David Frauzel
I'm writing a rough draft of a suite of small Perl apps that will,
combined, serve as a web site's user sign-up, login, management, and
customized content engine.
I'm having trouble with the concept of one particular part of the
"application" (as it were) - session tracking. Perl itself is handling
user authentication (since I've no idea how Perl could "ask" the server
who just authenticated to htaccess), so the login script will have an
idea for who is "logged in" - but the nature of the web being
connectionless, scripts any further down the line will not have this same
information.
Hence, the idea of a session - I need to store some kind of information
somewhere (in a MySQL database, in this case) that I can reference, any
time that same user clicks another link, so that:
A) The user doesn't have to continually re-authenticate, of course, and,
B) Any pages (scripts) the user visits which deliver content specific to
that user will actually know who the user is.
I have an inkling of how some pages on the web already do this. They
might,
1) Identify the remote host by IP address ("user Joe is logged on at IP
x.x.x.x"). This approach doesn't seem very realistic, though, since
proxies / NAT can make the meaning of "IP address" ambiguous.
2) Assign a session ID (some arbitrary number) to the client, and store
it as a cookie on the client's machine. Unfortunately, not everyone
accepts cookies.
3) Mangle (via script) all URLs on any page the client visits, so that
they include a parameter including a session ID.
In any of these cases, a sessions table (in my db) would cross-reference
the key (IP address / session ID / whatever) with the user id, idle time,
etc., so that any Perl script will always be able to tell "who" is
talking to it.
These are just ideas I imagined - I haven't done any research. (Well,
this is my research.) I don't like (1) or (2) very much, and (3) seems
like a lot of overhead (and URLs that aren't very pretty to look at).
Could anyone give me feedback on other methods I'm not thinking of? Or if
any of the three above really is the de facto standard?
Thanks in advance.
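Option (2) from the post, carried through as an added example that is not part of the original message: a login script mints a random session ID, stores only its hash in a sessions table with the user id and last-activity time, and every later script maps the cookie back to a user and enforces an idle timeout. It assumes DBI with DBD::SQLite (used in place of MySQL so it runs offline; the schema is unchanged), Digest::SHA, and a readable /dev/urandom.

```perl
use strict;
use warnings;
use DBI;
use Digest::SHA qw(sha256_hex);

# Sessions table. Written for an in-memory SQLite database so the example
# runs offline; the same columns work unchanged in MySQL.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '', { RaiseError => 1 });
$dbh->do(q{CREATE TABLE sessions (
    token_hash TEXT PRIMARY KEY,  -- SHA-256 of the cookie value, never the value itself
    user_id    INTEGER NOT NULL,
    last_seen  INTEGER NOT NULL   -- epoch seconds, drives the idle timeout
)});
my $IDLE_LIMIT = 30 * 60;  # 30 minutes of inactivity ends the session

# 128 bits from the kernel CSPRNG; a counter or timestamp would be guessable.
sub new_token {
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    read $fh, my $buf, 16;
    return unpack 'H*', $buf;
}

# Login script calls this after the password check. Only the hash is stored,
# so a leaked sessions table cannot be replayed as a cookie.
sub create_session {
    my ($user_id) = @_;
    my $token = new_token();
    $dbh->do('INSERT INTO sessions VALUES (?, ?, ?)', undef,
             sha256_hex($token), $user_id, time);
    return "sid=$token; Path=/; HttpOnly; Secure; SameSite=Lax";
}

# Every later script calls this: maps the Cookie header back to a user id,
# enforces the idle limit and refreshes last_seen. Returns undef when the
# cookie is missing, unknown or expired.
sub user_for_cookie {
    my ($cookie_header) = @_;
    my ($token) = ($cookie_header // '') =~ /(?:^|;\s*)sid=([0-9a-f]{32})/ or return;
    my $h = sha256_hex($token);
    my ($uid, $seen) = $dbh->selectrow_array(
        'SELECT user_id, last_seen FROM sessions WHERE token_hash = ?', undef, $h);
    return unless defined $uid;
    if (time - $seen > $IDLE_LIMIT) {
        $dbh->do('DELETE FROM sessions WHERE token_hash = ?', undef, $h);
        return;
    }
    $dbh->do('UPDATE sessions SET last_seen = ? WHERE token_hash = ?', undef, time, $h);
    return $uid;
}
my ($sid) = create_session(42) =~ /^sid=([0-9a-f]+)/;
print "user: ", user_for_cookie("sid=$sid; other=1") // 'none', "\n";
```

In a real CGI the cookie string comes from `$ENV{HTTP_COOKIE}` and the Set-Cookie value goes out as a response header; the table lookup is what lets each separate script answer "who is talking to it" without re-authenticating.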