Re: How to code security for Expires Page

by jorg (Friar)
on Jun 06, 2001 at 15:45 UTC ( #86172=note )

in reply to How to code security for Expires Page

You're looking to build a user session that is constructed upon logon and invalidated after a timeout or when the user presses 'logout'. Mind you that browser caching often can get in the way here, so you need to be careful.

Generally there are three ways of building the notion of state (or session) for a webuser :
  • Carry all your variables and userinfo around in hidden variables (NOT recommended)
  • Cookies (NOT recommended because will fail if the user has cookies switched off)
  • URL rewriting : Assign a unique sessionID to each logged on user and append this ID to each URL

A supersearch on keyword 'session' reveals a lot of stuff that should send you on your way.

"Do or do not, there is no try" -- Yoda

    Re: How to code security for Expires Page
    by pmas (Hermit) on Jun 06, 2001 at 17:48 UTC
      I want to provide a little more guidance. One more reason why not to use cookies: cookie data are limited (I believe max 2K). For PDAs it might be even less. It really should be only some kind of ID.

      How to use SessionID:

      You need to store the sessionID in a database. For each sessionID you'll store all needed information, like UserID (no need to put it into a cookie). When the user logs in, you'll check if s/he has a session, if it expired, etc., and read all the info you thought you wanted to store in the cookie. You may not allow a new login before the old session expired, to avoid multiple persons accessing the same data.

      If the sessionID is valid, you may want to 'renew' the expiration timestamp, so the session will expire i.e. after 15 minutes idle.

      For a valid new login, you create a new sessionID (really big random number) and pass it on into every page in that session. Even if a malicious user tries to subvert your security, there is little chance s/he will guess a valid sessionID and be able to impersonate another user.

      Hope this helps.


        How can I generate the session ID? IIS normally generates it for me, but does CGI also do that? I'm really new to CGI-Perl.
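The pieces described in the replies above (a big random sessionID, a server-side session table keyed by that ID, a sliding idle expiry, a single-session rule, logout, and URL rewriting), put together as one added Perl example. This is not code from either poster; it uses an in-memory hash as a stand-in for the database table pmas describes (a real CGI needs persistent storage, since each request is a fresh process), assumes a Unix-like system with /dev/urandom for randomness, and assumes the page URLs being rewritten carry no query string yet.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Stand-in for the session table in the database: sid => { user_id, expires }.
# Assumption for this example only; a CGI must persist this across requests.
my %SESSIONS;
my $IDLE_TIMEOUT = 15 * 60;   # 15 minutes idle, as suggested above

# Generate a large random session ID: 32 bytes from /dev/urandom,
# hex-encoded to 64 characters. Assumes a Unix-like system.
sub new_session_id {
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    my $n = read $fh, my $bytes, 32;
    close $fh;
    die "short read from /dev/urandom" unless defined $n && $n == 32;
    return unpack 'H*', $bytes;
}

# Called after the password check succeeds. Creates a session for $user_id,
# or returns undef if that user already has a live session (single-session
# rule from the reply above).
sub login {
    my ($user_id) = @_;
    for my $s (values %SESSIONS) {
        return undef if $s->{user_id} eq $user_id && $s->{expires} > time;
    }
    my $sid = new_session_id();
    $SESSIONS{$sid} = { user_id => $user_id, expires => time + $IDLE_TIMEOUT };
    return $sid;
}

# Look up the sessionID that came in with the request. Returns the user ID
# on a valid, unexpired session and renews the idle timer; undef otherwise.
sub validate_session {
    my ($sid) = @_;
    # Reject anything that is not a 64-hex-char ID before touching storage.
    return undef unless defined $sid && $sid =~ /\A[0-9a-f]{64}\z/;
    my $s = $SESSIONS{$sid} or return undef;
    if ($s->{expires} <= time) {
        delete $SESSIONS{$sid};          # expired: drop it, treat as logged out
        return undef;
    }
    $s->{expires} = time + $IDLE_TIMEOUT;  # sliding expiry on each valid hit
    return $s->{user_id};
}

# The 'logout' link: invalidate the session immediately, server side.
sub logout {
    my ($sid) = @_;
    delete $SESSIONS{$sid};
}

# URL rewriting (jorg's third option): append the ID to every link.
# Assumes $base has no query string yet.
sub rewrite_url {
    my ($base, $sid) = @_;
    return "$base?sid=$sid";
}

# Walk through one session's life when run directly.
if (!caller) {
    my $sid = login('alice') or die "login failed";
    print "session:      $sid\n";
    print "link:         ", rewrite_url('/members/home.pl', $sid), "\n";
    print "valid for:    ", validate_session($sid) // 'nobody', "\n";
    print "second login: ", defined login('alice') ? 'allowed' : 'refused', "\n";
    logout($sid);
    print "after logout: ", validate_session($sid) // 'nobody', "\n";
}
```

Every page in the protected area calls validate_session on the sid it received and sends the user back to the login form when it gets undef; the user ID and anything else per-user comes from the server-side record, never from the URL or a cookie. The format check before the lookup means a malformed or guessed ID costs nothing more than a regex match.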
