[Catalyst] Session ID Strategies

[Dan Boger]

On Thu, Oct 13, 2005 at 02:42:31PM -0700, Bill Moseley wrote:
> I do have a question about the module, though.  I'm using it with
> Catalyst::Plugin::Authentication::CDBI. An "expire" is set time on the
> cookie (and on the FastMmap cache).  I'm wondering if the cookie
> should not have an expire so it will go away when the client exits.
> Some people expect a logout if they close their browser.
> 
> Then use a separate cookie to store userid to remember the user (but
> require a re-login if needed).

Why use two cookies?  Use one cookie (set not to expire), keeping track
of the sessionid.  Then, on the server, have that session associated
with a username, login time, last visit time, and last authenticated
time.

When you want to do something that you need to make sure the user is
actually there, check how long it's been since the last authentication
time.  If it's been too long, display the password prompt.

I think this is similar to how amazon.com works - you stay logged in,
but when you actually try to order (or access your account), they
re-authenticate you.

Or am I missing something?

Dan

--