Session Cookie Mod
Copyright 2000, oldmoney

Summary: Session Cookie Mod creates a persistent session, enabling users to login to your DB just once per session. Now they can go to other non-DB pages on your site or even other sites, and when they return to the DB they are still logged in provided they have not closed all browser windows (e.g. killed the session cookie). Sessions expire and users can still log off as per normal.

Requirements: Matt's HTTP Cookie Library, found at www.worldwidemart.com/scripts/cookielib.shtml

Instructions:

1. Download cookie.lib, change the variable $Cookie_Domain = '.yourdomain.com'; and upload to your server with the permissions 644.

2. In db.cgi, add
after
and add
after

3. In auth.pl, replace
with
and replace
with

That's it... some final thoughts: I have tested this with multiple DBs sharing a common auth and password files. It will require substantial modification if you are running multiple DBs with separate password files. You can cut down on server overhead by moving most of the static HTML out of default.pl, and could also extend this mod to completely eliminate the authorization check for viewing records (assuming your DB is configured to allow the default user). Finally, integration with other scripts should be easier since the current session is now stored in a cookie.

------------------
The Immuatable Order of Modding
-=-=-=-=-=-=-=-
1. Read the FAQ, 2. Search the board, 2a. Search the board again, 3. ask the question, 4. back-up, 5. experiment, 6. rephrase question (or better yet, post solution to original question)

[This message has been edited by oldmoney (edited April 01, 2000).]

Great job, oldmoney...I am sure that many DBMAN users will appreciate this Mod.

Regards,

------------------
Eliot Lee....
Former Handle: Eliot
* Check Resource Center
* Search Forums

Oldmoney!!!!!

You are a god!!! Right up there with Carol and her understudy (Elliot).

This will have to be one of the most important mods to come through yet for dbman!

(Atleast in my opinion anyways - considering I've been hacking away at something like this and failed on many occassions.)

Great job!!


------------------
-----------
millsie :)

A smile a day...
keeps the viri' away.

Thank you both for the kind words... I happen to think this mod should become a standard install for all DBMan projects like Carol's secure password lookup, but then again I'm a little biased ...

------------------
The Immuatable Order of Modding
-=-=-=-=-=-=-=-
1. Read the FAQ, 2. Search the board, 2a. Search the board again, 3. ask the question, 4. back-up, 5. experiment, 6. rephrase question (or better yet, post solution to original question)

I haven't looked into this a whole lot yet, but does it require that the users accept cookies?


------------------
JPD

Yes, the mod requires that users accept cookies, specifically session cookies. On IE5, there are separate security settings for both regular cookies (written to HD) and session cookies (volatile) to accept/reject/prompt.

If they do not (or cannot?) accept the session cookie, the mod will efficiently degrade to default behavior, that is, leave a DBman page-lose the login.

------------------
The Immuatable Order of Modding
-=-=-=-=-=-=-=-
1. Read the FAQ, 2. Search the board, 2a. Search the board again, 3. ask the question, 4. back-up, 5. experiment, 6. rephrase question (or better yet, post solution to original question)

Thanks for the info. It looks like good work and I'm sure there will be those who will want to use it. I appreciate your contributing the the forum.

(BTW, I had email from someone who uses the same hosting company as you do and they had the exact problem you had with the auth directory. It's definitely a server problem. I'm still trying to think of a workaround for it.)


------------------
JPD

Well...

Your session cookie works perfectly... For IE... however for Netscape.. it doesn't...

I've just finished intergrating a postboard with DBman and it's perfect as long as they Users are using IE..

Netscape is another story...

Any Ideas??

------------------
-----------
millsie :)

A smile a day...
keeps the viri' away.

I used Matt Wright's popular HTTP Cookie Library for all of the cookie functions, specifically the functionality described in his readme as...

There appears to be a basic incompatibility with Navigator and the &SetCookies function in the Library, not with the rest of my code. I may investigate this later, but will unlikely have time to do so for the next month or so as I will be traveling...

For now, consider this an IE-only mod, which is fine by me...

------------------
The Immuatable Order of Modding
-=-=-=-=-=-=-=-
1. Read the FAQ, 2. Search the board, 2a. Search the board again, 3. ask the question, 4. back-up, 5. experiment, 6. rephrase question (or better yet, post solution to original question)



[This message has been edited by oldmoney (edited April 16, 2000).]

I installed your MOD exactly as perscribed, and it works perfectly for both IE and Netscape. I know it's not just my computer, as dbman is being tested by over 40 other people, about half using netscape. No problems with it. Just make sure you enter your domain name (or your IP address) in cookie.lib, as it indicates.

Also, note that IE is usually more forgiving when it comes to syntax, while Netscape is pretty picky about it.

--Lee

Yes, the MOD works exactly as perscribed on both IE and Netscape. I did encounter a problem initially with Netscape however. All the code above works perfectly. However, in the cookie.lib where it says:
$Cookie_Domain = '';
I first tried do it like this:
$Cookie_Domain = 'domain.com';
This worked for IE but not Netscape.
So then I tried this:
$Cookie_Domain = 'www.domain.com';
This worked for both IE and Netscape. I guess the problem with Netscape is it doesn't recoginze www.domain.com and domain.com as being the same thing.

That's what happened for me.
Adam

Ok....Of course I find an issue. It's strange (to me).

I have 2 db's running at say these addresses:
www.domain.com/cgi-bin/dbman1/db.cgi
www.domain.com/cgi-bin/dbman2/db.cgi
Both use the same .pass auth/ and .log

I login to either one and go out and back to the same one and the cookie works great.
However,
I login to one and try to go to the other and ......nope.....doesn't work, it prompts me to login again.

If I login to both I can go back to both.....

Any ideas? Are cookies that specific (I thought they were only domain specific).

Thanks for the help!
Adam

I figured it out.

When $Cookie_Path = ''; is left blank it uses the path that sets it.
So I changed it to $Cookie_Path = '/cgi-bin'; and now it seems to be working. (Still in both Netscape and IE.) Log into one, cookie is set, head over to the other and the door is wide open

HI!

I just started using this, really cool! My question is this: can I grab the sessionID to use it within the URL.

Reason is that I sometimes lets the users go off to none DBMan pages and from there want them to be able to return to a specific page/file within DBMan.

For this to work- you need the proper URL, i e "cgi-bin/dbman.cgi?db=data&uid=USER.99703043932596&check=1"

for instance...

if the USER.84747463636 isnt in there, they are thrown to the login.

I guess Im doing something wrong here.... any help most appreciated!

Thanks! :)

Once they log off or exit the DB they loose their login status. What you could do however is to just have the other pages open up in a new window?

Unoffical DBMan FAQ
http://webmagic.hypermart.net/dbman/

Cool. Thats actually exactly what I do, and its working fine now - here is what happens:

* User is logged in and "cookied" in DB Man
* Enters a section outside of DB Man through new window
* Returns to DB Man through a link from that new window, and keeps the login status because of the cookie

Now, only prob is that when the user returns - its without the session info in the URL as I cant provide a link containing that from the new window. This is kind of OK as the user will still be able to use DB Man, as its logged in through the cookie. BUT, the DB Man script doesnt recognize the user as "fully" logged in because of the fact that the session ID is not provided in the URL.

I know, its tough to follow the above, but I hope you understand what Im meaning...

----

Another question on a similar note: how can I pass on values from DB Man into another .cgi driven application that is opened up in a new window? i e <form> <input typer=hidden value=something_from_a_dbman_field> ..... <submit>

Thanks! :)

Can't they just close the other window and return to the database .. where they would still be logged in?

The answer to your second question might be found in the FAQ noted below under the section for "Files / Records". I think i recently posted a thread related to doing that.

Unoffical DBMan FAQ
http://webmagic.hypermart.net/dbman/

Eric, you are correct in that when they return to the DB from a non-Db page they are still logged in *but* the session is no longer embedded in the URL. However, when they next select any DBman link (or function), the session ID will be automatically "re-acquried" by DBman and added to the new URL. Hope this makes sense... and if yours doesn't work this way, I'll have to dig out my code and see why because mine does. :)

If you absolutely must have the session ID embedded when they *first* come back, this is certainly possible but not the way it is currently constructed.

What are the commands for killing an existing cookie set by this mod? Thanks!

The cookie should be stored in a file called cookies.txt on your own computer .. you should just be able to remove that reference from the file or start over with a new cookie.txt file.

Unoffical DBMan FAQ

http://creativecomputingweb.com/dbman/index.shtml/

Hmm I'm not sure it is cookies.txt

You'd need to clear your cookies directory and or temporary internet files to delete the cookie.

Hi again

When looking at what other sites cookies looks like they are usually named:

Cookie:username@msn.com

and the same string is used for the "Internet address" field.



The cookies that gets produced through my db man (using above) doesnt however, they are instead named with the URL of my script...



Why is this? Can I change this in the settings for cookie.lib?



Thanks!

Is dbman on the same server as the web browser?

I run apache on my pc and all cookies are user@domain.com except those for local domains which show the url. That might be the reason?