PerlMonks  

Re: Re: Regarding User Sessions

by Anonymous Monk
on Apr 12, 2004 at 12:05 UTC ( [id://344358]=note )


in reply to Re: Regarding User Sessions
in thread Regarding User Sessions

Could you please give an example program, so that I can use it as my reference? Pls.......... Thank you

Replies are listed 'Best First'.
Re: Re: Re: Regarding User Sessions
by Anneq (Vicar) on Apr 12, 2004 at 12:59 UTC

    I am using CGI::Application in which my cgiapp_prerun() is as follows:

    use CGI::Session;

    sub cgiapp_prerun
    {
        my $self = shift;
        my $q = $self->query();

        # Open existing session from cookie id, or open new session
        my $session = CGI::Session->new(undef, $q, {Directory=>'/tmp'});

        # Delete session if user requested logout
        # (the 'rm' parameter may be absent, so default it to '')
        if (($q->param('rm') // '') eq 'logout')
        {
            $session->delete();
            # Start new session
            $session = CGI::Session->new(undef, undef, {Directory=>'/tmp'});
            # Set session as logged out
            $session->param(-name => 'logged_in', -value => 0);
            # Change run mode to default run mode
            $self->prerun_mode('default');
        }
        # Session expires after one hour without access
        $session->expire('+1h');

        my $cookie = $q->cookie(CGISESSID => $session->id);
        # Send cookie in header
        $self->header_props(-cookie => $cookie);
        # Make session params available to other subs & modules
        $self->param(session => $session);
    }
    

    A separate validation run mode, which is used to validate both registrations and logins, sets the session parameter 'logged_in' to true if registration or logon was successful.

    Pretty simple and it works. I haven't checked out Apache::Session yet so I don't know which one would be best to use.

    UPDATE:

    I've just come across this node which recommends using CGIS::Application because it's CGI::Session enabled CGI::Application. Though I haven't looked at it yet so can't give any opinion on which one would be best.

    HTH,

    Anne
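
Added example, not part of Anneq's post or of CGI::Application: one way the validation run mode described above could start the logged-in session, discarding the session ID the browser presented before login and issuing a new one with an HttpOnly, Secure cookie. The helper name `start_logged_in_session`, the temporary session directory and the constructed request are assumptions, and the Secure flag assumes the site is served over HTTPS.

```perl
use strict;
use warnings;
use CGI;
use CGI::Session;
use File::Temp qw(tempdir);

# Hypothetical helper, called by the validation run mode once the
# credentials have been checked. $dir is the session directory.
sub start_logged_in_session {
    my ($q, $dir) = @_;

    # Load the session the request presented (cookie or CGISESSID param)
    # and discard it, so a pre-login ID never becomes a logged-in ID.
    my $old = CGI::Session->load(undef, $q, {Directory => $dir});
    if ($old && !$old->is_empty) {
        $old->delete();
        $old->flush();
    }

    # Passing undef instead of $q forces a newly generated session ID.
    my $session = CGI::Session->new(undef, undef, {Directory => $dir});
    $session->param(-name => 'logged_in', -value => 1);
    $session->expire('+1h');
    $session->flush();

    # HttpOnly keeps the ID away from page scripts; Secure keeps it off
    # plain HTTP (assumes the site is served over HTTPS).
    my $cookie = $q->cookie(
        -name     => 'CGISESSID',
        -value    => $session->id,
        -httponly => 1,
        -secure   => 1,
    );
    return ($session, $cookie);
}

# Constructed demonstration: a request arrives carrying a pre-login ID.
my $dir = tempdir(CLEANUP => 1);    # private (0700) directory, not shared /tmp
my $pre = CGI::Session->new(undef, undef, {Directory => $dir});
my $pre_id = $pre->id;
$pre->flush();
undef $pre;

my $q = CGI->new({CGISESSID => $pre_id});
my ($session, $cookie) = start_logged_in_session($q, $dir);

print "pre-login ID reused: ", ($session->id eq $pre_id ? "yes" : "no"), "\n";
print "old session file kept: ", (-e "$dir/cgisess_$pre_id" ? "yes" : "no"), "\n";
print "Set-Cookie: $cookie\n";
```

In a CGI::Application run mode the returned cookie would go to `header_props(-cookie => $cookie)` exactly as in the `cgiapp_prerun()` above.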

      Hi Anne,

      Another option is to use CGI::Application::Session. It also provides seamless integration with CGI::Session. I use Apache::AuthCookieDBI to handle user authentication, but the logic in my cgiapp_prerun handler is similar (if user is not logged in, redirect to a runmode that displays login page).

      William

      Hi, I'm using CGI::Application too, but I don't know how to use sessions. I mean, this is the functionality I would like:

      1. If a user is unregistered, he just stays at the index page till he presses the register link, which directs him to a register runmode. Then when he registers, I add him to the database, his username, password and email. Then I redirect him to the login page, and show him a login form. When he logs in successfully, and checks a checkbox (make me a cookie or something) I want to create a session for him, where I store his session data in a mysql table.

      2. If he arrives at the index page and he's already registered and does have a cookie stored, I want to display a welcome msg to him and so on.

      So my question is, where would I put the different stuff? In what subs? Would I put it in cgi_prerun? Because I don't want to automatically redirect the unregistered users to a register page when they come to the page, they'll have to click the register button first.

      And also, how do I store the session stuff in the mysql table? I mean, does the Driver:mysql take care of it? What if I want more fields? How do I store stuff in them? Thank you

        timmey, I am no expert on this as I just figured it out for myself, but I'll give it a shot. Please keep in mind that my site is in the development stage and is not being used yet. Nevertheless, here's what I'm doing. Perhaps other, experienced monks will correct anything wrong if I unwittingly lead you astray.

        So my question is, where would I put the different stuff? In what subs? Would I put it in cgi_prerun? Because I don't want to automatically redirect the unregistered users to a register page when they come to the page, they'll have to click the register button first.

        CGI::Application:
        I open my databases in setup(). As seen above in a previous post, cgiapp_prerun() is used for session and cookie creation. The only other time I alter session information is after a successful login or registration which sets the 'loggedin' session parameter to true. And that's all there is to session management on my site. teardown() is used to disconnect databases. And so far I have a runmode that validates logins and registrations and a runmode for all other pages.

        Registration/Login:
        There is a small box on each page of my site, that is used to display information about the current page or section, but also is used to allow logins and logouts. From that box, you can login, go to the register page, or to have your login reset if you forgot the details. Once you are logged in, the box displays a welcome (only directly after a login or registration), allows you to logout, or change your display preferences.

        Security Code:
        I put all the authentication stuff, namely form creation (login and registration), form validation and password digest generator in a separate authentication module. I fooled around with validation for a while until I came upon Data::FormValidator. D::FV greatly reduced my lines of code and made code maintenance way easy. Also, I don't make the user login after registering, I just set their session 'loggedin' param to true. Obviously the registration page code comes before the login code so it knows what to display in the information box.

        Database Code:
        My database functions all go into the same module. Each database function is passed only one parameter, the CGI::Session object. This gives me access to the CGI.pm object, CGI::Session object, and database handles, when I need them. Once I stumbled upon this, things started coming together for me.

        CGI Output:
        The whole page comes together with a separate module that pulls page components into a template for use with Template Toolkit. Every page is made up of a banner (with a site-wide navbar), footer, left navbar (section specific), and right information box. My section-specific navbars are created automatically based on information stored in a database. That makes it easier to add pages. Now I just create the page, and then add an entry to the database, specifying the applicable section, and other page-specific stuff.

        Authorization:
        In the same content database, I store an authorization level for each page. My cgi output module checks to see if the user's authz level matches or exceeds that of the page. To handle authz of newly registered users, they all get set to the lowest. And I get an email when a registration occurs. (Actually, the email thing is not yet implemented.) If I see an email address registered that belongs to one of our members or executive, I send them an email asking if they registered, and if so, I up their authorization level. Obviously we don't have a huge membership base or I would have to automate it.

        And also, how do I store the session stuff in the mysql table? I mean, does the Driver:mysql take care of it? What if I want more fields? How do I store stuff in them?

        CGI::Session:
        Stupidly easy to use. Ahhh....once you figure it out, that is. I don't even bother with a database. Just tell it what tmp directory to use and it automatically creates a session file. If you change a session parameter, it automatically stores it. Incredible. If you want another field, add a parameter like so:  $session->param(-name=>'new', -value=>'value');. One thing I'm still thinking about is when to get rid of old session files. I haven't looked into this much so can't help you there yet.

        Good luck

        Anne
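
Added example, not part of Anne's post: one way to handle the open question above about old session files, using the `find()` class method of CGI::Session 4.x to walk the session directory from a scheduled job. The function name `purge_sessions`, the age limits and the temporary directory holding two constructed sessions are assumptions.

```perl
use strict;
use warnings;
use CGI::Session;
use File::Temp qw(tempdir);

# Remove file-based sessions created more than $max_age seconds ago.
# Sessions whose own expire() time has passed are removed by
# CGI::Session itself as find() loads them, and arrive here empty.
sub purge_sessions {
    my ($dir, $max_age) = @_;
    my $removed = 0;
    CGI::Session->find(
        'driver:file',
        sub {
            my ($session) = @_;
            return if $session->is_empty;      # already expired and gone
            if ($session->ctime + $max_age <= time) {
                $session->delete();
                $session->flush();             # remove the file right away
                $removed++;
            }
        },
        {Directory => $dir},
    );
    return $removed;
}

# Constructed demonstration: two fresh sessions in a private directory.
my $dir = tempdir(CLEANUP => 1);
for (1 .. 2) {
    my $s = CGI::Session->new(undef, undef, {Directory => $dir});
    $s->param(-name => 'logged_in', -value => 0);
    $s->flush();
}

# Nothing is older than a day, so the first pass keeps both files;
# a limit of 0 seconds treats every stored session as too old.
print "removed with 1-day limit: ", purge_sessions($dir, 24 * 3600), "\n";
print "removed with 0-second limit: ", purge_sessions($dir, 0), "\n";
```

Because the limit is measured from creation time, it also caps how long any one session ID stays valid, independent of the `expire('+1h')` idle timeout set in `cgiapp_prerun()`.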

Re: Re: Re: Regarding User Sessions
by Anonymous Monk on Apr 12, 2004 at 12:18 UTC
    Anneq, could you please give an example program, so that I can use it as my reference? Pls.......... Thank you
