modperl
Re: Implementing security in CGI
by Adi
Apr 19 2000 9:17AM
Murali,

Yes I have a site that uses the exact mechanism that you state.  As Jeff
said though, you should have an "auto-logout" feature.  I implemented this
as a cron job that runs every 30 minutes and checks each session for the
last time it has been accessed.  I'm sure there are other ways to
auto-logout - I thought doing it outside of mod_perl is a good idea just to
take some load off of it.

-Adi

Jeff Beard wrote:
>  
>  This is a question for comp.infosystems.www.authoring.cgi.
>  
>  But since I'm here...
>  
>  I would check for the cookie every time a request is made. If you use
>  Apache::Session there will be a separate session data store from the user
>  data. Which is probably what you really want. Apache::Session will allow
>  you to associate whatever data you like with the session id within its own
>  schema.
>  
>  If the browser is closed, the cookie will remain. You can have a logout
>  feature but there will always be a significant percentage of users that
>  won't bother. So limit the life of the cookie with the time value and
>  periodically cull stale sessions on the server.
>  
>  --Jeff
>  
>  At 05:21 PM 4/19/00, Differentiated Software Solutions Pvt. Ltd. wrote:
>  >Hi,
>  >
>  >My question is much more basic than that. I wanted to validate my design
>  >ideas on programmatic security.
>  >I would like somebody to go through the following and tell me that I'm on
>  >the right track.
>  >
>  >The idea I had was, at the time of login, I generate the session id which I
>  >write to the cookie.
>  >I have also tied to this session_id the user's login profile.
>  >Every other screen checks for the cookie's existence and reads back the
>  >session_id and gets the user's profile. I hope I'm right till then.
>  >When the user signs out then we can delete the tied file.
>  >Now any person who has access to the same browser will still have to login
>  >to get to the inner pages.
>  >
>  >If the browser is killed without sign-out from the system, even then there's
>  >no problem.
>  >Next person who gets access to the browser and tries to access any inner
>  >page will not be able to, because the cookie with the session-id does not
>  >exist.
>  >
>  >Am I right ??? Please help.
>  >
>  >Thanks,
>  >
>  >Murali
>  >
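The design the three messages describe, written out as an added example (in Python rather than Perl, and not Apache::Session's own API): an opaque session id issued at login, a server-side record tying the profile and last-access time to that id and checked on every request, sign-out deleting the record, and a periodic cull that does the auto-logout Adi runs from cron. IDLE_LIMIT and the cookie attributes are assumptions.

```python
import secrets
import time

IDLE_LIMIT = 30 * 60  # assumed idle timeout (seconds); Adi's cron job runs every 30 minutes


def _now(now):
    return time.time() if now is None else now


class SessionStore:
    """Server-side session data keyed by an opaque id; the cookie carries only the id."""

    def __init__(self):
        self.sessions = {}  # session_id -> {"profile": ..., "last_access": ...}

    def login(self, profile, now=None):
        """Generate an unguessable session id and tie the user's profile to it."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"profile": profile, "last_access": _now(now)}
        return sid

    def lookup(self, sid, now=None):
        """Called on every request: an unknown or idle-expired id yields no profile."""
        now = _now(now)
        entry = self.sessions.get(sid)
        if entry is None:
            return None
        if now - entry["last_access"] > IDLE_LIMIT:
            del self.sessions[sid]  # stale session: treat as already logged out
            return None
        entry["last_access"] = now  # activity keeps the session alive
        return entry["profile"]

    def logout(self, sid):
        """Sign-out deletes the server-side record; the cookie alone is then useless."""
        self.sessions.pop(sid, None)

    def cull(self, now=None):
        """The periodic auto-logout: remove every session idle longer than IDLE_LIMIT."""
        now = _now(now)
        stale = [s for s, e in self.sessions.items() if now - e["last_access"] > IDLE_LIMIT]
        for s in stale:
            del self.sessions[s]
        return len(stale)


def session_cookie(sid, max_age=IDLE_LIMIT):
    """Set-Cookie value that limits the cookie's life, as Jeff suggests (attributes assumed)."""
    return f"session_id={sid}; Max-Age={max_age}; Path=/; HttpOnly; Secure"
```

A browser that was closed without signing out still holds the cookie, so the server-side check, not the cookie's presence, is what keeps the next user of that browser out.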