Re: Re: Mainting State On IIS 4 Without Cookies/Hidden Fields

2001-06-26 Thread Mark Bergeron

This may seem like a simple task for those of us who have some hands-on experience
with Perl, but when I was starting out I couldn't ever get the cookie bit going. There
are lots of tutorials, this is true. None, however, give simple step-by-step instruction
on creating, retrieving and deleting the things. How many of you out there have
successfully used cookies?

-----Original Message-----
From: "Curtis Poe"<[EMAIL PROTECTED]>
To: "CGI Beginners"<[EMAIL PROTECTED]>
Date: Tue Jun 26 09:33:53 PDT 2001
Subject: Re: Mainting State On IIS 4 Without Cookies/Hidden Fields

>--- David Simcik <[EMAIL PROTECTED]> wrote:
>> Hi,
>>  I'm looking for a way to maintain session-like state in my perl scripts
>> running on IIS. While I'm certain I've seen modules for this under Apache,
>> are there any equivalents under IIS? I'm certainly willing to look at
>> workarounds as well. :-)
>> 
>> Thanks.
>> DTS
>
>Since HTTP is a stateless protocol, you're asking a question that has, unfortunately, plagued
>developers for years.  If you're trying to maintain state in httpd sessions, you have a few
>options.
>
>Query strings and extra path information.
>
>I don't care for this method, as one is forced to try to reliably parse all links in documents.
>
>Cookies.
>
>This is the most reliable. It's easy to use and doesn't matter if the user leaves your site and
>returns later. However, if your Web site is dedicated to the premise that "BATF employees are a
>bunch of jack-booted thugs", many of your users are probably concerned about privacy and have
>cookies disabled.
>
>Hidden fields.
>
>I like this method, but it only works across a series of form submissions. If the user leaves your
>site and returns later, state information is probably lost.  One can use this with regular Web
>pages if Javascript is enabled and all hyperlinks are turned into form submissions, but this
>requires Javascript to be enabled.
>
>Regardless of the method used, you should probably be employing some form of generating a digest
>or random key for the session id. I prefer the idea of generating a digest with MD5 or SHA1, since
>many people who try to generate a random key will do so on their own and not generate a key random
>enough. Unless you're a cryptography wiz (and I'm not), trying to "roll your own" is bad if you
>are really concerned about security.
>
>Ugh!  I just read your subject.  You want to do this *without* cookies or hidden fields.  You'll
>have to go with the first option, which is ugly.  The problem you're facing is that there is no
>reliable way to ensure that you're talking to the same person at any given time.  (IPs can
>frequently change, even for the same person on the same session).
>
>If you're interested in using user information to generate a digest, the following algorithm is
>listed in 'CGI Programming with Perl', second edition, by O'Reilly (how the heck do you properly
>attribute a book, anyway?  I can never remember):
>
>use Digest::MD5 qw(md5_base64);
>
>my $remote = $ENV{REMOTE_ADDR} . $ENV{REMOTE_PORT};
># md5_base64 is a plain function (not an object method); it hashes the
># concatenation of its arguments.
>my $id = md5_base64( time, $$, $remote );
>$id =~ tr|+/=|-_.|; # Make non-word characters URL-friendly
>
>Further, here's a quote from the book regarding this method: 
>
>This does a good job of generating a unique key for each request. However, it is not intended to
>create keys that cannot be cracked. If you are generating session identifiers that provide access
>to sensitive data, then you should use a more sensitive method to generate an identifier.
>
>Cheers,
>Curtis Poe
>
>=
>Senior Programmer
>Onsite! Technology (http://www.onsitetech.com/)
>"Ovid" on http://www.perlmonks.org/
>

/~_. _ | _ _  _  _ 
\_/|(_||| | |(_)| |
 _|





Re: Mainting State On IIS 4 Without Cookies/Hidden Fields

2001-06-26 Thread fliptop

Curtis Poe wrote:
> 
> listed in 'CGI Programming with Perl', second edition, by O'Reilly (how the heck do you properly
> attribute a book, anyway?  I can never remember):

you can't in an email, because the book title is supposed to be
underlined.

http://www.english.uiuc.edu/cws/wworkshop/bibliography/mla/mlamenu.htm

is a good resource for this type of thing.



Re: Mainting State On IIS 4 Without Cookies/Hidden Fields

2001-06-26 Thread Brett W. McCoy

On Tue, 26 Jun 2001, David Simcik wrote:

>   I'm looking for a way to maintain session-like state in my perl scripts
> running on IIS. While I'm certain I've seen modules for this under Apache,
> are there any equivalents under IIS? I'm certainly willing to look at
> workarounds as well. :-)

If you are using ASP, there is a global Session object you can access
(although it is nowhere as smart and cool as the Apache::Session stuff).
Otherwise, you will probably need to implement something using DB_File or
similar.

-- Brett
   http://www.chapelperilous.net/btfwk/

Leibowitz's Rule:
When hammering a nail, you will never hit your
finger if you hold the hammer with both hands.




Re: Mainting State On IIS 4 Without Cookies/Hidden Fields

2001-06-26 Thread Curtis Poe

--- David Simcik <[EMAIL PROTECTED]> wrote:
> Hi,
>   I'm looking for a way to maintain session-like state in my perl scripts
> running on IIS. While I'm certain I've seen modules for this under Apache,
> are there any equivalents under IIS? I'm certainly willing to look at
> workarounds as well. :-)
> 
> Thanks.
> DTS

Since HTTP is a stateless protocol, you're asking a question that has, unfortunately, plagued
developers for years.  If you're trying to maintain state in httpd sessions, you have a few
options.

Query strings and extra path information.

I don't care for this method, as one is forced to try to reliably parse all links in documents.

Cookies.

This is the most reliable. It's easy to use and doesn't matter if the user leaves your site and
returns later. However, if your Web site is dedicated to the premise that "BATF employees are a
bunch of jack-booted thugs", many of your users are probably concerned about privacy and have
cookies disabled.

Hidden fields.

I like this method, but it only works across a series of form submissions. If the user leaves your
site and returns later, state information is probably lost.  One can use this with regular Web
pages if Javascript is enabled and all hyperlinks are turned into form submissions, but this
requires Javascript to be enabled.

Regardless of the method used, you should probably be employing some form of generating a digest
or random key for the session id. I prefer the idea of generating a digest with MD5 or SHA1, since
many people who try to generate a random key will do so on their own and not generate a key random
enough. Unless you're a cryptography wiz (and I'm not), trying to "roll your own" is bad if you
are really concerned about security.

Ugh!  I just read your subject.  You want to do this *without* cookies or hidden fields.  You'll
have to go with the first option, which is ugly.  The problem you're facing is that there is no
reliable way to ensure that you're talking to the same person at any given time.  (IPs can
frequently change, even for the same person on the same session).

If you're interested in using user information to generate a digest, the following algorithm is
listed in 'CGI Programming with Perl', second edition, by O'Reilly (how the heck do you properly
attribute a book, anyway?  I can never remember):

use Digest::MD5 qw(md5_base64);

my $remote = $ENV{REMOTE_ADDR} . $ENV{REMOTE_PORT};
# md5_base64 is a plain function (not an object method); it hashes the
# concatenation of its arguments.
my $id = md5_base64( time, $$, $remote );
$id =~ tr|+/=|-_.|; # Make non-word characters URL-friendly

Further, here's a quote from the book regarding this method: 

This does a good job of generating a unique key for each request. However, it is not intended to
create keys that cannot be cracked. If you are generating session identifiers that provide access
to sensitive data, then you should use a more sensitive method to generate an identifier.

Cheers,
Curtis Poe

=
Senior Programmer
Onsite! Technology (http://www.onsitetech.com/)
"Ovid" on http://www.perlmonks.org/

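An added example, not part of the post above or of the book it cites: for the query-string option with a session id that cannot be guessed, this sketch draws the id from the operating system's random source instead of a digest of time, PID and client address, and attaches an HMAC so a tampered id is rejected. It assumes a Unix-like /dev/urandom (on IIS/Windows a module wrapping the system CSPRNG would take its place); the names random_bytes, new_session_id, sign_id, verify_token, the sid parameter and the /cgi-bin/app.pl path are made up for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);   # core module since Perl 5.10

# Assumption: a Unix-like random device; IIS/Windows needs a CSPRNG module instead.
sub random_bytes {
    my ($n) = @_;
    open my $fh, '<:raw', '/dev/urandom' or die "no random source: $!";
    my $got = read $fh, my $buf, $n;
    close $fh;
    die "short read from random source\n" unless defined $got && $got == $n;
    return $buf;
}

# 128 random bits as 32 hex characters, which are already URL-safe.
sub new_session_id { return unpack 'H*', random_bytes(16) }

# Query-string token: "<id>.<HMAC-SHA256 of id under the server key>".
sub sign_id {
    my ($key, $id) = @_;
    return $id . '.' . hmac_sha256_hex($id, $key);
}

# Returns the id when the token is well formed and its MAC matches, else undef.
# A forged id is rejected here, before any lookup in the session store.
sub verify_token {
    my ($key, $token) = @_;
    return undef unless defined $token
        && $token =~ /\A([0-9a-f]{32})\.([0-9a-f]{64})\z/;
    my ($id, $mac) = ($1, $2);
    my $want = hmac_sha256_hex($id, $key);
    my $diff = 0;   # accumulate differences instead of stopping at the first one
    $diff |= ord(substr $mac, $_, 1) ^ ord(substr $want, $_, 1) for 0 .. 63;
    return $diff == 0 ? $id : undef;
}

# Constructed demo values; a real key is loaded from server-side configuration.
my $key    = random_bytes(32);
my $id     = new_session_id();
my $token  = sign_id($key, $id);
my $forged = new_session_id() . substr($token, 32);   # different id, old MAC

print "link:   /cgi-bin/app.pl?sid=$token\n";
print "valid:  ", (defined verify_token($key, $token)  ? "accepted" : "rejected"), "\n";
print "forged: ", (defined verify_token($key, $forged) ? "accepted" : "rejected"), "\n";
```

Ids carried in URLs end up in server logs, browser history and Referer headers, so give them a short lifetime and expire them on the server side.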



Mainting State On IIS 4 Without Cookies/Hidden Fields

2001-06-26 Thread David Simcik

Hi,
I'm looking for a way to maintain session-like state in my perl scripts
running on IIS. While I'm certain I've seen modules for this under Apache,
are there any equivalents under IIS? I'm certainly willing to look at
workarounds as well. :-)

Thanks.
DTS