structure nor overwhelming rigidity." - The Tao of Programming, 4.1 - Geoffrey James

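The two checks described in the reply above, as an added example that is not part of the original post or of any Apache module: a session id that is malformed or not on the active list resolves to nothing (so the caller redirects to log-in), and repeated failed log-ins from one IP block that IP for a fixed time. The id format, threshold and block duration are assumed values; the session table and IPs are constructed sample data.

```python
import hmac
import re
import time

# Assumed format for ids we issue: 32 hex characters. Anything else is nonsense and is
# rejected before it is ever looked up.
SESSION_ID_RE = re.compile(r"^[0-9a-f]{32}$")

# Constructed sample state: active sessions (id -> user) and per-IP failure bookkeeping.
ACTIVE_SESSIONS = {"0123456789abcdef0123456789abcdef": "alice"}
MAX_FAILURES = 5       # assumed lockout threshold
BLOCK_SECONDS = 600    # assumed lockout duration
_failures = {}         # ip -> (count, time of last failure)
_blocked_until = {}    # ip -> time at which the block lapses


def resolve_session(session_id):
    """Return the user for a well-formed, active session id, else None (caller redirects to log-in)."""
    if not isinstance(session_id, str) or not SESSION_ID_RE.match(session_id):
        return None
    # Compare against every known id in constant time so response timing does not
    # reveal which ids exist; the set of active sessions is small.
    for known, user in ACTIVE_SESSIONS.items():
        if hmac.compare_digest(known, session_id):
            return user
    return None


def ip_is_blocked(ip, now=None):
    """True while a block on this IP is still in force; expired blocks are dropped."""
    now = time.time() if now is None else now
    until = _blocked_until.get(ip)
    if until is not None and now < until:
        return True
    _blocked_until.pop(ip, None)
    return False


def record_failed_login(ip, now=None):
    """Count one failed log-in; return True when the IP crosses the threshold and is blocked."""
    now = time.time() if now is None else now
    count, _ = _failures.get(ip, (0, now))
    count += 1
    _failures[ip] = (count, now)
    if count >= MAX_FAILURES:
        _blocked_until[ip] = now + BLOCK_SECONDS
        _failures.pop(ip, None)
        return True
    return False
```

A request handler would call `ip_is_blocked` before accepting credentials and `resolve_session` before serving anything that needs a logged-in user.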