in reply to Re: How to code security for Expires Page
in thread How to code security for Expires Page

I want to provide a little more guidance. One more reason why not to use cookies: cookie data are limited (I believe max 2K). For PDAs it might be even less. It really should be only some kind of ID.

How to use SessionID:

You need to store the sessionID in a database. For each sessionID you'll store all needed information, like UserID (no need to put it into the cookie). When the user logs in, you'll check whether s/he has a session, whether it has expired, etc., and read all the info you thought you wanted to store in the cookie. You may not allow a new login before the old session has expired, to avoid multiple persons accessing the same data.

If the sessionID is valid, you may want to 'renew' the expiration timestamp, so the session will expire, e.g., after 15 minutes idle.

For a valid new login, you create a new sessionID (a really big random number) and pass it on into every page in that session. Even if a malicious user tries to subvert your security, there is little chance s/he will guess a valid sessionID and be able to impersonate another user.

Hope this helps.

pmas

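The design above, put into a runnable Perl script as an added example (this is not code from pmas's post or from the thread). It assumes a hash `%SESSIONS` standing in for the database table (a real CGI would use DBI), `/dev/urandom` as the random source, a 15-minute idle timeout, and a fixed clock in the demo so the output is deterministic:

```perl
#!/usr/bin/perl
use strict;
use warnings;
use 5.010;   # for the // operator

# Added example, not from the original post. The session table is stood in
# for by a hash so the script runs stand-alone; a real CGI would use DBI.
use constant IDLE_TIMEOUT => 15 * 60;   # session expires after 15 minutes idle
use constant ID_BYTES     => 32;        # 256 bits of randomness per session ID

my %SESSIONS;   # session_id => { user_id => ..., expires => epoch seconds }

# Generate a session ID from the kernel CSPRNG: 32 random bytes, hex encoded.
# Do not use rand(); it is not a cryptographic generator and can be predicted.
sub new_session_id {
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    my $n = read $fh, my $bytes, ID_BYTES;
    close $fh;
    die "short read from /dev/urandom" unless defined $n && $n == ID_BYTES;
    return unpack 'H*', $bytes;
}

# Login: refuse if this user already has a live session (the "no new login
# before the old session expired" rule), otherwise mint a fresh ID and keep
# the user data on the server side, never in the cookie.
sub login {
    my ($user_id, $now) = @_;
    $now //= time;
    for my $sid (keys %SESSIONS) {
        my $s = $SESSIONS{$sid};
        return if $s->{user_id} eq $user_id && $s->{expires} > $now;
    }
    my $sid = new_session_id();
    $SESSIONS{$sid} = { user_id => $user_id, expires => $now + IDLE_TIMEOUT };
    return $sid;
}

# Validate the ID the browser presented. On success returns the user_id and
# renews the idle timer; on an unknown or expired ID removes the row and
# returns undef. The format check rejects junk before any database lookup.
sub validate_session {
    my ($sid, $now) = @_;
    $now //= time;
    return unless defined $sid && $sid =~ /\A[0-9a-f]{64}\z/;
    my $s = $SESSIONS{$sid} or return;
    if ($s->{expires} <= $now) {
        delete $SESSIONS{$sid};
        return;
    }
    $s->{expires} = $now + IDLE_TIMEOUT;   # renew on activity
    return $s->{user_id};
}

sub logout { delete $SESSIONS{ $_[0] }; return; }

# Demonstration with a fixed clock ($t0 is an arbitrary epoch value).
unless (caller) {
    my $t0  = 1_000_000;
    my $sid = login('alice', $t0) or die "login failed";
    print "issued $sid\n";
    print "second login for alice refused\n" unless defined login('alice', $t0 + 60);
    print "valid at +10 min: ", validate_session($sid, $t0 + 10 * 60) // 'no', "\n";
    # the timer was renewed at +10 min, so +24 min is still inside 15 minutes idle
    print "valid at +24 min: ", validate_session($sid, $t0 + 24 * 60) // 'no', "\n";
    print "valid at +40 min: ", validate_session($sid, $t0 + 40 * 60) // 'no', "\n";
    print "guessed id accepted: ", validate_session('0' x 64, $t0) // 'no', "\n";
}
```

In a real CGI the value returned by `login` is what goes into the `Set-Cookie` header (or a hidden form field), and `validate_session` is called at the top of every protected page with the value the browser sent back; everything else about the user stays in the table keyed by that ID.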

Re: Re: How to code security for Expires Page
by Anonymous Monk on Jun 07, 2001 at 14:51 UTC
    How can I generate the session id? IIS normally generates it for me, but does CGI also do that? I'm really new to cgi-perl.