I really wish the developer(s) would not write their READMEs in such a manner that it might be taken to mean that mod_perl is required (darn, that was a labored sentence I just wrote).
I recently chose to use CGI::Session over Apache::Session precisely because it said something early on in the README about Apache::Session wanting or needing mod_perl.

Does anyone know of someplace where there is a side-by-side comparison of these various modules and their relative advantages/disadvantages? If not, I would be willing to accept contributed documents and set up a page with this info....

One thing about session security that has concerned me since I read the OWASP 10 most critical web application security vulnerabilities, and that I'm not sure I fully understand, is that with cookie or query-string session IDs it's possible to spoof the session ID (by a lucky guess/brute force or eavesdropping) and hijack a session. They say one way to deal with this is to check the IP address of where your session user is and whether it changes mid-session. I'm wondering, if you run https, are cookies still vulnerable, or are they at least as protected as SSL makes them? Also, do any of the Perl session modules have built-in handlers for this? Not that it's such a pain to write a routine to do this, just that if sessions are known to be vulnerable to spoofing, a "good" package for sessions would have some methods built in for these sorts of checks.

Jeff Kolber
[EMAIL PROTECTED]
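As an added example (not code from the original post, nor CGI::Session's own), here is the mid-session IP check described above built on CGI::Session's documented API, plus the cookie flags that let HTTPS actually protect the ID in transit: the session is bound to the client's address and User-Agent when created and discarded when either changes. The `/tmp` session directory and the 30-minute idle timeout are assumptions; CGI::Session also offers a `-ip_match` import flag that enforces the address part of this check by itself.

```perl
use strict;
use warnings;
use CGI;
use CGI::Session;

my $SESSION_DIR = '/tmp';   # assumed storage location for the File driver

# What the client looks like on this request. Adding the User-Agent means a
# guessed or sniffed ID alone is not enough; clients behind NAT or proxy pools
# can change address legitimately, so a mismatch ends the session, nothing more.
sub client_fingerprint {
    my ($cgi) = @_;
    return join '|', $cgi->remote_addr, ($cgi->user_agent || '');
}

# Load the session named by the CGISESSID cookie (or start a fresh one)
# and throw it away if the stored fingerprint no longer matches the caller.
sub load_session {
    my ($cgi) = @_;
    my $session = CGI::Session->new('driver:File', $cgi, { Directory => $SESSION_DIR })
        or die CGI::Session->errstr;
    my $stored = $session->param('_fingerprint');
    my $now    = client_fingerprint($cgi);

    if (defined $stored && $stored ne $now) {
        warn sprintf "session %s rejected: created from %s, now %s\n",
            $session->id, ($session->remote_addr || '?'), $cgi->remote_addr;
        $session->delete;           # remove it server-side ...
        $session->flush;
        $session = CGI::Session->new('driver:File', undef, { Directory => $SESSION_DIR })
            or die CGI::Session->errstr;   # ... and continue anonymously
    }
    $session->param('_fingerprint', $now) unless defined $session->param('_fingerprint');
    $session->expire('+30m');       # idle timeout shrinks the window for a guessed ID
    return $session;
}

my $cgi     = CGI->new;
my $session = load_session($cgi);

# Secure keeps the cookie off plain HTTP; HttpOnly keeps it away from page
# scripts. HTTPS protects the ID in transit, not against guessing or leaks.
my $cookie = $cgi->cookie(
    -name     => $session->name,
    -value    => $session->id,
    -secure   => 1,
    -httponly => 1,
);
print $cgi->header(-type => 'text/plain', -cookie => $cookie);
print "session ", $session->id, " is bound to this client\n";
$session->flush;
```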