[Catalyst] Session ID Strategies

Dan Boger perl at peeron.com
Fri Oct 14 01:09:20 CEST 2005


On Thu, Oct 13, 2005 at 02:42:31PM -0700, Bill Moseley wrote:
> I do have a question about the module, though.  I'm using it with
> Catalyst::Plugin::Authentication::CDBI. An "expire" time is set on the
> cookie (and on the FastMmap cache).  I'm wondering if the cookie
> should not have an expire so it will go away when the client exits.
> Some people expect a logout if they close their browser.
> 
> Then use a separate cookie to store userid to remember the user (but
> require a re-login if needed).

Why use two cookies?  Use one cookie (set not to expire), keeping track
of the sessionid.  Then, on the server, have that session associated
with a username, login time, last visit time, and last authenticated
time.

When you want to do something that you need to make sure the user is
actually there, check how long it's been since the last authentication
time.  If it's been too long, display the password prompt.

I think this is similar to how amazon.com works - you stay logged in,
but when you actually try to order (or access your account), they
re-authenticate you.

Or am I missing something?

Dan

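The scheme Dan describes, worked through as an added example that is not part of the original post and is not Catalyst or Perl code: a generic Python session store in which the cookie carries only an opaque session id, the server-side record holds the username and the login, last-visit and last-authenticated times, and a sensitive action re-prompts for the password when the last authentication is older than a window. The 15-minute window, the one-year cookie lifetime, the in-memory store and the single user `alice` are assumptions made for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Example-only policy values (assumptions, not from the post).
REAUTH_MAX_AGE = 15 * 60          # seconds since the last password check before a sensitive action re-prompts
COOKIE_MAX_AGE = 365 * 24 * 3600  # "set not to expire": long-lived cookie; the server decides freshness


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; the salt is returned so it can be stored beside the digest."""
    salt = secrets.token_bytes(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def check_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Re-derive the hash and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(candidate, digest)


# Constructed user table for the example: one user with a known password.
USERS = {"alice": hash_password("correct horse battery staple")}


@dataclass
class Session:
    username: str
    login_time: float      # when the session was created
    last_visit: float      # refreshed on every request
    last_auth_time: float  # refreshed only when a password is actually verified


class SessionStore:
    """Server-side store keyed by the opaque id, which is the only thing the cookie carries."""

    def __init__(self) -> None:
        self._sessions: dict[str, Session] = {}

    def login(self, username: str, password: str, now: float | None = None) -> str | None:
        """Verify the password and mint a session; returns the session id, or None on failure."""
        now = time.time() if now is None else now
        rec = USERS.get(username)
        if rec is None or not check_password(password, *rec):
            return None
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, so the id is unguessable
        self._sessions[sid] = Session(username, now, now, now)
        return sid

    def touch(self, sid: str, now: float | None = None) -> Session | None:
        """Ordinary page view: update last_visit only; last_auth_time is deliberately untouched."""
        now = time.time() if now is None else now
        sess = self._sessions.get(sid)
        if sess is not None:
            sess.last_visit = now
        return sess

    def needs_reauth(self, sid: str, now: float | None = None, max_age: float = REAUTH_MAX_AGE) -> bool:
        """True if a sensitive action (ordering, account page) should show the password prompt first."""
        now = time.time() if now is None else now
        sess = self._sessions.get(sid)
        if sess is None:
            return True  # unknown or logged-out session: always re-prompt
        return now - sess.last_auth_time > max_age

    def reauthenticate(self, sid: str, password: str, now: float | None = None) -> bool:
        """Password re-check for the session's own user; on success the auth clock is reset."""
        now = time.time() if now is None else now
        sess = self._sessions.get(sid)
        if sess is None:
            return False
        salt, digest = USERS[sess.username]
        if not check_password(password, salt, digest):
            return False
        sess.last_auth_time = now
        return True

    def logout(self, sid: str) -> None:
        """Drop the server-side record; the stale cookie value then maps to nothing."""
        self._sessions.pop(sid, None)


def cookie_header(sid: str) -> str:
    """Set-Cookie value for the single persistent cookie (HttpOnly/Secure/SameSite added as hardening)."""
    return f"session={sid}; Max-Age={COOKIE_MAX_AGE}; Path=/; HttpOnly; Secure; SameSite=Lax"


if __name__ == "__main__":
    store = SessionStore()
    t0 = 1_000_000.0
    sid = store.login("alice", "correct horse battery staple", now=t0)
    store.touch(sid, now=t0 + 3600)                 # browsing an hour later keeps the session alive
    print(store.needs_reauth(sid, now=t0 + 3600))   # True: last password check was an hour ago
    print(store.reauthenticate(sid, "correct horse battery staple", now=t0 + 3600))
    print(store.needs_reauth(sid, now=t0 + 3600))   # False: freshly re-authenticated
```

The point to check in a real deployment is that nothing but `last_auth_time` gates the sensitive path: `touch` must never refresh it, and the identity must always come from the server-side record, never from a second cookie that the client could edit.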