pv2100 at gmail
Jul 16, 2011, 10:16 PM
Post #11 of 14
Back to Vincent's original request about session id and login: how secure is
Re: Authentication logic [was: Changing browser URL based on condition]
[In reply to]
your session id? Have you signed it? If not, someone can try to sending
random IDs and break your authentication.
Well, if you sign it and sign it properly, you basically end up with the
same idea in those "Authen + Ticket + Gate" CPAN modules. Besides a time
stamp, you should also sign with user's IP. If the cookie is stolen, the
origin of IP may protect as the last hope.
(if you are using https, then all the above procedures do not matter)
The second idea is that you may not need to store session on the server at
all: if the information in the session is merely user information such as
user id, name, email etc., you can concatenate them into the cookie value
(again, sign it). So the next time the user visits, you automatically get
those information back from the cookie.
On Sat, Jul 16, 2011 at 6:06 PM, Perrin Harkins <perrin [at] elem> wrote:
> On Sat, Jul 16, 2011 at 1:01 PM, Vincent Veyron <vv.lists [at] wanadoo>
> > As I said, I replaced the call to tie with :
> > $r->pnotes('session' => Storable::retrieve($session_file));
> > where $session_file again is retrieved from the cookie.
> > What I can't find out is : how do I store %session into a database
> > without using tie??
> That's what I'm trying to explain. You can either use the Storable
> API to put your session into a string, and then write to a database
> using standard DBI, or you can use a pre-built tool like CGI::Session.
> To serialize your session to a string, you can do something like this:
> use Storable qw(nfreeze);
> $serialized = nfreeze \%session;
> See the Storable docs for more.
> - Perrin