You are viewing a plain text version of this content. The canonical link for it is here.

Posted to embperl@perl.apache.org by Nate Smith <na...@thebackrow.net> on 2002/02/14 21:44:51 UTC

%udat + session killing

Hi,
   I have a question regarding session management.  I have built
a framework to manage users and groups of users's access to
various intranet tools they use.  When they login and are
authenticated embperl sends them a cookie with nothing but the
id associated with %udat.  I use mysql+semaphore for udat
session storage, and it works well enough; but I would like
some way to force a user to logoff -- everytime they request
a new page they are denied access if they dont' have the cookie
that udat gave them, or udat has deleted their session information.
I have found though, that if i delete their session row from
mysql, it just sends them another cookie and allows them to continue 
their session as if nothing has changed but their %udat{_sessions_id}.

Is there a way to "pull the session out from under them" so to speak?

Thanks,

Nate Smith

using embperl 1.3.3 with apache 1.3.22 on debian (woody) linux
with mysql 3.23.47 


---------------------------------------------------------------------
To unsubscribe, e-mail: embperl-unsubscribe@perl.apache.org
For additional commands, e-mail: embperl-help@perl.apache.org

Re: %udat + session killing

Posted by Gerald Richter <ri...@ecos.de>.

>
> I'm not quite clear on how this should work.  To restate my problem,
> I have a form that an administrator can submit to kill a logged in
> user, i.e., someone *else's* session.  tied returns a ref to
> the object that %udat was tied to, but I still need a way of specifying
> which session I want to kill.  This isn't a problem, as I use
> mysql for my session storage, and have another table that associates
> that session with a particular user.  Given just the session id
> created by embperl, how can I kill that session?
>

Aah, I see. I had misunderstood your problem....

I think the aproach you tried was right. Just delete the record with session
id from the database. When the user next time comes in he gets a new session
id and %udat will be empty. So you just set something like $udat{login} = 1,
when the session is delete and the user comes again, $udat{login} will be
undef.

Does this work for you or did I miss again something?

Gerald


-------------------------------------------------------------
Gerald Richter    ecos electronic communication services gmbh
Internetconnect * Webserver/-design/-datenbanken * Consulting

Post:       Tulpenstrasse 5         D-55276 Dienheim b. Mainz
E-Mail:     richter@ecos.de         Voice:    +49 6133 925131
WWW:        http://www.ecos.de      Fax:      +49 6133 925152
-------------------------------------------------------------




---------------------------------------------------------------------
To unsubscribe, e-mail: embperl-unsubscribe@perl.apache.org
For additional commands, e-mail: embperl-help@perl.apache.org

Re: %udat + session killing

Posted by Nate Smith <na...@thebackrow.net>.

On Sat, Feb 16, 2002 at 05:08:28PM +0100, Gerald Richter wrote:
> > I have found though, that if i delete their session row from
> > mysql, it just sends them another cookie and allows them to continue 
> > their session as if nothing has changed but their %udat{_sessions_id}.
> 
> You should use 
> 
> tied(%udat) -> delete ;
> 
> to delete the session. This cause Embperl to _not_ send a new cookie

I'm not quite clear on how this should work.  To restate my problem, 
I have a form that an administrator can submit to kill a logged in 
user, i.e., someone *else's* session.  tied returns a ref to 
the object that %udat was tied to, but I still need a way of specifying
which session I want to kill.  This isn't a problem, as I use
mysql for my session storage, and have another table that associates
that session with a particular user.  Given just the session id
created by embperl, how can I kill that session?

Thanks,

Nate Smith

---------------------------------------------------------------------
To unsubscribe, e-mail: embperl-unsubscribe@perl.apache.org
For additional commands, e-mail: embperl-help@perl.apache.org

Re: %udat + session killing

Posted by Gerald Richter <ri...@ecos.de>.

> I have found though, that if i delete their session row from
> mysql, it just sends them another cookie and allows them to continue 
> their session as if nothing has changed but their %udat{_sessions_id}.
> 

You should use 

tied(%udat) -> delete ;

to delete the session. This cause Embperl to _not_ send a new cookie

Gerald



-------------------------------------------------------------
Gerald Richter    ecos electronic communication services gmbh
Internetconnect * Webserver/-design/-datenbanken * Consulting

Post:       Tulpenstrasse 5         D-55276 Dienheim b. Mainz
E-Mail:     richter@ecos.de         Voice:    +49 6133 925131
WWW:        http://www.ecos.de      Fax:      +49 6133 925152
-------------------------------------------------------------


---------------------------------------------------------------------
To unsubscribe, e-mail: embperl-unsubscribe@perl.apache.org
For additional commands, e-mail: embperl-help@perl.apache.org