
session and cookies


ibjdt

Programmer
Nov 25, 2002
I am working on a login system with session ID and cookies, but I have hit a snag - I think with the logout code (below).

The login form accesses the script that shows a success page with 2 links - logout and test.

The logout is supposed to clear and delete the session, expire the cookie and redirect to the login form - I'm not sure the cookie part is correct.

Here's the snag -
if I logout, the session file is deleted and I am redirected to the login form, but if I use the browser back button and click the test link it still uses the previous session ID. I want it to give an 'expired' message and link to the login form.

thanks for the help.

Code:
#!/usr/bin/perl
use strict;
use warnings;
use CGI;
use CGI::Session;

my $cgi    = CGI->new;
my $action = $cgi->param('action') || '';
my $sid    = $cgi->cookie('CGISESSID') || $cgi->param('CGISESSID') || undef;

# LOGOUT
if ($action eq 'logout')
{
	# cookie(-name => ...) with no value returns the cookie's value, i.e. the session ID
	my $cookie = $cgi->cookie(-name => "CGISESSID");
	# an unknown or missing ID makes CGI::Session create a fresh session; delete() still works on it
	my $session = CGI::Session->new(undef, $cookie, {'Directory' => 'tmp/sessions'}) or die "$!";
	$session->clear();
	$session->delete();
	# Remove the session cookie: same name (CGISESSID) and path as the cookie the browser holds,
	# with an expiry in the past, sent as part of the redirect header instead of a hand-written
	# Set-Cookie line (the original printed undefined $id/$host under the wrong cookie name)
	my $expired = $cgi->cookie(-name => 'CGISESSID', -value => '', -path => '/', -expires => '-1d');
	print $cgi->redirect(-uri => "http://www.domain.com/form.html", -cookie => $expired);
}

# TEST PAGE
elsif ($action eq 'test')
{
	print $cgi->header();
	my $cookie = $cgi->cookie(-name => "CGISESSID");
	# note: this only checks that the browser sent a cookie, not that the session file still exists
	if ( !$cookie ) {
		print "Your session expired. Please refresh your browser to re-start your session";
	}
	else { print "hello s - $sid"; }
}

.....
 
The usernames and passwords are stored along with a crypted version of the password in a DB.

Code:
user::pass::crypted_pass

By 'multiple, identical data' are you referring to the login username and password?
I hadn't thought about it, but it really doesn't matter - 2 logins could occur at the same time for the same account.

Here's some background
========================
The program is for a shopping cart situation where product and price listings change depending on the customer.

Code:
customer1
product x
price 10 each

customer 2
product x
price 10 each for 10 or more - 20 each for 0-10

customer 3
-doesn't get to see product x-

I haven't found any canned cart scripts that meet my needs so I am trying it myself.

My plan was to create a session cookie and file.
In the cookie I only store the session ID.
In the session file I store the crypted password that will tell me throughout the site which info to display.

When users select items for the cart another file is created to hold prod_id/quantity/price.

I am new to sessions and cookies and have frankly been struggling with the concept and application of them.
I have checked out the CPAN tutorial and it helped some, but a lot of the info there doesn't work by just cutting and pasting.

Thanks again.

 
I know there probably is something you can do if someone hits the back button, but will it really affect anything? If you are constantly checking for the session on each page load, then if they try to do anything the next time they click on a submit button (or whatever) and your script checks for it, it will bounce them to a login/pass page (assuming that's what you do if no session ID or an invalid/expired session ID is passed). The back button is basically using a cached copy, not reloading your script. You can put some no-cache meta tags in to help out also, but I never rely on browsers 100% :)
 
I had an app a while back where certain people in a logged-in environment would submit the same new file multiple times by hitting 'BACK' and resending the form. They were not being malicious; they looked on it as a quick way to correct typos. I added a time var into the URL and put that var into a field on the user's account record each time they submitted a form. When a form is submitted, check the var in the DB against the var in the URL.
This var can also be used to tell when they last logged in, but that is just statistical geekyness.

Keith
 
Thanks for the help.

travs69
The back button does use a cached version of that page, but the problem is:

As a test I login
*session file is created and a cookie
*I click logout and the session file is deleted - I can confirm that - and I am bounced to the login form
*I click back to the login success page and click the test link
*it's supposed to not find the cookie and bounce to the login form
*but it somehow finds the cookie of the previous session and shows me the success text.

I'm guessing the cookie clear portion of the logout part of my script isn't right.

An example is Tek-Tips. If you login and browse through some forums then logout, you can go back and still click through forum entries, but if you try to submit a new thread you are bounced.


audiopro
I may have to do it your way, but we shouldn't have to. There has to be a way to delete the cookie and check for that.

Thanks.
 
Are you only checking if the cookie exists, or are you also checking if the session is still valid?
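One way to do what the last reply suggests, as an added example that is not code from the thread: look the session up on the server by the cookie's ID and treat a session that CGI::Session had to create fresh (is_new) or that carries no logged_in flag as invalid, and on logout delete the server-side record and send an expired CGISESSID cookie with the redirect. The logged_in session parameter (assumed to be set by the login step, which is not shown), the session directory and the login form URL are assumptions.

```perl
#!/usr/bin/perl
# Added example (not from the thread): validate the session server-side on
# every request instead of trusting that a CGISESSID cookie is present.
use strict;
use warnings;
use CGI;
use CGI::Session;

my $SESSION_DIR = 'tmp/sessions';                     # assumed, as in the thread
my $LOGIN_FORM  = 'http://www.domain.com/form.html';  # assumed, as in the thread

# Returns the session only if a record for the cookie's ID still exists on the
# server and it was marked logged_in (assumed to be set at login). An unknown or
# deleted ID makes CGI::Session create a fresh empty session, which is_new()
# reports; that is exactly the "back button after logout" case.
sub valid_session {
    my ($cgi) = @_;
    my $sid = $cgi->cookie('CGISESSID') or return;
    my $session = CGI::Session->new(undef, $sid, { Directory => $SESSION_DIR })
        or return;
    if ($session->is_new || !$session->param('logged_in')) {
        $session->delete;   # don't leave the empty placeholder record on disk
        $session->flush;
        return;
    }
    return $session;
}

# Cookie with the same name and path the browser holds, dated in the past, so
# the browser drops its copy; it is sent inside the redirect header.
sub expired_cookie {
    my ($cgi) = @_;
    return $cgi->cookie(-name => 'CGISESSID', -value => '',
                        -path => '/', -expires => '-1d');
}

my $cgi    = CGI->new;
my $action = $cgi->param('action') || '';

if ($action eq 'logout') {
    if (my $session = valid_session($cgi)) {
        $session->delete;   # server-side record gone: the old ID is now worthless
        $session->flush;
    }
    print $cgi->redirect(-uri => $LOGIN_FORM, -cookie => expired_cookie($cgi));
}
elsif ($action eq 'test') {
    my $session = valid_session($cgi);
    print $cgi->header(-type => 'text/html');
    print $session ? "hello s - " . $session->id
                   : qq{Your session expired. <a href="$LOGIN_FORM">Log in again</a>};
}
```

If the original cookie was set with a domain or a different path, the expiring cookie must carry the same values or the browser keeps the old one; even then, a stale ID does no harm because the server no longer has a record for it.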
 