Murali,
Yes, I have a site that uses the exact mechanism that you state. As Jeff
said though, you should have an "auto-logout" feature. I implemented this
as a cron job that runs every 30 minutes and checks each session for the
last time it has been accessed. I'm sure there are other ways to
auto-logout - I thought doing it outside of mod_perl is a good idea just to
take some load off of it.
-Adi
Jeff Beard wrote:
>
> This is a question for comp.infosystems.www.authoring.cgi.
>
> But since I'm here...
>
> I would check for the cookie every time a request is made. If you use
> Apache::Session there will be a separate session data store from the user
> data. Which is probably what you really want. Apache::Session will allow
> you to associate whatever data you like with the session id within its own
> schema.
>
> If the browser is closed, the cookie will remain. You can have a logout
> feature but there will always be a significant percentage of users that
> won't bother. So limit the life of the cookie with the time value and
> periodically cull stale sessions on the server.
>
> --Jeff
>
> At 05:21 PM 4/19/00, Differentiated Software Solutions Pvt. Ltd. wrote:
> >Hi,
> >
> >My question is much more basic than that. I wanted to validate my design
> >ideas on programmatic security.
> >I would like somebody to go through the following and tell me that I'm on
> >the right track.
> >
> >The idea I had was, at the time of login, I generate the session id which I
> >write to the cookie.
> >I have also tied to this session_id the user's login profile.
> >Every other screen checks for the cookie's existence and reads back the
> >session_id and gets the user's profile. I hope I'm right till then.
> >When the user signs out then we can delete the tied file.
> >Now any person who has access to the same browser will still have to login
> >to get to the inner pages.
> >
> >If the browser is killed without sign-out from the system, even then there's
> >no problem.
> >Next person who gets access to the browser and tries to access any inner
> >page will not be able to, because the cookie with the session-id does not
> >exist.
> >
> >Am I right ??? Please help.
> >
> >Thanks,
> >
> >Murali
> >
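The design the three messages above converge on (an unguessable session id in a cookie, the user's profile kept server-side under that id, the server-side record deleted on sign-out, and a periodic sweep that kills idle sessions) is written out below as an added example. It is not code from this thread or from Apache::Session; the thread is about mod_perl, and Python is used here only as a stand-in so the logic can be run as-is. The names SessionStore, login, lookup, logout, cull_stale, handle_request and the cookie name SESSION_ID are all assumptions made for the example, and the 30-minute idle timeout is taken from Adi's cron interval. The cookie is issued without Expires/Max-Age so the browser discards it when it is closed, which is the case Jeff raises; the HttpOnly and Secure attributes are additions beyond what the thread discusses.

```python
import secrets
import time
from dataclasses import dataclass
from http.cookies import SimpleCookie

# Idle timeout in seconds; 30 minutes matches the cron interval mentioned in the thread.
IDLE_TIMEOUT = 30 * 60
COOKIE_NAME = "SESSION_ID"  # assumed cookie name for this example


@dataclass
class Session:
    user: str
    profile: dict
    last_access: float


class SessionStore:
    """Server-side session data, keyed by a random session id (stand-in for Apache::Session)."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT, now=time.time):
        self.idle_timeout = idle_timeout
        self._now = now          # injectable clock so the expiry logic can be tested
        self._sessions = {}

    def login(self, user, profile):
        # 256 bits from the OS CSPRNG: the id must not be derived from user name, time or a counter,
        # since the cookie is the only credential presented on later requests.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user, dict(profile), self._now())
        return sid

    def lookup(self, sid):
        """Return the profile for sid, refreshing its last-access time; None if unknown or idle too long."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._now()
        if now - s.last_access > self.idle_timeout:
            del self._sessions[sid]   # expired: treat exactly like a missing session
            return None
        s.last_access = now
        return s.profile

    def logout(self, sid):
        """Sign-out deletes the server-side record, so a lingering cookie is worthless afterwards."""
        return self._sessions.pop(sid, None) is not None

    def cull_stale(self):
        """The periodic sweep Adi runs from cron: drop every session idle longer than the timeout."""
        now = self._now()
        stale = [sid for sid, s in self._sessions.items() if now - s.last_access > self.idle_timeout]
        for sid in stale:
            del self._sessions[sid]
        return len(stale)

    def active_count(self):
        return len(self._sessions)


def session_cookie_header(sid):
    # No Expires/Max-Age: a session cookie, discarded when the browser exits.
    # HttpOnly keeps script from reading it; Secure keeps it off plain HTTP.
    return f"Set-Cookie: {COOKIE_NAME}={sid}; Path=/; HttpOnly; Secure"


def parse_session_id(cookie_header):
    """Pull the session id out of a request's Cookie header, or None if absent."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    morsel = jar.get(COOKIE_NAME)
    return morsel.value if morsel else None


def handle_request(store, cookie_header):
    """What every 'inner' page does: check the cookie, look the session up, else demand a login."""
    sid = parse_session_id(cookie_header)
    profile = store.lookup(sid) if sid else None
    if profile is None:
        return ("login-required", None)
    return ("ok", profile)


if __name__ == "__main__":
    store = SessionStore()
    sid = store.login("murali", {"role": "member"})
    print(session_cookie_header(sid))
    print(handle_request(store, f"{COOKIE_NAME}={sid}"))      # ('ok', {'role': 'member'})
    store.logout(sid)
    print(handle_request(store, f"{COOKIE_NAME}={sid}"))      # ('login-required', None)
```

Note that lookup() enforces the idle timeout itself, so a session that the sweep has not yet reached is still refused once it is stale; cull_stale() only keeps the store from growing.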