Session Management with Mason

This Perl-based web helper and MySQL work together to let you quickly build a user registration system for your web site.
Logging In and Out

register.html automatically logs in a user. By this, we mean that it sets the value of $session{user_id} to a valid primary key for the Users table. When $session{user_id} is set, a user is said to be logged in; when it is undefined, the user is not.

Listing 6

Logging out a user, then, is as simple as undefining the value $session{user_id}. We do exactly this in Listing 6, logout.html. Once a user visits this page, he or she is no longer logged in. Note that the line

undef $session{user_id};

does not remove the user_id key from %session. Rather, it assigns the undefined value to $session{user_id}.

If a user fails to log out, then the session will remain active for as long as the session cookie exists. Cookies are normally assigned an expiration date when they are created, indicating the maximum date on which they should be transmitted to a server. If no expiration date is mentioned, the cookie should disappear when the user exits from the browser. Session cookies are normally set with the latter expiration date, forcing them to disappear when the user quits from the browser.

However, this doesn't mean that users can ignore the “logout” button. On the contrary, someone who fails to log out is effectively saying that any HTTP requests originating from a particular computer should be attributed to his or her user name. In a typical office, where everyone has their own computer, this might not be a serious issue. However, a student in a recent class I taught told me that she was able to read someone else's e-mail at an Internet cafe, because Yahoo! Mail had failed to log out the previous user.

If the information is particularly sensitive, you might want to force users to re-register every 15 or 30 minutes. Simply set the cookie expiration date and time to something in the very near future, and the cookies will expire automatically.
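The following is an added example, not one of the column's listings. It shows the two points above in runnable form: why logout.html's `undef $session{user_id}` leaves the key in place (and why a login check must therefore test `defined`, not `exists`), and how a site can enforce a short inactivity window inside the session itself rather than relying only on the cookie's expiry date. `%session` here is a plain hash standing in for the hash that Apache::Session ties in the Mason autohandler; the `last_activity` key, the helper names and the sample timestamps are assumptions of this example.

```perl
#!/usr/bin/perl
# Added example; %session is a plain hash standing in for the tied
# Apache::Session hash. The helpers behave the same on the tied hash.
use strict;
use warnings;
use POSIX qw(strftime);

# Constructed sample session: user_id 42, last seen 40 minutes ago.
my %session = (
    _session_id   => 'constructed-session-id',
    user_id       => 42,
    last_activity => time() - 40 * 60,
);

# A user is logged in only while user_id is defined. After logout the key
# still exists with an undefined value, so test definedness, not existence.
sub is_logged_in {
    my ($s) = @_;
    return defined $s->{user_id} ? 1 : 0;
}

# logout.html's approach: assign the undefined value. The key stays in %session.
sub logout {
    my ($s) = @_;
    undef $s->{user_id};
}

# Idle timeout enforced from the session's own timestamp, independent of the
# cookie lifetime. A session re-sent from a shared machine after the window
# has passed is logged out on its next request.
sub enforce_idle_timeout {
    my ($s, $max_idle_secs) = @_;
    my $now = time();
    if (defined $s->{last_activity}
        && $now - $s->{last_activity} > $max_idle_secs) {
        logout($s);
    }
    $s->{last_activity} = $now;
    return is_logged_in($s);
}

# Expiry string for a cookie that should vanish $secs from now, in the
# Netscape cookie date format browsers expect (Wdy, DD-Mon-YYYY HH:MM:SS GMT).
sub cookie_expires_in {
    my ($secs) = @_;
    return strftime("%a, %d-%b-%Y %H:%M:%S GMT", gmtime(time() + $secs));
}

print "logged in before the idle check: ", is_logged_in(\%session), "\n";
print "logged in after a 30-minute idle check: ",
      enforce_idle_timeout(\%session, 30 * 60), "\n";
print "user_id key still exists after undef: ",
      (exists $session{user_id} ? "yes" : "no"), "\n";
delete $session{user_id};
print "user_id key exists after delete: ",
      (exists $session{user_id} ? "yes" : "no"), "\n";
print "Expires value for a 30-minute cookie: ", cookie_expires_in(30 * 60), "\n";
```

The session-side timeout is the check to keep even when the cookie is given a short expiry: the expiry date is advice to the browser, and a client that keeps sending an old cookie is still holding a valid session ID on the server until the server itself refuses it.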

Logging in is slightly more complicated, in that we must ask the user for a user name and password. These pieces of information, supplied from login-form.html (Listing 7), are passed to the login.html component (Listing 8). login.html performs two tasks. First, it submits a SELECT query to the database, requesting the user_id column for the submitted user name and password. If no such row exists, $sth->fetchrow_array returns undef, and we thus know that the user does not exist. If it does exist, then we retrieve all the relevant information about this user into a hash reference and set $session{user_id} to the newly rediscovered user ID. This restores the session information to the user's browser, which stores it in a cookie (or path_info, as appropriate).
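As an added example (not the column's login.html listing), here is the lookup just described with the two changes a security reviewer would ask for, both named plainly as departures from the text: the submitted user name reaches the database only as a DBI placeholder rather than being interpolated into the SQL, and the Users table holds a salted SHA-256 digest that is compared in Perl instead of a plaintext password in the WHERE clause. The column names other than user_id, the helper names, the sample user and the use of an in-memory SQLite database (via DBD::SQLite) in place of the column's MySQL server are assumptions of this example.

```perl
#!/usr/bin/perl
# Added example, not the column's login.html. Assumes DBD::SQLite is installed;
# the column itself uses MySQL, and only user_id is a column name from the text.
use strict;
use warnings;
use DBI;
use Digest::SHA qw(sha256_hex);

# Constructed in-memory stand-in for the Users table.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
                       { RaiseError => 1, AutoCommit => 1 });
$dbh->do(q{CREATE TABLE Users (
    user_id   INTEGER PRIMARY KEY,
    username  TEXT NOT NULL UNIQUE,
    salt      TEXT NOT NULL,
    pw_digest TEXT NOT NULL)});

# Salted digest stored instead of the password itself (swapped-in technique;
# Digest::SHA is used because it ships with Perl).
sub password_digest {
    my ($salt, $password) = @_;
    return sha256_hex($salt . $password);
}

# Constructed sample user.
my $sample_salt = 'constructed-random-salt';
$dbh->do("INSERT INTO Users (username, salt, pw_digest) VALUES (?, ?, ?)",
         undef, 'reuven', $sample_salt,
         password_digest($sample_salt, 'correct horse'));

# Returns the user_id on success, undef otherwise. As in the text, an empty
# result from fetchrow_array means there is no such user; the user name is
# a bound parameter, so quotes inside it are data, never SQL.
sub authenticate {
    my ($dbh, $username, $password) = @_;
    my $sth = $dbh->prepare(
        "SELECT user_id, salt, pw_digest FROM Users WHERE username = ?");
    $sth->execute($username);
    my ($user_id, $salt, $stored) = $sth->fetchrow_array;
    $sth->finish;
    return undef unless defined $user_id;                          # no such user
    return undef unless password_digest($salt, $password) eq $stored;  # bad password
    return $user_id;
}

# Stand-in for the tied Apache::Session hash.
my %session;

# Setting $session{user_id} is what "logged in" means on this site.
sub login {
    my ($dbh, $session, $username, $password) = @_;
    my $user_id = authenticate($dbh, $username, $password);
    return 0 unless defined $user_id;
    $session->{user_id} = $user_id;
    return 1;
}

print "wrong password:          ", login($dbh, \%session, 'reuven', 'wrong'), "\n";
print "unknown name with quote: ", login($dbh, \%session, "o'brien", 'x'), "\n";
print "correct password:        ", login($dbh, \%session, 'reuven', 'correct horse'), "\n";
print "session user_id:         ", $session{user_id} // 'undef', "\n";
```

Two notes on the design. Querying by user name alone and comparing the digest in Perl keeps the password out of the SQL entirely, so it never appears in query logs or error messages. A production site would replace the salted SHA-256 with a deliberately slow password hash (bcrypt, scrypt or Argon2 via the corresponding CPAN module); the structure of `authenticate` stays the same.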

Listing 7

Listing 8

While there is no room to discuss it here, it would obviously not be very difficult to create a “password-remind.html” component which allows users to retrieve their password using the hint they entered in the initial registration form.

Of course, personalized sites are rather uninteresting if they store only the user's name and e-mail address. Things get much more interesting if the site keeps track of users' interests, birthdays and stock portfolios. But once we have a unique ID that represents this user—the user_id column in Users—we can create as many tables as we like, identifying each user with their primary key.

Conclusion

Session management can be a tricky subject when working with the Web, since it means using a stateless connection for something it was never intended to do. With the help of Mason and Apache::Session, it is not difficult to develop a personalized site which keeps track of users' interests and customizes the site's output accordingly.

Resources

Reuven M. Lerner, an Internet and Web consultant, moved to Modi'in, Israel following his November marriage to Shira Friedman-Lerner. His book Core Perl will be published by Prentice-Hall in the spring. Reuven can be reached at reuven@lerner.co.il. The ATF home page, including archives, source code and discussion forums, is at http://www.lerner.co.il/atf/.
