[cgiapp] Understanding sessions

Ron Savage ron at savage.net.au
Sun Feb 24 16:48:02 EST 2008


Hi Brad

A brief and hence partial reply.

> I'm still trying to understand queries, sessions and cookies.

No problem.

> First, I have read the CAP::Session docs several times and my
> understanding is: (and correct me here):
> 
> 1) C::A does not naturally create a session unless there is an
> explicit reference to 'session', e.g., $self->session->param('userid')

Better to think in terms of CGI::Session. That's one module that
handles sessions. Apache::Session is another.

/If/ your CGI::App uses CGI::Session (or whatever), then you get access
to session handling.

> 2) sessions need cookies or id (that would have to be stored in a
> hidden input field to maintain state)

I don't use cookies myself.

Better to think of the id as the key which enables the session manager
to identify a new session created in the session store (e.g. disk) by
the session manager, and used by the session manager to find a
pre-existing session. This automatically means you have to give the key
to the session manager when you wish to retrieve a session's data.

> 3) unless explicitly set to false, a cookie is automatically created
> when a session is created
> 4) the parameters for that cookie are defaulted unless cookie
> parameters are explicitly given
> 5) sessions are stored in /tmp on my server, but linked by id to a
> cookie or param that I pass back and forth to my page

The location will be configurable in the options you pass to the session
manager.

> 6) $self->query->param('userid') is not a session, and is only
> applicable for that instance, or until another header is sent to the
> browser

True, it's not a session. It's a key passed from the client's CGI form
back to your CGI::App which you must pass to the session manager to
retrieve any pre-existing session's data.

> 7) sessions are not deleted unless explicitly called:
> $self->session_delete, however cookies expire automatically

You probably meant $self -> session() -> delete(); there.

Both this and $self -> session() -> param('userid') above only work if
$self -> session() works, and that only works if a module, e.g.
CGI::Session via (say) CGI::Application::Plugin::Session, is used in
your CGI::App. The plugin automagically forces sub session() into your
app's namespace, so you can call it with $self -> session().

> Here's my challenge:
> I have an application built on C::A and HTML::Template that starts by
> displaying a login page when landing on the site, if they are not
> already logged in. Of course, when checking the login param, a session
> is created. If they never log in, that session is just left sitting in
> /tmp. My /tmp directory is filled with thousands of sessions that are
> not getting deleted.
> 
> Questions:
> 1. how can those unnecessary sessions be deleted?

Answered in my other post.

> 2. where are the actual session->params stored?

That depends on what parameters you passed when initializing
CGI::Session.

-- 
Ron Savage
ron at savage.net.au
http://savage.net.au/index.html
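
An added example, not part of the original message: the id acting as the key to the session store, using CGI::Session directly. The file driver, the temporary directory, the 'userid' value and the never-issued id are assumptions constructed for the demo.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI::Session;
use File::Temp qw(tempdir);

# Constructed demo store; a real app passes its own Directory option.
my $dir  = tempdir(CLEANUP => 1);
my $opts = { Directory => $dir };

# Request 1: no id presented, so the session manager creates a session
# in the store and generates the key for it.
my $s1 = CGI::Session->new('driver:File', undef, $opts)
    or die CGI::Session->errstr;
$s1->param(userid => 'brad');    # constructed sample value
$s1->expire('+1h');              # session expires after one idle hour
my $sid = $s1->id;
$s1->flush;                      # write the session to the store now

# Request 2: the client hands the key back (cookie or hidden field) and
# the session manager uses it to find the pre-existing session.
my $s2 = CGI::Session->load('driver:File', $sid, $opts)
    or die CGI::Session->errstr;
print "found userid: ", $s2->param('userid'), "\n";

# Request 3: a key the store has never issued. load() returns an empty
# object instead of creating a session, so the app can show the login
# page without starting one.
my $bogus = '0' x 32;            # constructed id, never issued
my $s3 = CGI::Session->load('driver:File', $bogus, $opts)
    or die CGI::Session->errstr;
print "unknown key is empty: ", ($s3->is_empty ? 'yes' : 'no'), "\n";

# new() with the same unknown key does create a session, but under a
# freshly generated id, not the one the client supplied.
my $s4 = CGI::Session->new('driver:File', $bogus, $opts)
    or die CGI::Session->errstr;
print "client-chosen id adopted: ", ($s4->id eq $bogus ? 'yes' : 'no'), "\n";

# Explicit removal, as in $self -> session() -> delete() above.
$_->delete for $s1, $s4;
$_->flush  for $s1, $s4;         # delete() takes effect on flush
```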



