There are many ways to do it; here's mine:

I wanted to semi-securely identify users to my site, having them log in
once, and then never have the need to log in again (as long as they're at the
same computer).

So, I used cookies (perldoc CGI)  to set a unique session ID, once a user
had logged in.

When a user enters a username and a password, the username is looked up and
if the MD5 hash of the password matches the one stored in the database, a
sessionID is created.  In order to generate a SessionID which is reasonably
tamper-proof, I concatenated the IP address the person was connecting from
($ENV{REMOTE_ADDR}) with the username they had, and tacked on a 10-digit
random number.

I then used Digest::MD5 to create an MD5 base64 hash of this value, which
was set as a cookie on the visitor's computer.  The random number, the IP
address, the numeric ID of the user, and the Session key were stored in a
sessions table.

Now, when a user visits the site, most of the time I just look up the
sessionID returned by CGI->cookie('SessionID') and assume that they're
logged in correctly.  In cases of high security (admin functions) I can
regenerate the MD5 hash from the table to ensure it matches.

Here's the code to store a cookie:

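use CGI;
my $q = CGI->new;

# Build the cookie object; CGI.pm formats the Set-Cookie header from it.
my $cookie = $q->cookie(-name    => 'Name of Cookie',
                        -value   => 'Value of Cookie',
                        -expires => '+1y',              # cookie lasts a year
                        -domain  => '.allakhazam.com'); # sent to every host under this domain
# Send the cookie along with the content type in the HTTP header.
print $q->header(-cookie => $cookie,
                 -type   => 'text/html');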

To get a cookie:

use CGI;
my $q = CGI->new;
my $cookie_value = $q->cookie('Name of Cookie');
# $cookie_value is now 'Value of Cookie'

For excellent reading on different ways to use SessionIDs, consult
"Writing Apache Modules in Perl and C" from O'Reilly.  Also consult the
cookie spec at Netscape.com
(http://www.netscape.com/newsref/std/cookie_spec.html).

For more info on controlling cookies from CGI.pm, consult its
documentation.

Hope that helps,

--A

-----Original Message-----
From: Brian Shoemaker [mailto:[EMAIL PROTECTED]]
Sent: May 8, 2001 4:59 PM
To: [EMAIL PROTECTED]
Subject: Session Variables


Hello.

I am attempting to find some information on using session variables in
Perl/CGI.

When someone logs into my site, the script will check a flat-text database
and if the user has entered a correct username and password, the user will
be validated. At this point, a session variable will be set so the user will
not have to log in again.

Unfortunately, I can't seem to find any information about how to do this.
Any info would be appreciated.

Brian Shoemaker
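
The session-ID scheme described in the reply above, written out as an added example (not the poster's code). The %users and %sessions hashes stand in for the database tables and the user and addresses are constructed; reading the random number from /dev/urandom, and rebuilding the hash from the current request's address on admin pages, are assumptions.

```perl
use strict;
use warnings;
use Digest::MD5 qw(md5_base64);

# Stand-ins for the users and sessions tables (constructed sample data).
my %users = (42 => 'alice');
my %sessions;

# 10-digit random number. Assumption: read from /dev/urandom, because rand()
# is predictable and the random part is what keeps the ID unguessable.
sub random_10_digits {
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    read($fh, my $buf, 8) == 8 or die "short read from urandom";
    close $fh;
    return join '', map { sprintf '%05d', $_ % 100_000 } unpack 'NN', $buf;
}

# Called once the password check has succeeded.
sub create_session {
    my ($ip, $user_id) = @_;
    my $rand = random_10_digits();
    my $sid  = md5_base64($ip . $users{$user_id} . $rand);
    $sessions{$sid} = { ip => $ip, user_id => $user_id, rand => $rand };
    return $sid;
}

# Normal page: the cookie only has to match a row in the sessions table.
# Admin page ($strict): rebuild the hash from the address of the current
# request plus the stored random number, so a cookie presented from another
# address is refused.
sub check_session {
    my ($sid, $ip, $strict) = @_;
    my $row = defined $sid ? $sessions{$sid} : undef;
    return undef unless $row;
    return $row->{user_id} unless $strict;
    my $expect = md5_base64($ip . $users{ $row->{user_id} } . $row->{rand});
    return $expect eq $sid ? $row->{user_id} : undef;
}

# Constructed requests: one login, then three page views with the same cookie.
my $sid = create_session('192.0.2.10', 42);
for my $case (['normal, same address', '192.0.2.10',   0],
              ['admin, same address',  '192.0.2.10',   1],
              ['admin, other address', '198.51.100.7', 1]) {
    my ($label, $ip, $strict) = @$case;
    my $uid = check_session($sid, $ip, $strict);
    printf "%-22s %s\n", $label, defined $uid ? "user $uid" : 'rejected';
}
```

The normal-page path accepts the cookie from any address, so only the admin path ties the session to the address recorded at login.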

