pileofrogs has asked for the wisdom of the Perl Monks concerning the following question:

Greetings Monks

I'm writing a CGI and I want to have authenticated sessions. I can do authentication fine, but I've never done sessions before. I've always written CGIs that accept credentials and commands in one go, so I never had to do any kind of sessions before.

Yes, this will be SSL encrypted.

Cookies seem to be involved, but I don't know a thing about what they should look like, how they should act, etc...

I'm thinking of using the concept from one-time-passwords. The server generates a new token on each request and only accepts each token once. If a baddie gets the token they can't use it if the legit user already has, or if they use it before the legit user, the legit user gets locked out and they know something is wrong.

I'm trying to do something that really wants authenticated sessions and I really want to do this right.

Update:

Even if I don't write my own session handler, I should know how sessions are supposed to work so I can pick a good one to use.
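The one-time-token scheme sketched above, as an added example that is not part of the original thread: a server-side session table that replaces the token on every accepted request and locks the session when a token is presented twice, so whoever holds the other copy is refused next time. It is written in Python rather than Perl so it runs stand-alone, and the names (RotatingTokenSessions, login, use, logout) are my own.

```python
import hmac
import secrets
import time

class RotatingTokenSessions:
    """Server-side session table for the one-time-token scheme above.

    Every accepted request replaces the session token; a token that is
    presented a second time (or was never issued) locks the session, so
    whoever holds the other copy is refused on their next request."""

    def __init__(self, ttl_seconds=900):
        self.ttl = ttl_seconds
        self._sessions = {}  # sid -> {"user", "token", "expires", "locked"}

    def login(self, user, now=None):
        """Create a session after the credentials were checked elsewhere.
        Returns (sid, token); both travel in cookies (set Secure + HttpOnly)."""
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)
        token = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "token": token,
                               "expires": now + self.ttl, "locked": False}
        return sid, token

    def use(self, sid, token, now=None):
        """Validate one request. Returns (status, new_token_or_None)."""
        now = time.time() if now is None else now
        sess = self._sessions.get(sid)
        if sess is None:
            return "unknown", None
        if sess["locked"]:
            return "locked", None
        if now > sess["expires"]:
            del self._sessions[sid]
            return "expired", None
        # Constant-time compare; a stale or forged token means a second party
        # has already spent it, so lock rather than guess who is legitimate.
        if not hmac.compare_digest(sess["token"], token):
            sess["locked"] = True
            return "locked", None
        sess["token"] = secrets.token_urlsafe(32)  # rotate: old token is dead
        sess["expires"] = now + self.ttl
        return "ok", sess["token"]

    def logout(self, sid):
        self._sessions.pop(sid, None)
```

Note that this detects a stolen token rather than preventing its first use: whoever presents the current token first gets one request served, and the other party is locked out on their next one. Because each token is good for exactly one request, it also breaks as soon as a browser sends two requests in parallel (several tabs, background fetches), which is one reason to prefer an existing session engine over rolling this yourself.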

Re: Session Security?
by boblawblah (Scribe) on Feb 18, 2009 at 20:13 UTC
    Are you using the CGI module? If not - you really should be. Look into CGI::Session - it takes care of all the hard stuff for you.
Re: Session Security?
by Your Mother (Archbishop) on Feb 18, 2009 at 20:32 UTC

    Writing your own session stuff is one step above writing your own template engine and both are generally a mistake unless approached as a learning exercise.

    Do some super searching here for session and on the CPAN. Once you find the engine you want, probably CGI::Session, or if you're in the mood for a learning experience which repays richly, Catalyst + Catalyst::Plugin::Session. I think there is also a token plugin for the Cat stuff. If I'm wrong it would be pretty easy to add (well, once you have the hang of Cat). But if you're running under SSL that doesn't seem super important.