On Mon, 12 Jun 2000, Dylan Weed wrote:
> Option three (removing all page-specific state from the session hash)
> seems like the right thing to do.
It is. I don't know any other way to handle this situation correctly.
> I'd like to avoid it if possible, however, because it means passing
> more information through URLs and having to secure it.
Securing it isn't that tough. If you just want to be sure it wasn't
tampered with, an MD5 token can take care of it, like Apache::TicketAccess
uses. If you don't want people to read it, you can use one of the
Crypt:: modules from CPAN. The O'Reilly "Algorithms in Perl" book has a
nice discussion of them.
- Perrin
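
The tamper check described in the reply above, as an added example that is not part of the original message or of Apache::TicketAccess: it signs page state carried in a URL and rejects modified or expired values. It uses HMAC-SHA-256 from the core Digest::SHA module in place of the MD5 token the message mentions; the function names, the secret and the sample state are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Constructed secret for the demo; in practice load it from server-side config.
my $SECRET = 'constructed-demo-secret-not-for-production';

# Percent-encode / decode byte strings so '&' and '=' in values cannot split fields.
sub esc   { my $s = shift; $s =~ s/([^A-Za-z0-9_.~-])/sprintf('%%%02X', ord $1)/ge; $s }
sub unesc { my $s = shift; $s =~ s/%([0-9A-Fa-f]{2})/chr hex $1/ge; $s }

# Canonical form: keys sorted, so the same state always yields the same MAC.
sub canonical { my $st = shift; join '&', map { esc($_) . '=' . esc($st->{$_}) } sort keys %$st }

# Serialize page state into a query string with an expiry and a MAC appended.
sub sign_state {
    my ($state, $ttl) = @_;
    my %st = (%$state, exp => time + $ttl);
    my $payload = canonical(\%st);
    return $payload . '&mac=' . hmac_sha256_hex($payload, $SECRET);
}

# Compare without stopping at the first differing byte.
sub ct_eq {
    my ($x, $y) = @_;
    return 0 if length $x != length $y;
    my $diff = 0;
    $diff |= ord(substr $x, $_, 1) ^ ord(substr $y, $_, 1) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Return the state hashref if the MAC checks out and it has not expired, else undef.
sub verify_state {
    my ($query) = @_;
    my ($payload, $mac) = $query =~ /\A(.*)&mac=([0-9a-f]{64})\z/s or return;
    return unless ct_eq($mac, hmac_sha256_hex($payload, $SECRET));
    # Parse only after the MAC has been verified.
    my %st = map { unesc($_) } map { split /=/, $_, 2 } split /&/, $payload;
    return unless defined $st{exp} && $st{exp} =~ /\A\d+\z/ && $st{exp} > time;
    return \%st;
}

# Constructed sample state: sign it, then change one field and verify again.
my $qs = sign_state({ page => 3, sort => 'price', cart => 'a1,b7' }, 900);
print "signed:   $qs\n";
print "intact:   ", (verify_state($qs) ? "accepted" : "rejected"), "\n";
(my $tampered = $qs) =~ s/page=3/page=9/;
print "tampered: ", (verify_state($tampered) ? "accepted" : "rejected"), "\n";
```

This covers only the tamper-detection case: the state stays readable in the URL, so values that must be hidden need encryption as well, which is where the Crypt:: modules mentioned above come in.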