Changing from expiring cookies to session cookies.

Posted on 2004-10-14
Medium Priority
Last Modified: 2010-03-05
Here is my question. I have a website that has approximately 400 current users. Currently we use a cookie to store username and encrypted password information in the cookies that are stored on the users' computers. Right now the cookies are set to expire in a year. Here is the code that sets the cookie when the user logs on to the website. The name is not specified, so the cookie name that is created is our web address.

unless($deposit ne "" && $cgi->param('go')) {
      if(!$formlogin) {
            print $cgi->header;
      } else {
            print "Content-type: text/html\n";
            # third argument was an unquoted bareword in the post; quoted so it survives 'use strict'
            $password2 = &Encrypt($password, $encryptkey, 'asdfhzxcvnmpoiyk');
            # 'username' and 'bsignedup' carry a one-year expiry; 'password' has none,
            # so that one already behaves as a browser-session cookie
            print "Set-Cookie: username=$username; path=/; expires=$cookie_expire_date\n";
            print "Set-Cookie: password=$password2; path=/;\n";
            print "Set-Cookie: bsignedup=$username; path=/; expires=$cookie_expire_date\n\n";
            # ... remainder of the logon branch not shown in the post
      }
}

Here is the code that checks to see if a user cookie exists. This is used on different parts of the website for users to access it without having to logon all the time:

sub get_cookies {
    @nvpairs = split(/; /, $ENV{'HTTP_COOKIE'});
    foreach $pair (@nvpairs) {
        # limit to two fields so a value containing '=' is not truncated
        ($name, $value) = split(/=/, $pair, 2);
        $cookie{$name} = $value;
    }
}

The problem that we are running into is when we delete an account of a user that we no longer want on our website, they can access certain information that we don't want them to see because their cookie doesn't expire for the next year. What I want to do is to create a session cookie when they log on to the site that is active during their browser session and then expires when the session is closed. I know that I can create a session cookie with the above logon code by deleting the expire date. What I want to do is still use the subroutine get_cookies to check and see if the user is logged on or not. Is there a way to name the session cookie in the logon code and then check for the name in the get_cookies subroutine to see if the user is logged on or not? I have tried numerous times to name the cookie with no luck. This would be the quickest way to fix this problem for our website because the get_cookies subroutine is already in use on most of our website. The less that I have to change, the faster I can get this up and running. Time is of the essence and I am willing to award max points for a quick resolution to this issue. Thanks in advance to anyone who helps me with this issue.

T. Bryan
Question by:jahmekyat

Accepted Solution

Tintin earned 672 total points
ID: 12312410
Why not just change the get_cookies (BTW, you are using the CGI module, so why hand code your own cookie routines?) to check if the user's account exists and if it doesn't, simply delete the cookie and deny the user access.

Author Comment

ID: 12313904
Hi Tintin,
Could you elaborate a little further on how I would do this with my existing code? I inherited this website that is entirely written in CGI and I am an ASP and JSP programmer. I have been making changes on it for about the past 4 months or so since I started working for my friend's company. We really want to use session cookies instead of ones that are set on the user's computer and expire at a later date. I don't really want to tear apart the website and change a bunch of stuff. I know that my set cookie method works when I remove the expire date from the method as a session cookie. Can I actually name a session cookie when it is set? If so, I am not familiar with the syntax of doing that. Is it done in the CGI header? That way, I would just have to use the get_cookies subroutine to check and see if the session cookie with the name that I have specified in the set cookie routine is active in the user's browser session. This would create the fastest way for us to lock down our site, which is what we are trying to do. We have so many users that we don't want on our site that can access information because of the old cookies that we just want to do this totally differently. So I guess what I would like to do is use the existing set cookie routine and name the cookie without an expiration date to make it die when the browser session is terminated, and then use the existing get_cookies subroutine to make sure that they have an active session cookie in their browser session. My biggest problem is not knowing how to set the name of the cookie and then using the get_cookies subroutine to check for the named session cookie. Any shot at this would be greatly appreciated.
Thanks again for all your help.

Assisted Solution

jimr100 earned 664 total points
ID: 12315907
Tintin's suggestion is a good one. For one thing, if you go to solely session variables, you can't have a "Remember me" function. Also, his suggested solution does not require large code changes. What he is saying is that you should not simply accept the existence of a cookie as evidence that a logon is permitted. Your logic should be "if a cookie exists, I will take the username from that cookie, and look it up in the database. If the username has a valid account associated with it, I will permit them access. If the username does not have a valid account associated with it, I will deny them access, and I will wipe the cookie just so I don't even need to check next time this person shows up (though the cookie wiping isn't really needed strictly speaking)."

But, assuming that you do not want to do that, to more directly answer your question: Why not just add another name/value pair to the current code. So, in addition to setting username, password, and bsignedup, set 'new_logged_in' or whatever you want to call it, and then have sub get_cookies (or actually whatever comes subsequent to it) base its logic on the new variable instead of the old one. I note that sub get_cookies isn't really what is doing the validation -- it is just getting the cookie and splitting into name/value pairs. If you want more input I think we need to see what is then done with those name/value pairs.

Hope this helps.
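A worked version of what Tintin and jimr100 describe, added here as an example rather than code from the thread: the login cookies are issued through CGI.pm's cookie() with explicit names and no -expires (so the browser discards them when it closes), jimr100's 'new_logged_in' marker is checked instead of the bare presence of a cookie, and every request re-checks the username against the account store so a deleted account is refused even if its old one-year cookie is still presented. The account_exists() helper is hypothetical and stands in for the site's own user database lookup; the in-memory account list is constructed so the script runs stand-alone.

```perl
#!/usr/bin/perl
# Added example (not the poster's or the thread's code): validate the username
# cookie against the account store on every request and mark a login with a
# named browser-session cookie. account_exists() is a hypothetical stand-in for
# the site's real user lookup.
use strict;
use warnings;
use CGI;

my $cgi = CGI->new;

# Constructed in-memory account list so the example runs offline; the real
# site would query its user database here.
my %ACTIVE_ACCOUNTS = map { $_ => 1 } qw(alice bob);
sub account_exists {
    my ($username) = @_;
    return defined $username && exists $ACTIVE_ACCOUNTS{$username};
}

# Cookies sent at login. Omitting -expires makes each one a browser-session
# cookie, which is what the question asks for. -httponly keeps the cookie out
# of reach of page scripts (supported by CGI.pm 3.43 and later).
sub login_cookies {
    my ($username) = @_;
    return (
        $cgi->cookie(-name => 'username',      -value => $username, -path => '/', -httponly => 1),
        $cgi->cookie(-name => 'new_logged_in', -value => 1,         -path => '/', -httponly => 1),
    );
}

# Cookies that clear the old one-year 'username'/'bsignedup' cookies and the
# login marker: same names and path, empty value, expiry in the past.
sub logout_cookies {
    return map {
        $cgi->cookie(-name => $_, -value => '', -path => '/', -expires => '-1d')
    } qw(username password bsignedup new_logged_in);
}

# Replacement for the hand-rolled get_cookies: CGI->cookie parses HTTP_COOKIE,
# so values containing '=' or ';' are handled for us. Returns the username of
# a logged-in user with a live account, otherwise undef.
sub current_user {
    my $marker   = $cgi->cookie('new_logged_in');
    my $username = $cgi->cookie('username');
    return unless $marker && defined $username;   # no login marker: not logged in
    return unless account_exists($username);      # deleted account: deny despite the cookie
    return $username;
}

# A form login ('go' parameter) issues the cookies; any other request is
# checked against the account store before protected content is shown. The
# password comparison itself is the site's existing code and is stood in for
# here by account_exists(); keep the real check in place.
if ($cgi->param('go')) {
    my $username = $cgi->param('username');
    if (account_exists($username)) {
        print $cgi->header(-cookie => [login_cookies($username)]);
        print "Logged in as $username\n";
        exit;
    }
}

my $user = current_user();
if (defined $user) {
    print $cgi->header;
    print "Welcome back, $user\n";
} else {
    # Wipe stale cookies so a removed account stops presenting them.
    print $cgi->header(-cookie => [logout_cookies()], -status => '403 Forbidden');
    print "Access denied: please log in.\n";
}
```

Because current_user() looks the name up on every request, deleting an account takes effect on that user's next page load without touching the cookies at all; the logout_cookies() step is the optional clean-up jimr100 mentions. Pages that currently call get_cookies can switch to current_user() one at a time, since the cookie names stay the same.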

Assisted Solution

kandura earned 664 total points
ID: 12342961
I'd suggest using CGI::Session. It has methods to get and set cookies, and methods for dealing with expiration not only of the cookie, but of the session as a whole, and of individual session values as well. CGI::Session data is usually kept in temp files, but it can store it in a number of different backends (I personally prefer to use files, since cleaning stale sessions is easiest).

Let us know if you need more help with it.
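The CGI::Session flow kandura points to, written out as an added example (not code from the thread): the browser only receives the session id in a cookie, while the username and login time are kept server-side in a file, so deleting the session file or the account ends access immediately. It assumes a session directory writable by the web server and a hypothetical check_credentials() in place of the site's Encrypt()-based comparison; the account list is constructed so the script runs on its own.

```perl
#!/usr/bin/perl
# Added example (not from the thread): server-side sessions with CGI::Session.
# Assumptions: the File driver with a writable directory, and a hypothetical
# check_credentials() standing in for the site's password check.
use strict;
use warnings;
use CGI;
use CGI::Session;

my $SESSION_DIR = '/tmp/cgisess';   # assumed location; must be writable by the web server
my $cgi = CGI->new;

# Constructed account list for the stand-alone example.
my %ACCOUNTS = (alice => 'secret1', bob => 'secret2');
sub check_credentials {
    my ($user, $pass) = @_;
    return defined $user && defined $pass
        && exists $ACCOUNTS{$user} && $ACCOUNTS{$user} eq $pass;
}

# Load the session named by the CGISESSID cookie; if there is none, or the
# stored one has expired, new() hands back a fresh, empty session instead.
my $session = CGI::Session->new('driver:File', $cgi, { Directory => $SESSION_DIR })
    or die CGI::Session->errstr;

if ($cgi->param('go')) {
    my ($user, $pass) = ($cgi->param('username'), $cgi->param('password'));
    if (check_credentials($user, $pass)) {
        $session->param('username',   $user);
        $session->param('login_time', time);
        $session->expire('+2h');                 # idle timeout for the whole session
        $session->expire('login_time', '+10m');  # a single value can expire sooner
        $session->flush;                         # write the record to disk now
        # header() emits the session id as a cookie with no expiry, i.e. a
        # browser-session cookie; the two-hour limit is enforced server-side.
        print $session->header(-type => 'text/html');
        print "Logged in as $user\n";
        exit;
    }
}

if ($cgi->param('logout')) {
    $session->delete;    # remove the server-side record
    $session->flush;
    print $cgi->header;
    print "Logged out\n";
    exit;
}

# Every protected page: the session must name a user who still has an account.
# A missing or expired session yields no username, so the check fails closed.
my $user = $session->param('username');
if (defined $user && exists $ACCOUNTS{$user}) {
    print $session->header;
    print "Hello $user\n";
} else {
    $session->delete;    # deleted account or stale session: drop the record
    $session->flush;
    print $cgi->header(-status => '403 Forbidden');
    print "Please log in\n";
}
```

Expired sessions are not accepted, but their files stay on disk until something removes them; with the File driver that clean-up is a matter of iterating the directory (CGI::Session->find exists for that), which is the ease of housekeeping kandura refers to.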
