Yaerox has asked for the wisdom of the Perl Monks concerning the following question:

I'm using Perl CGI and I have 3 scripts for a login system.

index.pl -> user needs to input stuff here
login.pl -> gets called if the user hits the login button - checks if the entered stuff is the same as in the database
result.pl -> the user gets redirected to this if the login was successful.

login.pl
# Includes
use strict;
use warnings;
use CGI qw(:standard);   # needed for the bare param() and redirect() calls below
use DBI;
use Digest::MD5 qw(md5 md5_hex md5_base64);

# Get Parameters
my $p_sUsername = param( 'username' );
my $p_sPassword = param( 'password' );

# check for missing input before hashing, otherwise md5_hex(undef) always yields a defined value
if ( !defined( $p_sUsername ) || !defined( $p_sPassword ) ) {
    print redirect( "access-denied.pl" );
    exit;   # without this the script keeps running and prints a second header
}
$p_sPassword = md5_hex( $p_sPassword );

# DB Stuff done here ...

my $oCGI = CGI->new();
my $oCookie = $oCGI->cookie(
    -name    => "user",
    -value   => $p_sUsername,   # comma was missing here
    -expires => '2h'
);
print redirect( "result.pl", $oCookie );


result.pl
use strict;
use warnings;
use CGI;

my $oCGI = CGI->new();
print $oCGI->header();
print $oCGI->cookie('user'); # this is empty
What am I doing wrong? I need to pass data from page to page to be able to check if a user is authenticated or not ...

Update:
Seems like I had to use print $oCGI->redirect( -uri => "orders.pl", -cookie => $oCookie );. Now I can get the username on the second page ...

Re: Perl Sessions and Cookies - Cookie don't get passed
by Your Mother (Archbishop) on Mar 05, 2015 at 20:53 UTC

    Your redirect is wrong. Always test the real output from the command line or with curl or something if your script isn’t behaving–

    perl -MCGI=:all -e 'print redirect("http://some/full/uri", cookie(-name => "x", -value => "y" ))'
    Status: 302 Found
    Window-Target: x=y; path=/
    Location: http://some/full/uri

    This—Re: CGI::Application redirect loses cookie—shows redirect with cookie with CGI.

    Couple other points–

    • Redirect URIs MUST be absolute (per the RFC). Most browsers do the right thing on relative ones but it’s still wrong.
    • No customer/user/db specific information should ever, ever, ever be in a cookie. Ever. Not even encrypted, perhaps a signed hash but that’s a different kettle of clams: https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Cookies.
      Thanks for the other points, I'll take a look at them. I rebuilt this stuff using CGI::Session now. It works fine, and I'm actually just saving the username and a session ID to validate the user on every page.
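The following is an added example, not code from the poster or from Your Mother's reply. It puts together the two corrections made above: the cookie is handed to redirect() by name (the positional form turns it into a Window-Target header, as the command-line test shows), and the cookie carries a signed, expiring token rather than a bare user name, which is the "signed hash" variant the bullet point alludes to. The secret, the base URI, the user table and check_credentials() are assumptions constructed for the example; the poster's real "DB stuff" goes in their place.

```perl
#!/usr/bin/perl
# Added example, not the poster's or Your Mother's code: login.pl that signs
# the user name so the browser cannot forge it, and passes the cookie to
# redirect() by name so the Set-Cookie header is actually emitted.
use strict;
use warnings;
use CGI;
use Digest::SHA qw(sha256_hex hmac_sha256_hex);

# Assumptions: a long random secret loaded from outside the web root, and an
# absolute base URI for redirects (Location values must be absolute).
my $SECRET = 'replace-with-a-long-random-secret-from-config';   # assumption
my $BASE   = 'https://example.com';                             # assumption
my $TTL    = 2 * 60 * 60;                                       # two hours

# Constructed user table: username => sha256 of the password. A real store
# should hold a salted, slow password hash rather than a bare digest.
my %USERS = ( alice => sha256_hex('correct horse battery staple') );

sub check_credentials {
    my ($user, $pass) = @_;
    return exists $USERS{$user} && $USERS{$user} eq sha256_hex($pass);
}

# Token = "user|expiry|HMAC(user|expiry)". The browser can read it but cannot
# forge or extend it without $SECRET.
sub make_token {
    my ($user, $expires) = @_;
    my $payload = join '|', $user, $expires;
    return join '|', $payload, hmac_sha256_hex($payload, $SECRET);
}

# Returns the user name if the token is intact and unexpired, else undef.
sub verify_token {
    my ($token) = @_;
    return undef unless defined $token;
    my ($user, $expires, $mac) = split /\|/, $token, 3;
    return undef unless defined $mac && $expires =~ /^\d+$/ && time <= $expires;
    my $expected = hmac_sha256_hex(join('|', $user, $expires), $SECRET);
    return undef unless length $mac == length $expected;
    # Constant-time comparison: XOR every byte, never return early on a mismatch.
    my $diff = 0;
    $diff |= ord(substr $mac, $_, 1) ^ ord(substr $expected, $_, 1)
        for 0 .. length($expected) - 1;
    return $diff == 0 ? $user : undef;
}

my $q    = CGI->new;
my $user = $q->param('username');
my $pass = $q->param('password');

# Reject missing fields, a '|' in the name (it is the token separator) and bad
# passwords, then exit: otherwise the script would emit a second header below.
if ( !defined $user || !defined $pass || $user =~ /\|/ || !check_credentials($user, $pass) ) {
    print $q->redirect( -uri => "$BASE/access-denied.pl" );
    exit;
}

my $cookie = $q->cookie(
    -name     => 'auth',
    -value    => make_token($user, time + $TTL),
    -expires  => '+2h',
    -path     => '/',
    -secure   => 1,   # sent over HTTPS only
    -httponly => 1,   # not readable from script in the page
);

# redirect($uri, $cookie) would treat $cookie as the -target argument; the
# named form is what emits Set-Cookie alongside Location.
print $q->redirect( -uri => "$BASE/result.pl", -cookie => $cookie );

# result.pl does the reverse, with make_token/verify_token moved to a shared module:
#   my $user = verify_token( scalar CGI->new->cookie('auth') )
#       or do { print CGI->new->redirect( -uri => "$BASE/index.pl" ); exit };
```

The expiry lives inside the signed payload as well as in the cookie's -expires attribute: the browser honours the latter, but only the former stops a client that keeps replaying an old cookie.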
Re: Perl Sessions and Cookies - Cookie don't get passed
by fishmonger (Chaplain) on Mar 05, 2015 at 14:49 UTC

    You might want to consider using CGI::Session to store the session data on the server instead of the client.

      I'd like to be able to do this the same way I'd do it in PHP. I don't get this in Perl the way I want to ...
      I rewrote my scripts using CGI::Cookie, but now I have the problem that I can't expire the cookie when I want to. It expires according to what I configured, but in my logout script I'd like to delete the cookie immediately.

      Tomorrow I'll do a second try by using CGI::Session ...

        To prevent XSS attacks you should have a 'logged in' hidden input. Clear this input to logout, leave the Cookies as they are.

        It's been a while since I've worked with HTTP sessions, but if memory serves you should be putting the last login name into a cookie and the "this user is logged in" data into form fields or a this cookie is logged in until after on the server.

        You definitely should not be using cookies to determine if a user is logged in, that much I remember clearly. You need either server side session or form variables. Place a "good for so long" password hash into an HTML hidden input and you'll do just fine.
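The following is an added example, not code from the poster or from any reply in this thread. It shows the route fishmonger suggests, CGI::Session, and covers the two things the poster asked about in this subthread: validating the user on every page, and a logout that takes effect immediately. Only an opaque session id reaches the browser; the user name and the logged-in flag live in the server-side store, so logout can destroy them in one place instead of waiting for a cookie to age out. The session directory, base URI, user table and check_credentials() are assumptions constructed for the example.

```perl
#!/usr/bin/perl
# Added example, not the poster's or a replier's code: one CGI script that
# handles login, logout and a protected page with CGI::Session.
use strict;
use warnings;
use CGI;
use CGI::Session;
use Digest::SHA qw(sha256_hex);

# Assumptions: a session directory outside the document root, writable only by
# the web server user, and an absolute base URI for redirects.
my $SESSION_DIR = '/var/lib/myapp/sessions';   # assumption
my $BASE        = 'https://example.com';       # assumption
my $COOKIE      = 'CGISESSID';                 # CGI::Session's default cookie name
my @DSN         = ( 'driver:File', { Directory => $SESSION_DIR } );

# Constructed user table (username => sha256 of password); a real store should
# use a salted, slow password hash.
my %USERS = ( alice => sha256_hex('correct horse battery staple') );
sub check_credentials {
    my ($user, $pass) = @_;
    return exists $USERS{$user} && $USERS{$user} eq sha256_hex($pass);
}

# Cookie carrying only the session id; %extra lets logout override -expires.
sub session_cookie {
    my ($q, $id, %extra) = @_;
    return $q->cookie( -name => $COOKIE, -value => $id, -path => '/',
                       -secure => 1, -httponly => 1, %extra );
}

my $q      = CGI->new;
my $action = $q->param('action') // 'page';

if ( $action eq 'login' ) {
    my $user = $q->param('username');
    my $pass = $q->param('password');
    if ( !defined $user || !defined $pass || !check_credentials($user, $pass) ) {
        print $q->redirect( -uri => "$BASE/access-denied.pl" );
        exit;
    }
    # Discard whatever session id the browser arrived with and mint a new one,
    # so an id planted before login (session fixation) is never promoted.
    my $old = CGI::Session->load( $DSN[0], $q, $DSN[1] );
    if ( $old && !$old->is_empty ) { $old->delete; $old->flush; }
    my $s = CGI::Session->new( $DSN[0], undef, $DSN[1] ) or die CGI::Session->errstr;
    $s->param( username  => $user );
    $s->param( logged_in => 1 );
    $s->expire('+2h');   # server-side lifetime, enforced whatever the cookie says
    $s->flush;
    print $q->redirect( -uri => "$BASE/result.pl", -cookie => session_cookie( $q, $s->id ) );
    exit;
}

if ( $action eq 'logout' ) {
    my $s = CGI::Session->load( $DSN[0], $q, $DSN[1] );
    if ( $s && !$s->is_empty ) { $s->delete; $s->flush; }   # gone on the server now
    # ... and a cookie dated in the past makes the browser drop the id at once.
    print $q->redirect( -uri => "$BASE/index.pl",
                        -cookie => session_cookie( $q, '', -expires => '-1d' ) );
    exit;
}

# Any protected page: trust only what the server-side store says.
my $s = CGI::Session->load( $DSN[0], $q, $DSN[1] );
if ( !$s || $s->is_empty || $s->is_expired || !$s->param('logged_in') ) {
    print $q->redirect( -uri => "$BASE/index.pl" );
    exit;
}
my $user = $q->escapeHTML( $s->param('username') );
print $q->header( -type => 'text/html; charset=UTF-8' ),
      "<p>Logged in as $user</p>\n";
```

Because the session record is deleted and flushed before the redirect, a client that ignores the expiring cookie and keeps sending the old id simply gets an empty session on the next request. The logged-in state is never taken from the cookie or from a form field, only from the store.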