Re: session file umask

I usually use a cookie path of just '/'. This makes the cookie visible to the entire site. If you have some need to restrict cookie usage to just a particular path, you can try '/' temporarily, just to debug.

Note that sessions can be stored in files or databases, etc. There's a lot of variation available in the configuration. If you are storing the sessions in files, then permission issues can cause problems. The web server usually runs as something like 'nobody', so that user must be able to write the files, have permission to the directory being written to, etc. Lots of people put session files somewhere like /tmp/sessions, but on in a shared host environment, every other site on the same host can potentially see your session data (or accidentally clobber it).

I like using the database method better, but it can be expensive in terms of DB queries (every page view results in multiple hits: a read to check the current login/logout status, then a write to update the time until expiration, etc.). In production usage you want to go with the 'Storable' data store, but for debugging use the default (DataDumper) because the contents of the session object will just be simple ASCII text.

Another 'gotcha' I've encountered occurrs when you try to redirect to a secure page (https) for login, then redirect back to http afterwards. If the https domain is different, then the cookie is written on that domain, and thus not visible elsewhere.

Here's an example:

If your home page is here:

http://www.example.com/home

and you have a login link that takes you here:

https://www.secure.com/login

and then you redirect back to the home page after login (and let's assume you have different content for logged-in versus logged out users, and you depend on the session to determine which is which).

So you can have a successful login, but the cookie containing the session id which points to this state is only visible on the .secure.com domain, not the .example.com domain. So you still get the logged-out version of the home page.

The easy fix is to either do whatever necessary to have a secure url in the same domain:

https://www.example.com

Or else, make your login link point a script that does the following: create/fetch current session id and store it in a cookie. Then redirect to the login page (script you previously pointed login link to) with the session id attached as a url parameter (or, better, don't use a link, make it like a form, and send the id as a hidden parameter). This way the secure host can retrieve/modify the session data without using the cookie. Or, you can create another cookie, on the secure host, containing the same session id, but you need some way of passing that id from one host to the other, else it won't see it (and since you're using CAP:Session, it will actually create a new session automatically, which isn't what you want).

Comment on Re: session file umask

Replies are listed 'Best First'.
Re^2: session file umask by ksublondie (Friar) on Jan 13, 2009 at 17:11 UTC
I tried the '/' path, and I'm getting the same results. This web app is for an internal intranet site, so I didn't bother with securing the login page or any subsequent pages. ...I'm not changing the domain, either. I'd thought about the DB, but eliminated that idea for the very reasons you mentioned...plus for an internal site, the added security wasn't important enough for the overhead. Not to mention, I didn't want to go through the extra effort of setting up and learning postgresql on this server ;)	[reply]
Re^3: session file umask by scorpio17 (Canon) on Jan 13, 2009 at 20:45 UTC
If a simple (working) demo would be useful, some time back I wrote a tutorial showing how to create a basic login page: A Beginners Guide to CGI::Application If you want file-based sessions, change this part of Login.pm: `CGI_SESSION_OPTIONS => [ "driver:mysql;serializer:Storable;id:md5", $self->query, {Handle => $self->dbh}, ],` [download] To this: `CGI_SESSION_OPTIONS => [ "driver:File", $self->query, {Directory => "/tmp/sessions"}, ],` [download] Then, assuming your web server runs as 'nobody', do this: `mkdir /tmp/sessions chown nobody:nobody /tmp/sessions cmod 755 /tmp/sessions` [download] One final gotcha - make sure you've got all the same versions of all your modules being used on both servers. I try to install on my modules locally, then I can just tar up the modules directory and copy it to a new server, and be sure that I'm running the exact same (noncore) stuff everywhere.	[reply] [d/l] [select]
Re^4: session file umask by ksublondie (Friar) on Jan 13, 2009 at 21:31 UTC
I guess I should have posted my code from the start. Please forgive me of my transgression. `sub cgiapp_init { my $self = shift; $self->error_mode('error_runmode'); $CGI::Session::IP_MATCH = 1; $self->session_config( CGI_SESSION_OPTIONS => [ "driver:File", $self->que +ry, { Directory => $CONFIG{sessiondir} } ], COOKIE_PARAMS => { -name => 'FNBINTRANET', -path => '/', -secure => 1, -httponly => 1, }, SEND_COOKIE => 1, ); }` [download] I've checked all the relevant modules and the only difference was that the working original server was using older modules and the new server was using the latest & greatest on everything. I've updated the original server modules and nothing broke, but the new server is still not working... The original server IS using db for the sessions. I copied the exact same code over, installed the necessary modules, setup my session dir, and modified the code above to use files instead of db...was there a step I forgot?	[reply] [d/l]
Re^4: session file umask by ksublondie (Friar) on Jan 14, 2009 at 18:54 UTC
GOT IT! I commented out the COOKIE_PARAMS & SEND_COOKIE lines and now it works! I have no idea why, but at this point, I don't care cause it works... Thanks guys for the help!	[reply]