[Catalyst] Announcement - New session plugins
Perrin Harkins
perrin at elem.com
Tue Nov 8 15:32:24 CET 2005
Bill Moseley wrote:

> Right. And it varies by application when you need to know. Some
> applications need a session for every request, so the first request
> without a valid session from the client would need to set the cookie,
> redirect to a special cookie-checking URL which would either report
> cookies are required if not found, or do a second redirect back to the
> original request if the cookie is found. I don't really see a way
> around the double redirect.

The way I've seen it done is to use both cookies and URL rewriting on
the first request, and then just turn off URL rewriting on the second
request if a cookie is found.

Agreed about cookie expiration: you have to write your code with the
assumption that no one will ever delete cookies, even if you tell them
to. Don't trust the client.

> - I may expire sessions in two hours, but if there's 5 or 10 minutes
> of inactivity then I require a re-login to access more secure parts
> of the site (like an admin area). So the session needs to track the
> time between requests and set a flag when it exceeds a setting.

That one is a little painful, since it means updating the session on
every request, rather than being able to lazy-load it and only save when
changing something. Applications that don't require that level of
security would probably rather not take the hit.

- Perrin
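
The idle-timeout scheme discussed in this message, sketched in plain Perl as an added example (not code from the thread, from Catalyst, or from its session plugins). The in-memory `%store`, the function names and the ten-minute idle limit are assumptions chosen for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

my $SESSION_TTL = 2 * 60 * 60;   # absolute lifetime: the "two hours" in the thread
my $IDLE_LIMIT  = 10 * 60;       # assumed idle window ("5 or 10 minutes")

my %store;        # hypothetical server-side store: session id => hashref
my $writes = 0;   # counts store writes to show the per-request cost

sub save_session {
    my ($sid, $s) = @_;
    $store{$sid} = {%$s};
    $writes++;
}

# Called on every request. Returns 'no_session', 'relogin' or 'ok'.
sub check_request {
    my ($sid, $now, $sensitive) = @_;
    my $s = $store{$sid} or return 'no_session';
    # Expiry is enforced server-side; the cookie's own expiry is not trusted.
    if ($now - $s->{created} > $SESSION_TTL) {
        delete $store{$sid};
        return 'no_session';
    }
    # Set the flag once the gap between requests exceeds the idle limit.
    $s->{needs_relogin} = 1 if $now - $s->{last_seen} > $IDLE_LIMIT;
    # last_seen changes on every request, so the session is written every time.
    $s->{last_seen} = $now;
    save_session($sid, $s);
    return ($sensitive && $s->{needs_relogin}) ? 'relogin' : 'ok';
}

# Called after the user has re-entered credentials.
sub relogin {
    my ($sid, $now) = @_;
    my $s = $store{$sid} or return;
    @$s{qw(needs_relogin last_seen)} = (0, $now);
    save_session($sid, $s);
}

# Constructed timeline: [seconds since login, request targets sensitive area].
my $sid = 'constructed-session-id';
$store{$sid} = { created => 0, last_seen => 0, needs_relogin => 0 };
for my $step ([60, 0], [120, 1], [1000, 0], [1010, 1], [7300, 0]) {
    my ($t, $sensitive) = @$step;
    my $result = check_request($sid, $t, $sensitive);
    printf "t=%5d sensitive=%d -> %s\n", $t, $sensitive, $result;
    relogin($sid, $t) if $result eq 'relogin';
}
print "store writes: $writes\n";
```

The flag persists across ordinary requests once set, so a quiet period followed by normal browsing still forces a re-login before the admin area, and every accepted request costs one store write.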