[cgiapp] enciphered-cookie-only sessions

Michael Peters mpeters at plusthree.com
Mon Mar 10 09:15:26 EDT 2008


Ricardo SIGNES wrote:

> It's a Catalyst plugin that stores your whole session in the cookie.  It's
> stored as a base64-encoded, Rijndael-enciphered, JSON-encoded string. 

Krang does this as well and I've used it on lots of other projects too. But, I
think that's a little overkill. I just use a URL encoded JSON cookie. I don't
put anything sensitive in there. I usually use this in conjunction with a normal
session cookie. So the sensitive stuff goes into the server side session and the
non-sensitive stuff in the client side session.

The nice thing about putting things into the cookie in an easy to read JSON
format is that my client side AJAX/Javascript code can use it too. For instance,
Krang has a user preference to determine how long you want the messages that
slide-in to remain visible. With this stored in this JSON cookie we can access
that from the Javascript, since that's what creates the slide-in messages in the
first place.

> This
> seemed like a swell idea for me, since:
> 
>   a. I'm tired of session files cluttering things up.
>   b. I don't feel like creating a session db.
>   c. My session contents are tiny.

The reason I use 2 session cookies (one just the key to the server side session
and the other a JSON cookie) is mainly because of (c). Cookie size is limited
and I can't guarantee that some people's sessions won't get really big.

> I threw together a quick implementation last night, just for Rubric, and I've
> already replaced my use of CAP::Session with it.  I'll refactor it for use as a
> real plugin later this week, probably.
> 
>   http://git.codesimply.com/?p=Rubric;a=blob;f=lib/Rubric/WebApp/Session.pm;h=3c5f79623f02268a0512487d62e976c7fc0b47aa;hb=HEAD

I've been meaning to add something like this to CGI::Application::Plugin::JSON,
but haven't gotten around to it yet.

-- 
Michael Peters
Plus Three, LP
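The enciphered-cookie session Ricardo describes, sketched in Go as an added example (not code from Rubric, Krang or CGI::Application): the session hash is JSON-encoded, enciphered with AES (the standardised Rijndael) and base64-encoded, and because GCM mode is used the cookie also carries an authentication tag, so an edited cookie is rejected instead of decrypting to garbage. The 4096-byte ceiling is an assumed per-cookie browser limit, there because of the size concern raised above.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
)

// Sealer wraps AES (Rijndael) in GCM, so the cookie also carries an auth tag.
type Sealer struct{ gcm cipher.AEAD }

// NewSealer takes a 16-, 24- or 32-byte key.
func NewSealer(key []byte) (*Sealer, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	return &Sealer{gcm: gcm}, err
}

// Seal JSON-encodes, enciphers (nonce prefixed, tag appended) and base64-encodes.
func (c *Sealer) Seal(session map[string]any) (string, error) {
	plain, err := json.Marshal(session)
	nonce := make([]byte, c.gcm.NonceSize())
	if _, rerr := rand.Read(nonce); err != nil || rerr != nil {
		return "", errors.New("cannot encode session or draw a nonce")
	}
	val := base64.RawURLEncoding.EncodeToString(c.gcm.Seal(nonce, nonce, plain, nil))
	if len(val) > 4096 { // common per-cookie browser limit (assumed here)
		return "", errors.New("session does not fit in one cookie")
	}
	return val, nil
}

// Open reverses Seal; a flipped bit or a wrong key fails the GCM tag check.
func (c *Sealer) Open(val string) (session map[string]any, err error) {
	sealed, err := base64.RawURLEncoding.DecodeString(val)
	if err != nil || len(sealed) < c.gcm.NonceSize() {
		return nil, errors.New("cookie malformed")
	}
	plain, err := c.gcm.Open(nil, sealed[:c.gcm.NonceSize()], sealed[c.gcm.NonceSize():], nil)
	if err != nil {
		return nil, errors.New("cookie rejected: tampered or wrong key")
	}
	return session, json.Unmarshal(plain, &session)
}
```

Anything the client-side Javascript needs to read still belongs in the plain URL-encoded JSON cookie described above; this sealed cookie is opaque to the browser.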


