CGI::Session creates a session even if I don't want it to 
Author Message
 CGI::Session creates a session even if I don't want it to

Hi,

I am using CGI::Session to keep state between page requests.
Because I don't want to use cookies and certainly don't want to use hidden
fields, I put the session id in the url.

I have implemented an explicit logout function which calls
   CGI::Session->delete()

However, if the user presses the 'back' button in the browser, some URL's
with the (now deleted) session are available again.

When the user activates such a link with an old session encoded in it, the
code tries to retreive the session. This should fail, because I've deleted
it. But CGI::Session automagically creates a new session for me. This seems
unwanted default behaviour to me.

Now I have to:
- compare the returned session id with the old id

- delete the session again if the two id's are different

If CGI::Session offered me a retreive_only_() method, I need not do above
extra lines.

Am I the first to notice? It seems others must have had the same problem. Or
is Apache::Session the better supported module?

Thanks for any hints,

~henq



Sun, 25 Sep 2005 05:34:42 GMT  
 CGI::Session creates a session even if I don't want it to

On Tue, 8 Apr 2003, it was written:

Quote:
> Hi,

> I am using CGI::Session to keep state between page requests.
> Because I don't want to use cookies and certainly don't want to use hidden
> fields, I put the session id in the url.

> I have implemented an explicit logout function which calls
>    CGI::Session->delete()

> However, if the user presses the 'back' button in the browser, some URL's
> with the (now deleted) session are available again.

> When the user activates such a link with an old session encoded in it, the
> code tries to retreive the session. This should fail, because I've deleted
> it. But CGI::Session automagically creates a new session for me. This seems
> unwanted default behaviour to me.

> Now I have to:
> - compare the returned session id with the old id

> - delete the session again if the two id's are different

> If CGI::Session offered me a retreive_only_() method, I need not do above
> extra lines.

> Am I the first to notice? It seems others must have had the same problem. Or
> is Apache::Session the better supported module?

> Thanks for any hints,

> ~henq

Hi,

What storage method are you using for the session, if you are storing the
data into a DB, they you can use the DBI to check if the session is a
valid. It is the easiest was round the problem.

Adam



Mon, 26 Sep 2005 06:34:08 GMT  
 
 [ 2 post ] 

 Relevant Pages 

1. Open a Session inside Session

2. Apache::Session::MySQL or Apache::Session::DBI

3. Wanted - front end for TELNET session

4. CGI.pm and CGI::Session problem

5. Help: Creating an FTP Session for WinNT ??

6. Perl to use and create PHP sessions?

7. creating unique session id w/ perl

8. can Perl create secure shell sessions?

9. Don't even read my post above

10. Child processes don't clean up (defunct processes left) even though SIGCHLD does wait()

 

 
Powered by phpBB® Forum Software