Session Management with Mason

This Perl-based web helper and MySQL work together to let you quickly build a user registration system for your web site.
Logging In and Out

register.html automatically logs in a user. By this, we mean that it sets the value of $session{user_id} to a valid primary key for the Users table. When $session{user_id} is set, a user is said to be logged in; when it is undefined, the user is not.

Listing 6

Logging out a user, then, is as simple as undefining the value $session{user_id}. We do exactly this in Listing 6, logout.html. Once a user visits this page, he or she is no longer logged in. Note that the line

undef $session{user_id};

does not remove the user_id key from %session. Rather, it assigns the undefined value to $session{user_id}.

If a user fails to log out, then the session will remain active for as long as the session cookie exists. Cookies are normally assigned an expiration date when they are created, indicating the maximum date on which they should be transmitted to a server. If no expiration date is mentioned, the cookie should disappear when the user exits from the browser. Session cookies are normally set with the latter expiration date, forcing them to disappear when the user quits from the browser.

However, this doesn't mean that users can ignore the “logout” button. On the contrary, someone who fails to log out is effectively saying that any HTTP requests originating from a particular computer should be attributed to his or her user name. In a typical office, where everyone has their own computer, this might not be a serious issue. However, a student in a recent class I taught told me that she was able to read someone else's e-mail at an Internet cafe, because Yahoo! Mail had failed to log out the previous user.

If the information is particularly sensitive, you might want to force users to re-register every 15 or 30 minutes. Simply set the cookie expiration date and time to be something in the very near future, and the cookies will expire automatically.

Logging in is slightly more complicated, in that we must ask the user for a user name and password. These pieces of information, supplied from login-form.html (listing 7), are passed to the login.html component (listing 8). login.html performs two tasks: it submits a SELECT query to the database, requesting the user_id column for the submitted user name and password. If no such row exists, $sth->fetchrow_array returns undef, and we thus know that the user does not exist. If it does exist, then we retrieve all the relevant information about this user into a hash reference and set $session{user_id} to the newly rediscovered user ID. This restores the session information to the user's browser, which sets it in a cookie (or path_info, as appropriate).

Listing 7

Listing 8

While there is no room to discuss it here, it would obviously not be very difficult to create a “password-remind.html” component which allows users to retrieve their password using the hint they entered in the initial registration form.

Of course, personalized sites are rather uninteresting if they store only the user's name and e-mail address. Things get much more interesting if the site keeps track of users' interests, birthdays and stock portfolios. But once we have a unique ID that represents this user—the user_id column in Users—we can create as many tables as we like, identifying each user with their primary key.


Session management can be a tricky subject when working with the Web, since it means using a stateless connection for something it was never intended to do. With the help of Mason and Apache::Session, it is not difficult to develop a personalized site which keeps track of users' interests and customizes the site's output accordingly.


Reuven M. Lerner , an Internet and Web consultant, moved to Modi'in, Israel following his November marriage to Shira Friedman-Lerner. His book Core Perl will be published by Prentice-Hall in the spring. Reuven can be reached at The ATF home page, including archives, source code and discussion forums, is at