Apache Session Management Within Dynamic Sites Page 3

By Martin Brown
Posted Mar 2, 2006


Creating a Unique ID

A critical step in making use of sessions is to create a session ID unique enough to singularly identify the session. There are many ways of doing this; the most obvious, in a dynamic environment, is to use the unique sequence ID generated by a database (which is particularly useful if you are storing the session in the database anyway). There are also solutions that are not very reliable:

  • Current Time — even if you use an accuracy level of seconds or hundredths of a second, it is still possible for two users to connect at the same time and create the same ID.
  • Host IP Address or Name — IP addresses and names are sometimes shared, especially if the user is connecting through an ISP or firewall.
  • Random Numbers — a single random number is not as random as you would expect. Just as tossing a coin three times will produce at least two results that are the same, even large random numbers can occur multiple times on a server, especially a busy one.

There are many solutions to these problems, and most of them rely on combining information from each of the sources above to produce a unique string. For example, the following code (in Perl):

my ($sec, $min, $hour, $mday, $month, $year) = localtime();   # date/time components
my $uniqueid = sprintf("%02d%04d%02d-%02d%02d%04d-%d%d%d",
                $sec,rand(9999),$hour,$month,$min,rand(9999),rand(9999),$mday,$year);

relies on a combination of three random numbers and date/time components. Thus, the chance of duplicating the string is significantly reduced, although it is still theoretically possible to generate the same ID based on this process.

For more extensive solutions, we can use generated hashes (based on the same principles, but using a wider range of source data) or even longer, hexadecimal, or alphabetical IDs.

Session Control Within Perl

With Perl, we have limitless choices about how to implement a session system, but there are some standard modules you can use that make the process significantly easier. The primary one is the CGI module, which provides a simple interface for reading and writing cookie data as part of the CGI processing. You may already be using CGI in your scripts, so adapting them to include cookies is quite easy.

For storing information that relates to a particular session ID, we can use the Apache::Session module, which interfaces to either a database or a file to read and store information against our session ID.

Using Cookies

Using cookies within Perl is simplified by using the CGI module because it provides a function to create a cookie and write the cookie data out as part of the HTTP header, something you would do with the CGI module anyway.

To create a cookie with the CGI module, use the cookie() function to create the cookie string. The format of the function is as follows:

 use CGI;
 my $query = CGI->new;    # CGI object used to build cookies and headers

 my $cookie = $query->cookie(-name=>'sessionID',
       -value=>'262177',
       -expires=>'+1h',
       -path=>'/cgi-bin/',
       -domain=>'.mcslp.com');

The parameters should be self-explanatory: they set the name of the cookie, its value, and the expiry, domain, and path information where the cookie will be valid. The resulting value is actually a string, and it must be supplied to the browser as part of the HTTP headers:

 print $query->header(-cookie=>$cookie);
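An added example, not code from the original article: a session ID that is only unique can still be guessed when it is built from rand() and clock values, so this version draws the ID from the operating system's random source and sets it with the cookie() call described above. The /dev/urandom path, the 16-byte length, and the helper names new_session_id and valid_session_id are assumptions of this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;

# Read $nbytes from the OS random source and hex-encode them.
# /dev/urandom is an assumption (Linux, BSD, macOS); rand() is not used.
sub new_session_id {
    my ($nbytes) = @_;
    $nbytes ||= 16;                        # 128 bits of randomness
    open(my $fh, '<:raw', '/dev/urandom')
        or die "Cannot open /dev/urandom: $!";
    my $got = read($fh, my $buf, $nbytes);
    close($fh);
    die "Short read from /dev/urandom\n"
        unless defined $got && $got == $nbytes;
    return unpack('H*', $buf);             # 32 lowercase hex characters
}

# Accept only IDs of the exact shape we issue, so a malformed cookie value
# never reaches a file name or database query.
sub valid_session_id {
    my ($id) = @_;
    return defined $id && $id =~ /\A[0-9a-f]{32}\z/ ? 1 : 0;
}

my $query = CGI->new;
my $sid   = $query->cookie('sessionID');   # value sent by the browser, if any

# Issue a fresh ID when the cookie is missing or malformed. A well-formed ID
# must still be found in the server-side session store; an unknown ID should
# be replaced with a fresh one rather than adopted.
$sid = new_session_id() unless valid_session_id($sid);

my $cookie = $query->cookie(
    -name     => 'sessionID',
    -value    => $sid,
    -expires  => '+1h',
    -path     => '/cgi-bin/',
    -secure   => 1,      # only sent over HTTPS
    -httponly => 1,      # not readable from page JavaScript
);

print $query->header(-cookie => $cookie);
print "Session established\n";
```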

Now we have the session ID. Next up, a way of associating data to the ID to support the dynamic elements of a Web site.

>> Combining Apache::Session and CGI

Page 3 of 4

