rajivp has asked for the wisdom of the Perl Monks concerning the following question:

I have a group of websites with a single user database. I assign each user a single home site based on their original registration. If a user logs in from his/her home site, the normal login process takes place. However, if a user attempts to log in from a site other than his/her home site, I redirect the request to the home site. Following is the sequence of calls in the event a user logs in from a non-home site.

http://non-homesite/login.cgi - The Perl code on the non-homesite server redirects to http://homesite.com/login.cgi?UserId=xxx&Password=yyy

The home site upon receiving the request, processes the login and this time the perl code in the home site redirects to http://homesite.com/memberoptions.cgi

This works OK. But the problem is that the URL (revealing the password as one of the params) for the first redirection shows in the browser location bar briefly (before it is replaced by the second redirection URL).

I am using CGI::Session to set the sessions. I would like to be able to do 1 of the following 2 things.

1. Not have the params show (in the browser location bar) during the first redirection. It appears that GET is the only method I can use during redirection (which I do using CGI.pm methods)

2. Set the session for the home site, from a non-home site. This again looks like not a possibility in the normal way with CGI::Session as cookies for the domain would need to be set.

Is there a third way? My goal is to get the user automatically logged to the home site regardless of the site he/she is logging into.

My knowledge of perl and other web technologies is very limited. I would appreciate any advice.

Replies are listed 'Best First'.
Re: A perl session question
by moritz (Cardinal) on Jul 14, 2010 at 06:01 UTC

    There is no good reason to do a redirect before setting the cookie.

    On every page you display, the login form can send its data (as POST please) directly to http://homesite.com/login.cgi instead of first going through http://non-homesite/login.cgi

    After the authentication was successful, you can still do a redirect.

    Perl 6 - links to (nearly) everything that is Perl 6.
      Maybe I did not explain this correctly. The home site could be different for different users. Say I have a.com, b.com and c.com as the group of sites. And say I have user X and user Y.

      For user X the home site could be a.com, while for user Y the home site could be c.com - If user X logs into c.com, I need to redirect him/her to a.com. Likewise, if user Y logs in to a.com or b.com, I need to redirect him to c.com

      So up front, I do not know what the home site would be. It is only after I have a userid, I look up the home site based on user id and redirect to appropriate home site. It is possible to re-present the login screen but that would not be an automatic login.

        I'd find it a bit weird to log into a site and end up on a different site, but that's your choice of course.

        One way around is to do it as you do it now, but encrypt the password with something like Crypt::CBC. You just need a common, secret key or passphrase on all three servers.

        This doesn't scale to sites that don't trust each other, in which case you need something more complicated, like for example OpenID.

        Perl 6 - links to (nearly) everything that is Perl 6.
Re: A perl session question
by Arunbear (Prior) on Jul 14, 2010 at 10:35 UTC
    Your option 2 can work if you put the session id in the URL e.g.
    1. user logs in to http://non-homesite/login.cgi
    2. create a new session (say its id is 123abc)
    3. redirect them to http://homesite.com/login.cgi?sid=123abc
    If your websites are on different servers, you'll need to store the sessions in the database to make this work.
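
Added example, not code from the thread or from any poster: a sketch of the handoff in the last reply, where the value placed in the redirect URL is a random, single-use, short-lived token held in storage all sites share, so neither the password nor a long-lived session id reaches the location bar, browser history or access logs. Assumptions: the `%handoff` hash stands in for a table in the shared database, the sub names, the 30-second lifetime and the host `a.example` are constructed, the redirect uses HTTPS, and `/dev/urandom` is available.

```perl
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);

# Stand-in for a table in the shared session database (assumption).
# Keyed by a hash of the token, so a leaked table row cannot be replayed.
my %handoff;   # sha256(token) => { user, home, expires }

# Non-home site: call only after the password has been verified locally.
sub issue_handoff {
    my ($user, $home_site, $now) = @_;
    open my $fh, '<:raw', '/dev/urandom' or die "no entropy source: $!";
    read($fh, my $raw, 16) == 16 or die "short read from /dev/urandom";
    close $fh;
    my $token = unpack 'H*', $raw;            # 128 random bits, hex encoded
    $handoff{ sha256_hex($token) } =
        { user => $user, home => $home_site, expires => $now + 30 };
    return "https://$home_site/login.cgi?sid=$token";
}

# Home site login.cgi: redeem the token once, then create the site's own
# CGI::Session session and cookie for the returned user.
sub redeem_handoff {
    my ($token, $this_site, $now) = @_;
    return unless defined $token && $token =~ /\A[0-9a-f]{32}\z/;
    my $row = delete $handoff{ sha256_hex($token) } or return;  # single use
    return if $now > $row->{expires};         # stale link from history or logs
    return if $row->{home} ne $this_site;     # issued for a different site
    return $row->{user};
}

# Constructed walk-through: first use, replay, expiry, wrong site.
my $now   = time;
my $token = sub { $_[0] =~ /sid=([0-9a-f]+)\z/ ? $1 : die "no token" };

my $t1 = $token->( issue_handoff('userX', 'a.example', $now) );
printf "first use:  %s\n", redeem_handoff($t1, 'a.example', $now + 5) // 'rejected';
printf "replay:     %s\n", redeem_handoff($t1, 'a.example', $now + 6) // 'rejected';

my $t2 = $token->( issue_handoff('userX', 'a.example', $now) );
printf "expired:    %s\n", redeem_handoff($t2, 'a.example', $now + 31) // 'rejected';

my $t3 = $token->( issue_handoff('userX', 'a.example', $now) );
printf "wrong site: %s\n", redeem_handoff($t3, 'c.example', $now + 5) // 'rejected';
```

With a real database the lookup and delete in `redeem_handoff` need to be one atomic statement or transaction, so that two simultaneous requests cannot both redeem the same token.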