What I'm doing is this:

Using DBI to store info for Apache::Session w/ cookies.  I'm using MySQL and
added an additional field to the sessions table that contains a timestamp.

A couple of fields stored in session data are username and crypted passwd...
it's checked at critical points of the application.

As a user runs through the site, $session_args{heartbeat}++ is called for
each page.  This makes sure the timestamp on the row in the db is updated.

I have a cron that runs and checks to make sure the session isn't stale by
checking the timestamp (i.e. if it's 30 minutes old, then the user has "timed
out").  If the session is too old, I just delete the record.  I could get
fancier and unset the auth information, but I haven't done this yet.
Anyway, the next time the client hits the app and requests session 'X',
the server returns a nice little error message.

BTW, if anyone sees any flaws in this system (security-wise), please let me
know.

Ian
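The scheme above (timestamp column, per-page heartbeat, cron purge of rows older than 30 minutes), as an added example that is not Ian's code and not Apache::Session's: it models the sessions table in SQLite so it runs offline, uses assumed names (`stamp`, `heartbeat`, `purge_stale`, `load_session`), and additionally applies the age check at request time so a session that the cron has not yet reached is refused as soon as it is 30 minutes idle.

```python
"""Added example (not from the original post): sessions table with a timestamp
column, the per-request heartbeat, the cron-style purge, and a request-time
age check.  SQLite stands in for MySQL; the 30-minute limit is the post's."""
import sqlite3

MAX_AGE_SECONDS = 30 * 60  # the post's 30-minute idle timeout


def open_store():
    """Constructed stand-in for the MySQL sessions table: Apache::Session's
    id/a_session columns plus the extra timestamp column the post adds."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sessions (id TEXT PRIMARY KEY, a_session BLOB, "
               "stamp INTEGER NOT NULL)")
    return db


def create_session(db, sid, data, now):
    """Insert a new session row stamped with the current time (epoch secs)."""
    db.execute("INSERT INTO sessions VALUES (?, ?, ?)", (sid, data, int(now)))


def heartbeat(db, sid, now):
    """Equivalent of $session_args{heartbeat}++: refresh the row's timestamp.
    Returns False if the session row no longer exists (already purged)."""
    cur = db.execute("UPDATE sessions SET stamp = ? WHERE id = ?",
                     (int(now), sid))
    return cur.rowcount == 1


def purge_stale(db, now):
    """The cron job: delete every row idle for MAX_AGE_SECONDS or longer.
    Returns the number of sessions removed."""
    cur = db.execute("DELETE FROM sessions WHERE stamp <= ?",
                     (int(now) - MAX_AGE_SECONDS,))
    return cur.rowcount


def load_session(db, sid, now):
    """Request-time lookup.  Applies the same age rule as the purge, so the
    window between cron runs does not keep an idle session usable.
    Returns the session data, or None when the caller should show the
    'session not found' error."""
    row = db.execute("SELECT a_session, stamp FROM sessions WHERE id = ?",
                     (sid,)).fetchone()
    if row is None or int(now) - row[1] >= MAX_AGE_SECONDS:
        return None
    return row[0]
```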
