Ok, I've never developed a sessioning system from scratch, so I have some
questions. This is what I am doing, and I want to know if anyone sees any
problems:
User Database:
1.> db_name
2.> user_name
3.> encrypted_password
4.> email_address
5.> permissions
Sessions Database:
1. Session_key
2. ip_address (REMOTE_ADDR)
3. user_name
4. browser string (HTTP_USER_AGENT)
5. expires (+20m)
6. permissions, db_name, etc.
Process:
1.> Check for session
<SESSION EXISTS>
Is cgi->param( username ) defined?
<YES, USER LOGGING-IN AGAIN -> Jump 'Create New Session'>
else Is there a session_key available?
<YES!>
Is there a matching db_record with the same ip_addr (REMOTE_ADDR)?
<YES>
Has this session expired?
<NO>
Does user_name_cookie and UserAgent string match the record?
<YES>
Is the record for the current db_name?
<YES>
return permissions
If any test fails, try 'Create New Session'
2.> Create New Session
Does cgi->param( user_name ) match a user_db record?
<YES>
Does the encrypted version of cgi->param( password ) match record?
<YES>
create session, set cookie, return permissions
<NO>
return 'PWD_NO_MATCH' error
<NO>
Create an anonymous user record, set cookie, return low-privileges
Any failures return a warning, error, or undef, depending on severity.
Does this look right?
Any help is appreciated,
Grant M.
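An added example, not the poster's code and in Python rather than the post's Perl CGI, that walks the 'Check for session' chain and the 'Create New Session' step above as two methods over in-memory User and Sessions tables. The salted PBKDF2 password hash, the constant-time comparison, the OS-random session key and the sample user record are assumptions introduced here, not details from the post.

```python
import hashlib
import hmac
import secrets

SESSION_TTL = 20 * 60  # the post's "+20m" expiry, in seconds

def hash_password(password, salt):
    # Assumption: the post's "encrypted_password" is stored as a salted PBKDF2 hash.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_sample_users():
    # Constructed sample user record; a real salt would come from secrets.token_bytes(16).
    salt = b"constructed-salt"
    return {"grant": {"salt": salt, "pw_hash": hash_password("correct horse", salt),
                      "db_name": "app_db", "permissions": "admin"}}

class SessionStore:
    def __init__(self, users):
        self.users = users      # user_name -> record (the post's User Database)
        self.sessions = {}      # session_key -> record (the post's Sessions Database)

    def _new_session(self, user_name, ip, ua, db_name, permissions, now):
        key = secrets.token_urlsafe(32)  # unguessable key: 256 bits from the OS CSPRNG
        self.sessions[key] = {"ip": ip, "ua": ua, "user_name": user_name,
                              "db_name": db_name, "permissions": permissions,
                              "expires": now + SESSION_TTL}
        return key, permissions

    def create_session(self, user_name, password, ip, ua, db_name, now):
        """The post's 'Create New Session' step: (session_key, permissions) or (None, error)."""
        user = self.users.get(user_name)
        if user is None or user["db_name"] != db_name:
            # Unknown user: the post falls back to an anonymous, low-privilege session.
            return self._new_session("anonymous", ip, ua, db_name, "low", now)
        if not hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"]):
            return None, "PWD_NO_MATCH"
        return self._new_session(user_name, ip, ua, db_name, user["permissions"], now)

    def check_session(self, key, ip, ua, user_name, db_name, now):
        """The post's 'Check for session' chain: permissions, or None if any test fails."""
        rec = self.sessions.get(key)
        if rec is None or rec["ip"] != ip:
            return None
        if now > rec["expires"]:
            del self.sessions[key]          # expired: drop it so the key cannot be revived
            return None
        if rec["user_name"] != user_name or rec["ua"] != ua or rec["db_name"] != db_name:
            return None
        rec["expires"] = now + SESSION_TTL  # sliding expiry: each valid hit extends +20m
        return rec["permissions"]
```

Each failed check returns None so the caller falls through to create_session, exactly as the post's "If any test fails, try 'Create New Session'" describes; the caller must still set and read the cookie itself.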