At 05:36 PM 4/20/00, Differentiated Software Solutions Pvt. Ltd. wrote:

>a) [...] then do we have a
>security hole? Is not the user assuming that by killing the browser we are
>exiting the system !!

Yes, there is a security risk. HTTP is an insecure protocol. You can use the 
ideas that have been thrown out here to do your part in making it more 
secure but the other part is the user's responsibility. All you can do is 
inform them of the risks and eschew responsibility for how they use the system.

>b) Does all this mean that functionally, Apache::Session is a random number
>generator with ability to store data and retrieve data associated with these
>random numbers. Is this all that it does ??

Basically.

>c) Most importantly for our application, We've written all the programs in
>perl/CGI (not mod_perl). I've now realised my folly in not starting off with
>mod_perl.... but the deed is done. Can I use Apache::Session or any of these
>modules under plain vanilla CGI. Will this work ??

You could remove the session management from the CGI and put it in a 
handler. You can also use Apache::Registry to run your CGIs. From a 
performance standpoint, this would be preferable. You just have to be more 
disciplined in the way you code.

And yes, Apache::Session works under regular CGI.

--Jeff


Jeff Beard
_______________________________
Web:            www.cyberxape.com
Phone:  303.443.9339
Location:       Boulder, CO, USA
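
The points above about Apache::Session under regular CGI and about a user who just closes the browser, shown as an added example that is not part of the original message: a plain CGI script that keeps the session server-side and drops it after an idle period. The cookie name `SID`, the `last_seen` key, the directory paths and the 15-minute limit are assumptions chosen for illustration.

```perl
#!/usr/bin/perl
# Added example (not from the thread): Apache::Session under plain CGI,
# with an idle timeout enforced on the server rather than by the browser.
use strict;
use warnings;
use CGI;
use Apache::Session::File;

# Assumed paths: both must exist and be writable by the web server user.
my %STORE = (
    Directory     => '/var/tmp/sessions',
    LockDirectory => '/var/tmp/sessions/locks',
);
my $IDLE_LIMIT = 15 * 60;    # assumed: seconds of inactivity allowed

my $q   = CGI->new;
my $raw = $q->cookie('SID');
# Accept only the 32-hex-digit ids Apache::Session generates by default.
my ($id) = defined $raw ? $raw =~ /\A([0-9a-f]{32})\z/ : ();

my %session;
# tie() dies when the id is not in the store (never issued, or already
# deleted), so an unknown id always ends up with a fresh session.
unless (defined $id
        && eval { tie %session, 'Apache::Session::File', $id, \%STORE; 1 }) {
    tie %session, 'Apache::Session::File', undef, \%STORE;
}

# The server cannot see the browser being closed, so expire on inactivity.
my $now = time;
if (defined $session{last_seen} && $now - $session{last_seen} > $IDLE_LIMIT) {
    tied(%session)->delete;    # remove the stale record from the store
    untie %session;
    tie %session, 'Apache::Session::File', undef, \%STORE;
}
$session{last_seen} = $now;

# No -expires: the cookie lasts only for the browser session.
my $cookie = $q->cookie(
    -name     => 'SID',
    -value    => $session{_session_id},
    -httponly => 1,
);
print $q->header(-type => 'text/plain', -cookie => $cookie);
print "session active\n";

untie %session;    # write changes back and release the lock
```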

