[Catalyst] Session ID Strategies

Bill Moseley moseley at hank.org
Fri Oct 14 04:06:02 CEST 2005


On Thu, Oct 13, 2005 at 07:09:20PM -0400, Dan Boger wrote:
> On Thu, Oct 13, 2005 at 02:42:31PM -0700, Bill Moseley wrote:
> > I do have a question about the module, though.  I'm using it with
> > Catalyst::Plugin::Authentication::CDBI. An "expire" time is set on the
> > cookie (and on the FastMmap cache).  I'm wondering if the cookie
> > should not have an expire so it will go away when the client exits.
> > Some people expect a logout if they close their browser.
> > 
> > Then use a separate cookie to store userid to remember the user (but
> > require a re-login if needed).
> 
> Why use two cookies?  Use one cookie (set not to expire), keeping track
> of the sessionid.  Then, on the server, have that session associated
> with a username, login time, last visit time, and last authenticated
> time.

A separate session cookie is useful in situations where more than one
person might share the computer and you want it to "log off" when they
shut down the browser.  The session cookie should vanish when the
browser is shut down, killing the session.

Then a persistent cookie can be used to remember the user.  The
user can decide if they want to be remembered between visits.  Look at
the login for Slashdot -- and there's a check mark for "public
terminal" -- which I assume controls the sending of the persistent
cookie.


> When you want to do something that you need to make sure the user is
> actually there, check how long it's been since the last authentication
> time.  If it's been too long, display the password prompt.

Yes, I do that, too.

-- 
Bill Moseley
moseley at hank.org
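The two designs discussed above (a browser-lifetime session cookie plus an optional persistent "remember me" cookie, and a server-side record of the last authentication time that gates sensitive actions) as one worked example. This is added illustration code, not from the thread or from Catalyst; it is framework-neutral Python with in-memory dicts standing in for the session store, and the timeouts are assumed values. One choice worth noting: the persistent cookie carries a random token whose hash is stored server-side, rather than the user id itself, so the cookie value alone does not name or impersonate an account.

```python
import hashlib, secrets
from http.cookies import SimpleCookie

REAUTH_MAX_AGE = 15 * 60        # seconds since the last password check (assumed value)
REMEMBER_MAX_AGE = 30 * 86400   # lifetime of the "remember me" cookie (assumed value)

sessions = {}         # session id -> user, login_time, last_visit, last_auth_time
remember_tokens = {}  # sha256(token) -> user; only the hash is stored server-side

def _cookie(jar, name, value, max_age=None):
    """Add a cookie to the jar; without max_age the browser drops it on exit."""
    jar[name] = value
    jar[name]["path"] = "/"
    jar[name]["httponly"] = True
    jar[name]["secure"] = True
    if max_age is not None:
        jar[name]["max-age"] = max_age

def _new_session(user, now, authenticated):
    sid = secrets.token_urlsafe(32)
    sessions[sid] = {"user": user, "login_time": now, "last_visit": now,
                     "last_auth_time": now if authenticated else None}
    return sid

def login(user, now, remember):
    """Password login: returns (session id, Set-Cookie jar)."""
    sid = _new_session(user, now, authenticated=True)
    jar = SimpleCookie()
    _cookie(jar, "session", sid)              # no Max-Age: gone when the browser closes
    if remember:                              # skipped for a "public terminal" login
        token = secrets.token_urlsafe(32)     # random token, never the bare user id
        remember_tokens[hashlib.sha256(token.encode()).hexdigest()] = user
        _cookie(jar, "remember", token, REMEMBER_MAX_AGE)
    return sid, jar

def resume(token, now):
    """Fresh browser with only the persistent cookie: remember who, but no password yet."""
    user = remember_tokens.get(hashlib.sha256(token.encode()).hexdigest())
    return None if user is None else _new_session(user, now, authenticated=False)

def needs_reauth(sid, now):
    """Sensitive action: prompt for the password unless it was checked recently."""
    s = sessions.get(sid)
    if s is None or s["last_auth_time"] is None:
        return True
    return now - s["last_auth_time"] > REAUTH_MAX_AGE

def password_checked(sid, now):
    """Record a successful password prompt so needs_reauth() stays quiet for a while."""
    sessions[sid]["last_auth_time"] = now
```

A session created by resume() never has a last authentication time, so the password prompt fires on the first sensitive action even though the user is already recognised.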