Solved

Changing from expiring cookies to session cookies.

Posted on 2004-10-14
272 Views
Last Modified: 2010-03-05
Hi,
Here is my question. I have a website that has approximately 400 current users. Currently we use a cookie to store the username and encrypted password information in cookies that are stored on the users' computers. Right now the cookies are set to expire in a year. Here is the code that sets the cookie when the user logs on to the website. The name is not specified, so the cookie name that is created is our web address.

# Runs when no deposit form was submitted
unless ($deposit ne "" && $cgi->param('go')) {
    if (!$formlogin) {
        print $cgi->header;
    } else {
        print "Content-type: text/html\n";
        # Encrypt the password with the site's own Encrypt routine; the third
        # argument is quoted (as a bareword it only works without 'use strict')
        $password2 = &Encrypt($password, $encryptkey, 'asdfhzxcvnmpoiyk');
        # An explicit expires date makes a persistent cookie; the password
        # cookie has no expires, so the browser already treats it as a session cookie
        print "Set-Cookie: username=$username; path=/; expires=$cookie_expire_date\n";
        print "Set-Cookie: password=$password2; path=/;\n";
        # The extra "\n" ends the HTTP header block
        print "Set-Cookie: bsignedup=$username; path=/; expires=$cookie_expire_date\n\n";
    }
}

Here is the code that checks to see if a user cookie exists. This is used on different parts of the website for users to access it without having to logon all the time:

# Split HTTP_COOKIE ("name=value; name=value; ...") into the global %cookie hash
sub get_cookies {
    my @nvpairs = split(/; /, $ENV{'HTTP_COOKIE'} || '');
    foreach my $pair (@nvpairs) {
        # Limit to two fields so a value that itself contains '=' stays intact
        my ($name, $value) = split(/=/, $pair, 2);
        $cookie{$name} = $value;
    }
}

The problem that we are running into is when we delete an account of a user that we no longer want on our website, they can access certain information that we don't want them to see because their cookie doesn't expire for the next year. What I want to do is to create a session cookie when they logon to the site that is active during their browser session and then expires when the session is closed. I know that I can create a session cookie with the above logon code by deleting the expire date. What I want to do is still use the subroutine get_cookies to check and see if the user is logged on or not. Is there a way to name the session cookie in the logon code and then check for the name in the get_cookies subroutine to see if the user is logged on or not? I have tried numerous times to name the cookie with no luck. This would be the quickest way to fix this problem for our website because the get_cookies subroutine is already in use on most of our website. The less that I have to change, the faster I can get this up and running. Time is of the essence and I am willing to award max points for a quick resolution to this issue. Thanks in advance to anyone who helps me with this issue.


T. Bryan
Question by:jahmekyat
6 Comments
Accepted Solution by: Tintin (LVL 48), earned 168 total points
Why not just change the get_cookies (BTW, you are using the CGI module, so why hand code your own cookie routines?) to check if the user's account exists and if it doesn't, simply delete the cookie and deny the user access.

Author Comment by: jahmekyat
Hi Tintin,
Could you elaborate a little further on how I would do this with my existing code? I inherited this website, which is entirely written in CGI, and I am an ASP and JSP programmer. I have been making changes on it for about the past 4 months or so, since I started working for my friend's company. We really want to use session cookies instead of ones that are set on the users' computers and expire at a later date. I don't really want to tear apart the website and change a bunch of stuff. I know that my set cookie method works as a session cookie when I remove the expire date from the method. Can I actually name a session cookie when it is set? If so, I am not familiar with the syntax of doing that. Is it done in the CGI header? That way, I would just have to use the get_cookies subroutine to check and see if the session cookie with the name that I have specified in the set cookie routine is active in the user's browser session. This would create the fastest way for us to lock down our site, which is what we are trying to do. We have so many users that we don't want on our site that can access information because of the old cookies that we just want to do this totally differently. So I guess what I would like to do is use the existing set cookie routine and name the cookie without an expiration date to make it die when the browser session is terminated, and then use the existing get_cookies subroutine to make sure that they have an active session cookie in their browser session. My biggest problem is not knowing how to set the name of the cookie and then using the get_cookies subroutine to check for the named session cookie. Any shot at this would be greatly appreciated.
Thanks again for all your help.

Assisted Solution by: jimr100, earned 166 total points
Tintin's suggestion is a good one. For one thing, if you go to solely session variables, you can't have a "Remember me" function. Also, his suggested solution does not require large code changes. What he is saying is that you should not simply accept the existence of a cookie as evidence that a logon is permitted. Your logic should be "if a cookie exists, I will take the username from that cookie, and look it up in the database. If the username has a valid account associated with it, I will permit them access. If the username does not have a valid account associated with it, I will deny them access, and I will wipe the cookie just so I don't even need to check next time this person shows up (though the cookie wiping isn't really needed strictly speaking)."

But, assuming that you do not want to do that, to more directly answer your question: why not just add another name/value pair to the current code. So, in addition to setting username, password, and bsignedup, set 'new_logged_in' or whatever you want to call it, and then have sub get_cookies (or actually whatever comes subsequent to it) base its logic on the new variable instead of the old one. I note that sub get_cookies isn't really what is doing the validation -- it is just getting the cookie and splitting it into name/value pairs. If you want more input I think we need to see what is then done with those name/value pairs.

Hope this helps.
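The two suggestions above (Tintin's account lookup with cookie wipe, and jimr100's extra named cookie set without an expiry date) combined into one script. This is an added example, not code from the asker's site or from either answer; the cookie name new_logged_in, the account_exists sub and the %accounts table are assumptions, and it uses the CGI module's own cookie helpers instead of hand-printed Set-Cookie lines.

```perl
# Added example, not the asker's site code: a named session cookie plus an
# account lookup, using the CGI module's cookie helpers. The cookie name
# new_logged_in, account_exists and the %accounts table are assumptions.
use strict;
use warnings;
use CGI;

my $cgi = CGI->new;

# Constructed stand-in for the site's account store; the real check would
# query the user database the site already has.
my %accounts = map { $_ => 1 } qw(alice bob);
sub account_exists { my ($user) = @_; return exists $accounts{$user}; }

# Login header, to be printed after the site's existing password check has
# passed. No -expires, so the browser discards the cookie when it closes.
sub login_header {
    my ($username) = @_;
    my $marker = $cgi->cookie(
        -name  => 'new_logged_in',
        -value => $username,
        -path  => '/',
    );
    return $cgi->header(-type => 'text/html', -cookie => $marker);
}

# Replacement for get_cookies: CGI parses HTTP_COOKIE itself. Returns the
# username only if the marker is present AND the account still exists;
# otherwise prints a header that wipes the stale marker and returns nothing.
sub current_user {
    my $username = $cgi->cookie('new_logged_in');
    return $username if defined $username && account_exists($username);
    my $wipe = $cgi->cookie(
        -name    => 'new_logged_in',
        -value   => '',
        -path    => '/',
        -expires => '-1d',    # a date in the past makes the browser delete it
    );
    print $cgi->header(-type => 'text/html', -cookie => $wipe);
    return;
}

# Request flow: a fresh login, or a later page hit that relies on the cookie.
if ($cgi->param('go') && account_exists($cgi->param('username') || '')) {
    print login_header(scalar $cgi->param('username')), "Logged in\n";
} elsif (my $user = current_user()) {
    print $cgi->header, "Welcome back, $user\n";
} else {
    print "Access denied\n";    # current_user() already sent the headers
}
```

The marker cookie carries the username in clear, so the per-request account lookup is what actually enforces the deletion; a random server-side session id, as in kandura's answer, is the stronger choice.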
 
Assisted Solution by: kandura (LVL 18), earned 166 total points
I'd suggest using CGI::Session. It has methods to get and set cookies, and methods for dealing with expiration not only of the cookie, but of the session as a whole, and of individual session values as well. CGI::Session data is usually kept in temp files, but it can store it in a number of different backends (I personally prefer to use files, since cleaning stale sessions is easiest).

Let us know if you need more help with it.
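The CGI::Session approach from this answer, written out as an added example (not code from the answer or the asker's site). It assumes the File driver with a session directory of /tmp/site_sessions and an account_exists lookup; the browser cookie is built explicitly without an expiry date so it behaves as a session cookie, while the server-side session times out on its own.

```perl
# Added example, not from the asker's site: kandura's CGI::Session approach.
# The session directory, the cookie handling and account_exists are assumptions.
use strict;
use warnings;
use CGI;
use CGI::Session;

my $cgi     = CGI->new;
my $dsn     = 'driver:File';              # one file per session on disk
my $sessdir = '/tmp/site_sessions';       # assumed path, must be writable

# Constructed stand-in for the real account lookup.
my %accounts = map { $_ => 1 } qw(alice bob);
sub account_exists { my ($user) = @_; return exists $accounts{$user}; }

# Login: keep the username server-side and give the browser only a random
# session id. The cookie has no expiry, so it dies with the browser session;
# the server-side copy also times out on its own.
sub start_session {
    my ($username) = @_;
    my $session = CGI::Session->new($dsn, undef, { Directory => $sessdir })
        or die CGI::Session->errstr;
    $session->param('username', $username);
    $session->expire('+2h');              # server-side limit
    $session->flush;
    my $cookie = $cgi->cookie(
        -name  => CGI::Session->name,     # default cookie name, CGISESSID
        -value => $session->id,
        -path  => '/',
    );
    return $cgi->header(-cookie => $cookie);
}

# Later requests: load the session named by the cookie. Unknown or expired
# ids give an empty session; a deleted account gets its session removed, so
# an old cookie cannot reopen it even before it would have expired.
sub session_user {
    my $session = CGI::Session->load($dsn, $cgi, { Directory => $sessdir })
        or die CGI::Session->errstr;
    return if $session->is_expired || $session->is_empty;
    my $username = $session->param('username');
    return $username if defined $username && account_exists($username);
    $session->delete;                     # account gone: drop the session
    $session->flush;
    return;
}
```

Deleting a user's account can also remove their session file directly, which cuts off a still-open browser session without waiting for the 2h limit.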