Re: [Cgi-session-user] ip_match + find problem
From: Mark S. <ma...@su...> - 2006-04-25 19:44:12
On Tue, Apr 25, 2006 at 12:24:09PM -0700, Ryley Breiddal wrote:
> Hi,
>
> I have some code that checks all sessions for certain variables on a
> regular basis. The code uses CGI::Session::find to get each session and
> check some of the data (perfectly normal, I'm sure). The issue that
> comes up is that I also use ip_match for security. Since
> CGI::Session::find calls CGI::Session::load, which then checks that the
> IP in the session matches the caller's remote IP, and it ends up deleting
> every session that isn't from the same IP as the caller.
>
> One solution I see is to just disable CGI::Session::IP_MATCH before I
> call find, and then enable it afterwards... But it seems somewhat
> inelegant.
>
> Something that would require more work might be to have find and load
> share some code that does the thawing of the session data, or possibly
> change load to work differently if it's called from find, but I don't
> really know enough about this module yet to say for sure.

First, are you sure you want to use ip_match, considering it doesn't
work through proxies, such as AOL uses?

One way I could see to address it would be to add a "skip_ip_match"
option to load(), just for this case, and call it that way from find().

> Since I'm using the DBI Driver, I also see an opportunity here to pull
> down all the session data at once from the database, rather than doing
> one call per session.

CGI::Session::ExpireSessions might be of interest here.

Mark
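
The workaround described in the quoted message (turning IP_MATCH off only around find()) can be scoped with Perl's `local`, so the check is restored automatically when the scan ends. This is an added example, not part of the thread and not CGI::Session's own code; `scan_sessions` is a hypothetical helper name, and the file driver, temporary directory and 192.0.2.x addresses are constructed so the script runs offline (the poster uses the DBI driver).

```perl
#!/usr/bin/perl
# Added example: constructed data, hypothetical helper name scan_sessions().
use strict;
use warnings;
use File::Temp qw(tempdir);
use CGI::Session;

my $dsn  = 'driver:file';
my $args = { Directory => tempdir(CLEANUP => 1) };

# IP matching is on for the application as a whole.
$CGI::Session::IP_MATCH = 1;

# Constructed session created by a "client" at 192.0.2.10.
{
    local $ENV{REMOTE_ADDR} = '192.0.2.10';
    my $s = CGI::Session->new($dsn, undef, $args)
        or die CGI::Session->errstr;
    $s->param(cart_items => 3);
    $s->flush;
}

# Maintenance scan: IP_MATCH is off only inside this sub. "local"
# restores the previous value on return, even if find() dies, so the
# check cannot be left disabled for normal request handling.
sub scan_sessions {
    my ($dsn, $args) = @_;
    my @found;
    local $CGI::Session::IP_MATCH = 0;
    CGI::Session->find($dsn, sub {
        my ($session) = @_;
        return if $session->is_empty;    # expired or unreadable session
        push @found, {
            id    => $session->id,
            addr  => $session->remote_addr,
            items => $session->param('cart_items'),
        };
    }, $args);
    return @found;
}

# The scan runs from a different address than the session's owner.
{
    local $ENV{REMOTE_ADDR} = '192.0.2.99';
    for my $rec (scan_sessions($dsn, $args)) {
        print "$rec->{id} from $rec->{addr}: $rec->{items} item(s)\n";
    }
}
```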