08-11-2004
I am fiddling around with variations of this now.... However, I have a set of columns in the users table that govern various permissions over the DB (e.g. can create categories, can edit items, can delete items, etc., etc.). So I can't really break it down into either admin or users, as I want to assign each user fine-grained permissions - this is what makes setting the cookie (and then getting the page to render accordingly) quite difficult. As you say, if you log in as somebody else the cookie gets clobbered and the "old" session assumes the values stored in the "new" session's cookie.
It also becomes complicated when reading in cookie values. Say I'm logged in as both a user and an admin, and I try to remove an entry as the user; if the admin cookie exists as well, isn't it going to be a pain to decipher what's going on? (Because the script will be saying "if admin cookie exists - allow, else disallow", but both cookies will exist?)
I think as a workaround for now, I will have to stick to limiting the thing to a single session per IP address. It's kludgy but will work. I think that it's just as easy to log out, and then log back in as a user with appropriate privileges to do whatever needs doing. I've also set up a series of cookies that are set to various crypt()ed values to stop a user trying to forge a cookie with elevated privileges, and everything seems pretty secure at the moment.
Let me know if you come up with anything more (or if I've got the wrong end of the stick) - I'm still open to ideas and am still hacking around.
Thanks again,
Cheers
ZB
Dancer::Session::Cookie(3pm) User Contributed Perl Documentation Dancer::Session::Cookie(3pm)
NAME
Dancer::Session::Cookie - Encrypted cookie-based session backend for Dancer
SYNOPSIS
Your config.yml:
session: "cookie"
session_cookie_key: "this random key IS NOT very random"
DESCRIPTION
This module implements a session engine for sessions stored entirely in cookies. Usually only the session id is stored in a cookie and the session data itself is saved in some external storage, e.g. a database. This module allows one to avoid using external storage at all.
Since the server cannot trust any data returned by the client in cookies, this module uses cryptography to ensure integrity and also secrecy. The data your application stores in sessions is completely protected from both tampering and analysis on the client side.
CONFIGURATION
The setting session should be set to "cookie" in order to use this session engine in a Dancer application. See Dancer::Config.
A mandatory setting is needed as well: session_cookie_key, which should contain a random string of at least 16 characters (shorter keys are not cryptographically strong using AES in CBC mode).
Here is an example configuration to use in your config.yml:
session: "cookie"
session_cookie_key: "kjsdf07234hjf0sdkflj12*&(@*jk"
Compromising session_cookie_key will disclose session data to clients, proxies or eavesdroppers and will also allow tampering, for example session theft. So, your config.yml should be kept at least as secure as your database passwords, or even more so.
Also, changing session_cookie_key has the effect of immediately invalidating all sessions issued with the old value of the key.
session_cookie_path can be used to control the path of the session cookie. The default is /.
The global session_secure setting is honoured and a secure (https only) cookie will be used if set.
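The DESCRIPTION and CONFIGURATION sections above describe the whole mechanism: serialise the session, encrypt it under session_cookie_key, hand the result to the client, and on the next request reject anything that does not decrypt and verify. The following Go program is an added illustration of that design; it is not the Perl module's code and not part of the man page. It keeps the page's rules (a key of at least 16 characters, any key change invalidating every outstanding cookie) but, by my own choice, uses AES-GCM, an authenticated mode, instead of CBC plus the String::CRC32 checksum the module depends on, since a CRC is an error-detecting checksum rather than a keyed integrity check. The key derivation by SHA-256, the JSON serialisation, the FlipLastByte helper and the sample session values (including the permission flags the forum poster above keeps in a users table) are all assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Session holds whatever the application would otherwise keep server-side,
// e.g. per-user permission flags. With a cookie backend all of it travels to
// the client, so it must be encrypted and authenticated before it leaves.
type Session map[string]string

// CookieStore seals whole sessions into one cookie value under one secret key.
type CookieStore struct {
	aead cipher.AEAD
}

// NewCookieStore enforces the man page's minimum of 16 characters.
// Assumption: the configured string is hashed with SHA-256 to get a 32-byte
// AES-256 key; the Perl module's own key handling is not shown on the page.
func NewCookieStore(sessionCookieKey string) (*CookieStore, error) {
	if len(sessionCookieKey) < 16 {
		return nil, errors.New("session_cookie_key must be at least 16 characters")
	}
	key := sha256.Sum256([]byte(sessionCookieKey))
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &CookieStore{aead: aead}, nil
}

// Seal serialises the session, encrypts and authenticates it under a fresh
// random nonce, and returns the base64 text that goes into Set-Cookie.
func (s *CookieStore) Seal(sess Session) (string, error) {
	plain, err := json.Marshal(sess)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	// Layout of the sealed value: nonce || ciphertext || GCM tag.
	sealed := s.aead.Seal(nonce, nonce, plain, nil)
	return base64.RawURLEncoding.EncodeToString(sealed), nil
}

// Open authenticates a cookie value before decrypting it. A cookie that was
// edited by the client, forged, or issued under a previous session_cookie_key
// fails the tag check and yields no session at all.
func (s *CookieStore) Open(cookie string) (Session, error) {
	sealed, err := base64.RawURLEncoding.DecodeString(cookie)
	if err != nil {
		return nil, err
	}
	n := s.aead.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("session cookie too short")
	}
	plain, err := s.aead.Open(nil, sealed[:n], sealed[n:], nil)
	if err != nil {
		return nil, errors.New("session cookie rejected: tampered or wrong key")
	}
	var sess Session
	if err := json.Unmarshal(plain, &sess); err != nil {
		return nil, err
	}
	return sess, nil
}

// FlipLastByte is constructed test input: it corrupts the final byte of the
// sealed value (part of the GCM tag), as a client editing its cookie might.
func FlipLastByte(cookie string) string {
	raw, err := base64.RawURLEncoding.DecodeString(cookie)
	if err != nil || len(raw) == 0 {
		return cookie
	}
	raw[len(raw)-1] ^= 0x01
	return base64.RawURLEncoding.EncodeToString(raw)
}

func main() {
	store, err := NewCookieStore("kjsdf07234hjf0sdkflj12*&(@*jk") // key from the man page example
	if err != nil {
		panic(err)
	}
	cookie, _ := store.Seal(Session{"user": "zb", "can_delete_items": "1"})
	sess, err := store.Open(cookie)
	fmt.Println("genuine cookie:", sess, err)
	_, err = store.Open(FlipLastByte(cookie))
	fmt.Println("edited cookie:", err)
	rotated, _ := NewCookieStore("a different key of 16+ chars")
	_, err = rotated.Open(cookie)
	fmt.Println("after key change:", err)
}
```

Open returns an error rather than a partial session on any failure, which is the property the forum poster was after with crypt()ed cookie values: the client can hold the cookie but cannot change what it says. The last case in main is the key-rotation behaviour the CONFIGURATION section describes, where every cookie issued under the old key is rejected the moment the key changes.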
DEPENDENCY
This module depends on Crypt::CBC, Crypt::Rijndael, String::CRC32, Storable and MIME::Base64.
AUTHOR
This module has been written by Alex Kapranoff.
SEE ALSO
See Dancer::Session for details about session usage in route handlers.
See Plack::Middleware::Session::Cookie, Catalyst::Plugin::CookiedSession, "session" in Mojolicious::Controller for alternative implementations of this mechanism.
COPYRIGHT
This module is copyright (c) 2009-2010 Alex Kapranoff <kappa@cpan.org>.
LICENSE
This module is free software and is released under the same terms as Perl itself.
perl v5.14.2 2011-12-20 Dancer::Session::Cookie(3pm)