Perobl has asked for the wisdom of the Perl Monks concerning the following question:

Howdy Monks.

I have been using CGI::Session to maintain state awareness in a website I've been developing. It works great.

To date, I have been allowing a limited number of users to log into the system without a secure connection. I have now set up SSL, and it was my intention to use it at logon only. I wish to eliminate the vulnerability of someone potentially sniffing out PW information on its way to the server.

Upon sending this sensitive information to the server, the user is authenticated via a CGI. This same CGI also invokes a session object for the user. As is customary, the SID follows the user through the site. Once logged in, the SSL connection is dropped.

I know that some may take issue with this decision. We've taken this approach because we will be sharing large CAD files via this system using a viewing tool called "eDrawings". Quite simply, we want to serve these large files as quickly as possible (via a less secure HTTP connection). We are limiting the lifespan of the session object, and feel (all things considered) this is a reasonable approach.

The problem I have occurs immediately after I transition the user away from the SSL connection. That is, post login I send the user to a CGI via an HTTP connection. The session object has already been invoked as part of the logon process. Unfortunately, the session object is no longer recognized. I'm unclear on what is happening. I'm guessing it has something to do with the session object being invoked via the SSL connection? Is this information also saved in the session object?

Can someone help me to better understand this process? Thank you!

Re: CGI::Session Question
by Anonymous Monk on Mar 23, 2011 at 00:01 UTC
    Can someone help me to better understand this process? Thank you!

    Write a small program, say with WWW::Mechanize, and examine the headers sent and headers received as you log in, then surf to a non-HTTPS page.
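The diagnostic this reply suggests, written out as an added example (it is not code from the thread). It logs in over HTTPS, prints every request and response header on the way, reports what the cookie jar holds, and then fetches a plain-HTTP page so you can see which headers (and which session token) go with that second request. The login URL, the viewer URL, the assumption that the login form is the first form on the page, and the field names `username`/`password` are all placeholders to adjust for the real site.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use WWW::Mechanize;

# Hypothetical URLs and form fields; not from the original post.
my $login_url = 'https://www.example.com/cgi-bin/login.cgi';
my $next_url  = 'http://www.example.com/cgi-bin/viewer.cgi';
my %creds     = (username => 'perobl', password => 'secret');

my $mech = WWW::Mechanize->new(
    cookie_jar => {},   # in-memory HTTP::Cookies jar, behaves like a browser's
    autocheck  => 0,    # show 4xx/5xx responses instead of dying on them
);

# LWP::UserAgent handlers: dump the headers of every request and response,
# so the path the SID takes (cookie, URL or form) is visible on the terminal.
$mech->add_handler(request_send => sub {
    my ($req) = @_;
    print "=== REQUEST ===\n", $req->method, ' ', $req->uri, "\n",
          $req->headers->as_string, "\n";
    return;
});
$mech->add_handler(response_done => sub {
    my ($res) = @_;
    print "=== RESPONSE ===\n", $res->status_line, "\n",
          $res->headers->as_string, "\n";
    return;
});

# 1. Log in over HTTPS (first form on the login page is assumed).
$mech->get($login_url);
$mech->submit_form(form_number => 1, fields => \%creds);

# 2. What did the server hand back as a session token?
#    scan() passes each stored cookie's attributes, including the Secure flag.
$mech->cookie_jar->scan(sub {
    my ($version, $key, $val, $path, $domain, $port, $path_spec, $secure) = @_;
    printf "cookie %s=%s domain=%s path=%s secure=%s\n",
        $key, $val, $domain, $path, $secure ? 'yes' : 'no';
    print "  -> the browser will NOT send this cookie over plain http\n" if $secure;
});
# If the SID is carried in links instead (CGI::Session's default name), list them:
for my $link ($mech->find_all_links(url_regex => qr/CGISESSID=/)) {
    print "SID in link: ", $link->url, "\n";
}

# 3. Move to the non-SSL page and compare the request headers with step 1.
$mech->get($next_url);
print "Non-SSL page status: ", $mech->status, "\n";
```

Run it from a shell and read the two `=== REQUEST ===` blocks side by side: if a `Cookie:` header is present on the HTTPS request but absent on the HTTP one, the jar is withholding a Secure-flagged cookie; if the SID is in the URL, check that the link you followed still carries it.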

Re: CGI::Session Question
by sundialsvc4 (Abbot) on Mar 22, 2011 at 21:56 UTC

    Most of the time, cookies that are issued through HTTPS connections are flagged so that the browser will not furnish them through non-secure connections. This is most likely to be the cause of your problems here.

    Is there a compelling reason why you are sending the CAD files without encryption?

      Thanks.

      Unfortunately cookies aren't an option for this project. There is concern that some of our users won't have them turned on. So the project parameters require us to use a session file on the server.

      The CAD files are of 3D models (large assemblies) and one of the goals of this project is to serve them to our users as quickly as possible. If they are encrypted, they cannot be served as quickly. We currently provide similar access to similar files via a VPN tunnel and it is slow. After weighing all of our options, this is what we've decided to do and this too is a project parameter.

      But my question pertains to the use of CGI::Session. If CGI::Session is called via a SSL connection, and the session object is instantiated via that connection, can you later change the connection (i.e. utilizing a non-secure HTTP header) without breaking the session object? Do you have to maintain the HTTPS connection for the object to remain valid?

        You mention that

        ...the SID follows the user through the site.
        And also that you're not using cookies (there are reasons not to as you mention).

        How do you pass the SID to and get it back from the browser? In the URL, a hidden form field? In what way is

        ...the session object... no longer recognized.
        Can you see the session file or the db record created (whichever you're using)?

        I don't use CGI::Session without cookies myself and I don't have an SSL site to hand to play with. Could you post a small snippet that demonstrates the problem you're seeing?

        It could be that if you're not using cookies you may not need to use CGI::Session.
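An added example (not the poster's code, and not taken from CGI::Session's documentation) that ties together the two points raised in the thread: sundialsvc4's observation about cookies flagged Secure, and the last reply's question of how the SID gets to and from the browser when cookies are off. CGI::Session takes the SID from the cookie named `CGI::Session->name` (default `CGISESSID`) or from a query/form parameter of the same name; the session file records the id, timestamps and the client address, and nothing in it says whether the request arrived over HTTPS, so the session is only "lost" when the SID itself fails to arrive. The session directory, the viewer URL, the `$USE_COOKIE` switch and the `authenticate_user()` placeholder are assumptions for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;
use CGI::Session;

# Hypothetical settings for this example (not from the original post).
my $SESSION_DIR = '/var/lib/myapp/sessions';   # server-side session files
my $SESSION_TTL = '+30m';                      # short lifespan, as the poster intends
my $VIEWER_URL  = 'http://www.example.com/cgi-bin/viewer.cgi';  # plain-HTTP page
my $USE_COOKIE  = 0;   # 0 = carry the SID in URL/hidden field (the poster's choice)

my $cgi  = CGI->new;
my $name = CGI::Session->name;   # 'CGISESSID' unless you rename it

# With a CGI object as second argument CGI::Session reads the SID from the
# cookie named $name, then from the query/form parameter named $name. If it
# finds a valid, unexpired session file it loads it; otherwise it creates a new one.
my $session = CGI::Session->new('driver:File', $cgi, { Directory => $SESSION_DIR })
    or die CGI::Session->errstr;

if ($session->is_new) {
    # No valid SID arrived: treat this as the login request (served over HTTPS).
    # authenticate_user() is a placeholder for the site's own credential check.
    my $user = authenticate_user(scalar $cgi->param('username'),
                                 scalar $cgi->param('password'))
        or do { print $cgi->header(-status => '403 Forbidden'), "login failed\n"; exit };
    $session->param(user => $user);
    $session->expire($SESSION_TTL);
    $session->flush;                # write the session file before answering
}

my $sid = $session->id;

if ($USE_COOKIE) {
    # -secure => 1 tells the browser to send the cookie only over HTTPS, so the
    # first plain-HTTP request arrives without it and gets a fresh, empty session:
    # the symptom described in the thread. Drop -secure and the cookie travels
    # over HTTP as well (and is then readable by anyone sniffing the link).
    print $cgi->header(-cookie => $cgi->cookie(-name => $name, -value => $sid, -secure => 1));
} else {
    # No Set-Cookie at all: every link and form must carry $name=$sid itself.
    # On plain HTTP that SID is exactly as sniffable as the password was; the
    # short expiry is the only thing limiting what a captured SID is worth.
    print $cgi->header;
}

my $viewer_link = "$VIEWER_URL?$name=$sid";
print $cgi->start_html('Logged in'),
      $cgi->p('Hello, ', $cgi->escapeHTML($session->param('user'))),
      $cgi->a({ -href => $viewer_link }, 'Open the eDrawings viewer'),
      $cgi->start_form(-method => 'POST', -action => $VIEWER_URL),
      # -override => 1 defeats CGI.pm's sticky-field behaviour so the current SID wins
      $cgi->hidden(-name => $name, -value => $sid, -override => 1),
      $cgi->submit('Go'),
      $cgi->end_form,
      $cgi->end_html;

sub authenticate_user {
    my ($u, $p) = @_;
    # Placeholder only: return the user name on success, undef on failure.
    return (defined $u && defined $p && $u eq 'demo' && $p eq 'demo') ? $u : undef;
}
```

The viewer CGI on the HTTP side needs nothing special: the same `CGI::Session->new('driver:File', $cgi, {...})` call picks the SID out of `CGISESSID` in the query string or POST body, and `$session->is_new` (or `$session->is_expired` after a `load`) tells you whether the token was accepted. What it cannot do is recover a cookie the browser chose not to send, which is why the cookie-less path survives the HTTPS-to-HTTP hop and the Secure-flagged cookie does not.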