I ended up using CGI::Session..

The access is all via 128 Verisign cert.. so no probs there..

CGI::Session also has an "ip check" feature you can turn on to make sure a
login ID has the same IP each time.
It also allows me to "expire" a session if it's not been used for 15
minutes..

It does a lot of other cool stuff.. including the storage of anything you
want in the session data.. so you can save data between iterations of the
script.. (I'll eventually move to mod_perl, but for now this will be fine..
it's all taint mode, using strict and warnings reporting no errors etc.. so
mod_perl should be easy to swap to later.)

Also if you use CGI::Session with MySQL, you get the added benefit of the db
username/password.
(The default mode of CGI::Session is to save state info into a session file
in a tmp dir somewhere..)

It's a very useful module.. together with CGI::Application and HTML::Template
they are my favorite modules..
Till I find a better one.. (I change favorites a lot while searching CPAN :-)


rgds

franki


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Mark Weaver
Sent: Wednesday, 18 December 2002 3:23 AM
To: [EMAIL PROTECTED]
Subject: Re: [expert] CGI session management.


Franki wrote:
> Hi Guys,
>
> I have to setup an online database of our clients details so they can log
> in and see all their latest transactions and stuff...
>
>
> I have written most of the app already using perl with CGI::Application
> and HTML::Template (and of course DBI..)
>
> However, one thing concerns me.. session management.. I could use
> CGI::Session to do the job, (previously, for non secret stuff, I have just
> set a cookie and used that to validate login.. but cookies are not secure
> enough for this application.)
>
> After much reading and searching, I found it said many times that session
> management was best done by the web server not the application...
>
> can anyone extrapolate on that?  Is there a cross platform way of doing
> it??? something I could move over to one of our other servers.. (maybe
> even the one IIS box we have..)
>
> or should I just use CGI::Session with MySQL lookups to do it???
>
> In the same vein, can .htaccess files be setup to use MySQL tables to
> validate users???
>
>
> Any tips would be much appreciated.
>
>
>
> regards
>
> Frank

Frank,

I've been looking at this a lot lately as well for some of the same
reasons and applications. One of the things I'm seeing pop up quite
often is the use of .htaccess files for authentication with a bit of
encryption for good measure.

You might also include a small routine in your main PERL script to allow
for user authentication, storing the values in a table which is readable
only by authentic users knowing their login. You could then use an SSL
connection between the CGI and the database for sending the
username/password pairs over an insecure line.

I've been using a variation of this scheme to accommodate lower security
needs where authentication is required for access points to an online
application, and it works out nicely for all involved.

Of course the authentication routines have to be at the forefront of the
entire application, and nothing else may proceed unless the user is
properly authenticated, making the PERL program accessible only in a very
small part. If there is no "good" value pair stored inside the program,
which should be wiped out at session end, then any and all commands
passed to the program are outright rejected by the program.

Mark
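
Putting Franki's CGI::Session setup from the top of the thread (IP check, 15 minute idle expiry, MySQL-backed store, data kept in the session) together with Mark's point that the authentication check has to run before anything else can proceed, here is an added example of what such a CGI::Application script can look like. It is not code posted by either of them. The portal database credentials, the clients and transactions tables, the cookie name and the crypt()-based password check are assumptions made for the example, and it uses the CGI::Session 4.x -ip_match import (older releases set $CGI::Session::IP_MATCH instead) and CGI::Application's cgiapp_prerun hook.

```perl
#!/usr/bin/perl -T
# Added example (not Franki's or Mark's code): a CGI::Application script whose
# every run mode sits behind a CGI::Session login gate.  The portal database
# credentials, the clients/transactions tables and the crypt()-based password
# check are assumptions made for this example.
package ClientPortal;
use strict;
use warnings;
use base 'CGI::Application';
use CGI::Session qw(-ip_match);   # a session id presented from another IP is treated as unknown
use DBI;

sub setup {
    my $self = shift;
    $self->start_mode('login');
    $self->run_modes(
        login        => 'login',
        transactions => 'transactions',
        logout       => 'logout',
    );
    # The DB credentials are the only secret the script holds; session state
    # stays server-side and the browser only ever gets the session id.
    my $dbh = DBI->connect('DBI:mysql:database=portal;host=localhost',
                           'portal_user', 'portal_pass', { RaiseError => 1 });
    $self->param(dbh => $dbh);
    # The mysql driver keeps its state in (assumed to exist already):
    #   CREATE TABLE sessions (id CHAR(32) NOT NULL PRIMARY KEY, a_session TEXT NOT NULL)
    # new() loads the session named by the CGISESSID cookie, or starts an empty
    # one when the cookie is missing, expired, unknown, or sent from another IP.
    my $session = CGI::Session->new('driver:mysql', $self->query, { Handle => $dbh });
    $session->expire('+15m');     # idle timeout: 15 minutes without a request and it is gone
    $self->param(session => $session);
}

# The gate.  CGI::Application calls this before any run mode; unless the session
# already carries a user_id from a successful login, the requested mode is
# replaced by 'login', so no other code path is reachable while logged out.
sub cgiapp_prerun {
    my ($self, $rm) = @_;
    my $session = $self->param('session');
    $self->prerun_mode('login') unless defined $session->param('user_id');
    # Re-issue the session cookie on every response; -secure keeps it on the SSL side.
    my $cookie = $self->query->cookie(
        -name => CGI::Session->name, -value => $session->id, -secure => 1, -path => '/');
    $self->header_props(-cookie => $cookie);
}

sub login {
    my $self    = shift;
    my $q       = $self->query;
    my $session = $self->param('session');
    my ($login, $pw) = ($q->param('login'), $q->param('password'));
    if (defined $login && defined $pw) {
        my ($id, $hash) = $self->param('dbh')->selectrow_array(
            'SELECT id, pw_hash FROM clients WHERE login = ?', undef, $login);
        # crypt()-style hash compare (assumed storage format); a plain eq is not
        # constant-time, which is acceptable here only because the login name
        # lookup already costs a DB round trip.
        if (defined $hash && crypt($pw, $hash) eq $hash) {
            $session->param(user_id => $id);
            $session->flush;              # write it out now rather than at DESTROY time
            return $self->transactions;
        }
    }
    # Same page whether the login was unknown or the password wrong.
    return q{<form method="post"><input name="rm" type="hidden" value="login">
      Login: <input name="login"> Password: <input name="password" type="password">
      <input type="submit" value="Log in"></form>};
}

sub transactions {
    my $self = shift;
    my $q    = $self->query;
    my $uid  = $self->param('session')->param('user_id');   # guaranteed by cgiapp_prerun
    my $rows = $self->param('dbh')->selectall_arrayref(
        'SELECT posted, amount, memo FROM transactions WHERE client_id = ? ORDER BY posted DESC',
        undef, $uid);
    my $out = "<ul>\n";
    for my $r (@$rows) {
        my ($posted, $amount, $memo) = map { $q->escapeHTML($_) } @$r;  # never echo DB data raw
        $out .= "<li>$posted $amount $memo</li>\n";
    }
    return $out . "</ul>";
}

sub logout {
    my $self = shift;
    $self->param('session')->delete;      # drop the server-side record; the cookie is now worthless
    $self->param('session')->flush;
    return 'Logged out.';
}

package main;
ClientPortal->new->run;
```

The point of keeping the check in cgiapp_prerun rather than in each run mode is the one Mark makes: a new mode added later is covered automatically, and a request that arrives with no session, an expired one, or a session id replayed from a different address never reaches anything but the login form. The script only ever hands the browser a session id, so the cookie by itself tells an attacker nothing; what protects the id in transit is the SSL Franki already has in front of it plus the -secure flag on the cookie.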
