http://www.perlmonks.org?node_id=45107

lindex has asked for the wisdom of the Perl Monks concerning the following question:

Ok so I am working on this small mod_perl project. This project requires me to use cookies to maintain session info, but very small session info such as username, password, time of login. Now usually I would do this by just creating a string with a delimiter and using that as the cookie's value. But as I was sitting there I realized it would be really cool if I just serialized an array as my cookie value and then just used it on every session's use. Now mind you I haven't had much use for serializing data in Perl so I might be wrong in the entire idea, but here is some basic code to give an example as to what I am doing.

    use Storable qw(nfreeze thaw);

    # $q is the CGI query object, created elsewhere in the program.
    sub make_cookie {
        return $q->cookie(
            -name    => 'sessionID',
            -value   => unpack("H*", nfreeze(['1245', 'foo', 'foopass'])),
            -expires => '+10m',    # CGI.pm's parameter name is -expires
            -secure  => 0,
        );
    }

    # Hex-decode the cookie value and thaw it back into a list.
    sub see_cookie {
        return @{ thaw(pack("H*", $_[0])) };
    }

I think that this idea should work, but I am getting an error from Storable saying "Magic number checking on storable string failed etc etc ..". Would anyone care to shed a little light on my situation?


lindex
/****************************/ jason@gost.net, wh@ckz.org http://jason.gost.net /*****************************/

Re: Serializing Cookies ???
by steveAZ98 (Monk) on Dec 06, 2000 at 03:04 UTC
    This code seems to work for me if I change from nfreeze to freeze as in the code below. I'm not sure what your error means, I was unable to duplicate it. Here are two scripts that I put together to test these routines.
    HTH
        #!/usr/bin/perl -w
        use CGI;
        use Storable qw(freeze);

        my $q = CGI->new();

        # Freeze the array, hex-encode it, and use that as the cookie value.
        sub make_cookie {
            $q->cookie(
                -name  => 'Test',
                -value => unpack("H*", freeze(['1245', 'foo', 'foopass'])),
                -path  => '/',
            );
        }

        print $q->header(-cookie => make_cookie());
        print $q->start_html(-title => 'Test cookie');
        print "Cookie Set<br>";
        print $q->end_html;
    and this to retrieve the cookie.
        #!/usr/bin/perl -w
        use CGI;
        use Storable qw(thaw);

        my $q = CGI->new();

        # Hex-decode the cookie value and thaw it back into a list.
        sub see_cookie {
            @{ thaw( pack("H*", $_[0]) ) };
        }

        print $q->header();
        print $q->start_html(-title => 'Test cookie');
        print "Cookie Value: ", (join " -- ", see_cookie($q->cookie('Test')) ), "<br>";
        print $q->end_html;
    Update:
    I tried these scripts under mod_perl also and they work in that environment also (Apache::Registry). I would take a look at your Storable module.
      Hmm, maybe it's the install of Storable on my machine, or maybe mod_perl has issues with Storable or vice versa?


      lindex
      /****************************/ jason@gost.net, wh@ckz.org http://jason.gost.net /*****************************/
Re: Serializing Cookies ???
by lhoward (Vicar) on Dec 06, 2000 at 03:23 UTC
    The docs from CGI::Cookie indicate that it already supports automatic serialization of simple data structures:
    ... The value can be a scalar, an array reference, or a hash reference. (At some point in the future cookies will support one of the Perl object serialization protocols for full generality).
        use CGI qw(header);
        use CGI::Cookie;

        # A hash reference is accepted directly as the cookie value.
        my $cookie2 = CGI::Cookie->new(
            -name  => 'preferences',
            -value => { font => 'Helvetica', size => 12 },
        );
        print header(-cookie => [$cookie2]);
(Ovid) Re: Serializing Cookies ???
by Ovid (Cardinal) on Dec 06, 2000 at 02:47 UTC
    I can't comment on your actual problem, but I thought I should point out that using cookies to store password information is not a very secure practice. You can check out http://www.google.com/search?q=cross-site+scripting+vulnerability+cookie+javascript for some examples of how easy it is to snatch passwords this way. Also, are you running on a secure server? If not, then you're sending the password out every time the cookie is set, thus increasing the vulnerability. Since you are sending the username WITH the password, you're handing over the keys to the kingdom.

    Cheers,
    Ovid

    Update: lindex has a good point. Sometimes this isn't an issue.

    Join the Perlmonks Setiathome Group or just click on the link and check out our stats.

      This issue of security is very minor in this script. I am well aware of the risks of storing passwords in form data or cookies, but all the authentication tables in SQL (Oracle) are controlled from a linked Access database that is for all intent world readable+writeable, so I just do what my boss tells me and try and have fun with my code along the way :)
      Update:
      Plus the network is all internal;
      the ppl using it don't have access to the "int0rnet soopa hIway" :)



      lindex
      /****************************/ jason@gost.net, wh@ckz.org http://jason.gost.net /*****************************/
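
The thaw-the-cookie approach from steveAZ98's reply combined with Ovid's caveat, as an added example that is not part of the thread: Storable's documentation warns against thawing data from untrusted sources, and a cookie is client-controlled, so this sketch only thaws a value whose HMAC the server can verify, and it keeps the password out of the cookie. The names `$SECRET`, `ct_eq`, `pack_session` and `unpack_session` and the sample values are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example (not from the thread): authenticate a Storable cookie before thaw().
use strict;
use warnings;
use Storable qw(nfreeze thaw);
use Digest::SHA qw(hmac_sha256_hex);

# Assumption: a server-side secret; in real use it is loaded from configuration.
my $SECRET = 'constructed-demo-key-change-me';

# Compare two strings without stopping at the first differing byte.
sub ct_eq {
    my ($x, $y) = @_;
    return 0 unless length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Cookie value = hex(frozen data) . "." . hex(HMAC-SHA256 over that hex string).
sub pack_session {
    my @fields = @_;
    my $hex = unpack('H*', nfreeze(\@fields));
    return $hex . '.' . hmac_sha256_hex($hex, $SECRET);
}

# Returns the field list, or an empty list for a missing, malformed or altered cookie.
sub unpack_session {
    my ($value) = @_;
    return unless defined $value;
    my ($hex, $mac) = $value =~ /\A((?:[0-9a-f]{2})+)\.([0-9a-f]{64})\z/ or return;
    return unless ct_eq($mac, hmac_sha256_hex($hex, $SECRET));
    my $data = eval { thaw(pack('H*', $hex)) };    # thaw() croaks on a bad image
    return unless ref $data eq 'ARRAY';
    return @$data;
}

# Constructed sample: session id, user name, login time (no password in the cookie).
my $cookie = pack_session('1245', 'foo', time);
print join(' -- ', unpack_session($cookie)), "\n";

# Flip the first hex digit to simulate a cookie altered on the client side.
(my $tampered = $cookie) =~ s/^(.)/$1 eq '0' ? '1' : '0'/e;
print scalar(() = unpack_session($tampered)), " fields from tampered cookie\n";
print scalar(() = unpack_session(undef)), " fields from missing cookie\n";
```

The HMAC only detects modification; the hex-encoded fields remain readable by anyone who holds the cookie.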