UnderMine has asked for the wisdom of the Perl Monks concerning the following question:

Hello fellow Monks

The following code is supposed to store login username in a cookie or clear the existing cookie info if the login fails. The cookie is supposed to be persistent for up to 1yr if auto_login is checked.

The issue I am having trouble with is it is not persistent when set and it is not cleared down correctly.

    use CGI;
    use CGI::Carp qw{ fatalsToBrowser };
    use CGI::Cookie;
    use strict;
    use HTML::Template;

    my $cgi = new CGI();
    my $template;
    my $validated;

    # Validation of login removed

    if ($validated) {
        my $cookie = new CGI::Cookie(-name    => 'star',
                                     -value   => $cgi->param('username'),
                                     -expires => $cgi->param('auto_login') ? '+365d' : '+3h');
        print $cgi->header(-cookie => $cookie);
        $template = HTML::Template->new(filename => 'login-success.tmpl',
                                        die_on_bad_params => 0);
        $template->param('successURL' => $successurl);
    } else {
        my $cookie = new CGI::Cookie(-name    => 'star',
                                     -value   => undef,
                                     -expires => '+1s');
        print $cgi->header(-cookie => $cookie);
        $template = HTML::Template->new(filename => '../index.html',
                                        die_on_bad_params => 0);
    }
    print $template->output();

I am currently at the serious hairloss stage and appear to be blind to the error of my ways.

Asking for a bit of meditation
UnderMine

Replies are listed 'Best First'.
•Re: Persistant cookie issue.
by merlyn (Sage) on Nov 28, 2002 at 00:43 UTC
      Thanks for that.

      I have modified the system to overwrite the cookie with a new value 'loggedout' rather than try to erase it.

      This seems to work a lot better now and normally I brand the browser short term but in this case I need persistence between browser sessions (Yes I hate it too).

      Hope that is clear
      UnderMine

        I have modified the system to overwrite the cookie with a new value 'loggedout' rather than try to erase it.
        I think you missed the point then. The browser doesn't have to respect that request either. And if it doesn't, are you trusting that old cookie that says that the user is still logged in? {sigh}

        Please read the article again. Do not trust anything from the browser. Use a cookie only to distinguish this browser from that browser. Do not use cookies for anything regarding state.

        -- Randal L. Schwartz, Perl hacker
        Be sure to read my standard disclaimer if this is a reply.
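
The advice in the last reply (use the cookie only to tell one browser from another, and keep login state on the server) can be sketched as follows. This is an added example, not code from the thread: the names `%sessions`, `new_token`, `login`, `current_user` and `logout` are hypothetical, the in-memory hash stands in for a database table, and it assumes a Unix-like system with `/dev/urandom` and CGI::Cookie installed.

```perl
use strict;
use warnings;
use CGI::Cookie;

# Server-side session table: token => { user, expires }. A hash stands in
# for a database table here (assumption for this example).
my %sessions;

# Opaque random token; it identifies the browser and carries no state.
sub new_token {
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    read($fh, my $bytes, 16) == 16 or die "short read from urandom";
    close $fh;
    return unpack 'H*', $bytes;
}

# Called after the password check succeeds. Returns the cookie to send.
sub login {
    my ($user, $auto_login) = @_;
    my $token = new_token();
    my $ttl   = $auto_login ? 365 * 86400 : 3 * 3600;
    $sessions{$token} = { user => $user, expires => time + $ttl };
    return CGI::Cookie->new(
        -name     => 'star',
        -value    => $token,
        -expires  => $auto_login ? '+365d' : '+3h',
        -httponly => 1,
    );
}

# Who is this? Decided by the server's table, never by the cookie's content.
sub current_user {
    my ($token) = @_;
    my $s = defined $token ? $sessions{$token} : undef;
    return unless $s && $s->{expires} > time;
    return $s->{user};
}

# Logout removes the server record; a browser that keeps the cookie gains nothing.
sub logout { my ($token) = @_; delete $sessions{$token} if defined $token; return }

# Constructed demo: the browser replays its old cookie after logout.
my $cookie = login('undermine', 1);
my $token  = $cookie->value;
print "before logout: ", current_user($token) // 'nobody', "\n";
logout($token);
print "after logout:  ", current_user($token) // 'nobody', "\n";
print "forged value:  ", current_user('undermine') // 'nobody', "\n";
```

Because the expiry is also recorded in `%sessions`, the server enforces the 3-hour or 365-day lifetime itself regardless of how long the browser keeps the cookie.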