PerlMonks  

always logged in with CGI::Session

by boboson (Monk)
on Mar 24, 2006 at 11:26 UTC (#538997)
boboson has asked for the wisdom of the Perl Monks concerning the following question:

I am creating a webpage with user login functionality.
When the user has registered as a member, a mail is sent to his email address with an activation link. When I test this on the same computer the strangest thing happens.
If I create 2 members
I follow the activation link in the email and activate member 1 in the browser window that pops up. The member logs in, some session variables are set such as
    $session->param('mid' => $id_from_db);
    $session->param('member_type' => $member_type_id_from_db);
    $session->param("~logged-in", 1);
    $session->expires("~logged-in", "+120m");   # expires ~logged-in flag in 30 mins
I close the browser, I don't logout, I just close the browser.
I now try to activate member 2 by clicking on the activation link, and another browser window pops up.
To my surprise the session variables from member 1 are still set, which makes it possible for me to do whatever I want in member 1's account.

It doesn't matter if I:
- Don't close member 1's browser after activation
- Close all browsers, and then try to activate member 2 again, I am still logged in as member 1
- Skip the $session->expires("~logged-in", "+120m"); line
The same thing will still happen

Why does this happen?

I try to explain the application below

I have a CGI::Application base class which sets up the session using CGI::Application::Plugin::Session:
    sub cgiapp_init {
        # application object
        my $self = shift;
        # init session
        $self->init_session("sid");
    }

    sub init_session {
        # application object
        my $self = shift;
        my $name = shift;
        # change name from CGISESSID to shorter sid
        CGI::Session->name($name);
        # init session object using CGI::Application::Plugin::Session
        my $session = $self->session;
        # send session to header
        $session->header();
    }
In my application class, which inherits from the base class, I check whether the user is logged in or not:
    sub cgiapp_prerun {
        # application object
        my $self = shift;
        # check member access and redirect accordingly
        $self->accessControll;
    }

    sub accessControll {
        # application object
        my $self = shift;
        # get cgi query object
        my $q = $self->query();
        my %post = $q->Vars;
        # get session object
        my $session = $self->session;
        # if login is not old
        if ($self->init() ne 2) {
            # Redirect to startpage if login
            if ($session->param("~logged-in")) {
                $self->prerun_mode($config->{login_successRM});
            }
        }
        # after the third login attempt, redirect
        if ($session->param("~login-trials") >= 3) {
            # change password for username
            # UPDATE password in USERNAME table
            $self->redirect_output_now('login_error');
        }
        # Redirect to startpage if logout
        if ($self->get_current_runmode() eq "logout") {
            $self->logout();
            $self->prerun_mode('logout');
        }
    }

    #
    # $post{lg_name} and $post{lg_password} are sent from my login form
    #
    sub init {
        # application object
        my $self = shift;
        # get cgi query object
        my $q = $self->query();
        my %post = $q->Vars;
        # get session object
        my $session = $self->session;
        # database handle
        my $dbh = $self->param('dbh');
        if ($session->param("~logged-in")) {
            return 2;   # if logged in, don't bother going further
        }
        my $lg_name  = $post{lg_name}     or return;
        my $lg_psswd = $post{lg_password} or return;
        # if we came this far, user did submit the login form
        # so let's try to load his/her profile if name/psswds match
        my @sql_bind = ($lg_name, $lg_psswd, 1);
        my $sql_statement = qq/
            SELECT ID, MEMBER_TYPE_ID, UNAME, PWORD
            FROM MEMBER
            WHERE UNAME=? AND PWORD=? AND ACTIVE=?
        /;
        my (@loop_data) = $self->fetchLoopData($dbh, $sql_statement, @sql_bind);
        if (@loop_data > 0) {
            # login information
            $session->param('mid' => $loop_data[0]{ID});
            $session->param('member_type' => $loop_data[0]{MEMBER_TYPE_ID});
            $session->param("~logged-in", 1);
            $session->expires("~logged-in", "+120m");   # expires ~logged-in flag in 30 mins
            $session->clear(["~login-trials"]);
            return 1;
        }
        $session->param('info' => 'returnera 3');
        # if we came this far, the login/psswds do not match
        # the entries in the database
        my $trials = $session->param("~login-trials") || 0;
        return $session->param("~login-trials", ++$trials);
    }


Re: always logged in with CGI::Session
by bibliophile (Parson) on Mar 24, 2006 at 15:31 UTC
    Hi boboson, I'm just figuring out CGI::Session myself...
    I think you have a typo - $session->expires shouldn't have the 's', according to the docs: CGI::Session

    I'd think that you would want to expire the session after a shorter period of inactivity....?

    Update: There's a section on this in the tutorial.

    Hope that helps :-)

    Further update: I'm wondering about something... does your module always give the session(s) the same session id? I admit that I haven't played with CGI::Session->name()... :-/

    -- WARNING: You are logged into reality as root.
      Yep, you're right, the (s) shouldn't be there. However it still works with the (s)??? Don't ask me why!
      I read in a post doing a supersearch that if you don't supply the expire, the session would expire when the browser window is closed. This doesn't seem to be true, or it is true and my application always gives me the same sessionid.
      It sure feels like it always gives me the same session id. I use the name() function to shorten the "CGISESSID" name variable to just "sid", because if a user doesn't have cookies activated I can send the session id with a name of my choice like this:
          # get sessionid for querystring
          if ($q->cookie('sid') ne $session->id()) {
              $tmpl->param(sid => "&sid=" . $session->id());
          }
      Do you have any clue how to prevent the same session id from being set?
        Sorry, I've been out of the office for the last week :-)

        I'm only guessing here... but take a look at: session_config. Maybe you want to use that in your init_session routine, rather than using CGI::Session->name()?

        Let me know if that changes anything - I'm quite curious (as I'll be needing something like this myself in a while!)

        -bib

        -- WARNING: You are logged into reality as root.
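An added example, not code from anyone in this thread, of a login handler that makes the carry-over boboson describes impossible: on a successful login it discards the session the browser presented and issues a fresh id, sets expiry with expire() as bibliophile suggests, and on logout deletes the record so the sid cookie is expired. It uses CGI::Session directly with the File driver; the sessions directory, the `rm` parameter and the in-memory stand-in for the MEMBER table are assumptions.

```perl
use strict;
use warnings;
use CGI;
use CGI::Session;

my $SESSION_DIR = '/tmp/cgisess';   # placeholder: where the File driver keeps sessions
# Constructed stand-in for the MEMBER table in the post (real code compares a
# password hash, not a cleartext PWORD).
my %MEMBERS = ( alice => { ID => 1, MEMBER_TYPE_ID => 2, PWORD => 'secret' } );

sub check_credentials {
    my ($name, $pw) = @_;
    my $m = defined $name && $MEMBERS{$name} or return;
    return defined $pw && $m->{PWORD} eq $pw ? $m : undef;
}

CGI::Session->name('sid');   # short cookie/query name, as in the post
my $q = CGI->new;
# Load whatever id the browser presents (sid cookie or ?sid=...); a missing
# or expired id yields a fresh empty session instead of dying.
my $session = CGI::Session->new('driver:File', $q, { Directory => $SESSION_DIR })
    or die CGI::Session->errstr;

my $rm = $q->param('rm') || '';
if ($rm eq 'logout') {
    $session->delete;   # mark for removal; header() now expires the sid cookie
    print $session->header(-type => 'text/plain'), "logged out\n";
    $session->flush;    # remove the server-side record right now
    exit;
}
if ($rm eq 'login' && !$session->param('~logged-in')) {
    my $member = check_credentials(scalar $q->param('lg_name'),
                                   scalar $q->param('lg_password'));
    if ($member) {
        # Discard the session the browser arrived with (its record is removed
        # when the old object is released) and mint a new id, so state left
        # behind by a previous member is never inherited.
        $session->delete;
        $session = CGI::Session->new('driver:File', undef, { Directory => $SESSION_DIR });
        $session->param('mid'         => $member->{ID});
        $session->param('member_type' => $member->{MEMBER_TYPE_ID});
        $session->param('~logged-in'  => 1);
        $session->expire('~logged-in', '+30m');   # flag gone after 30 idle minutes
        $session->expire('+2h');                  # whole session after 2 idle hours
    }
}
# header() carries the (possibly new) id back to the browser as the sid cookie
print $session->header(-type => 'text/plain');
print $session->param('~logged-in')
    ? "logged in as mid=" . $session->param('mid') . "\n" : "not logged in\n";
```

Activating a second member with this flow never sees member 1's variables, because the id the browser still holds is deleted at member 2's login and a new one is set in the response.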
