[Cgi-session-user] Changing/Regenerating session ids
From: Tom P. <pa...@ph...> - 2007-05-21 19:14:51
What is the best way to change/regenerate a session id for an existing session?

I have an application which will be storing the user's authentication status in a session, along with other information. I can expire the more sensitive authentication data more rapidly than the less sensitive data, so that the user will be forced to log in again to continue the session, but without changing the session id the security gain is only partial. E.g., if a bad guy managed to steal the session id, the session id would still allow him to impersonate the real user if the real user logs in again to renew the session.

I would like it so that when the user logs in again, he effectively gets a clone of the original session, with everything the same except for the session id. As I would like to extract this into a library wrapping around CGI::Session, I would prefer to be able to do this without knowing anything about what might be put into the session.

I could probably just delete the original session, create a new session and copy all the visible parameters from the original to the new session, but this would lose any expiry information, and I am not sure how to create the new session with all the same options as the original. (Some experimentation with CGI::Session 4.14 shows that I can give a CGI::Session instance to the new constructor method, but that seems to duplicate the object including the session id.)

I believe I have succeeded in getting what I am after with the code

    $sess->dataref->{_SESSION_ID} = $sess->_id_generator->generate_id( $sess->{_DRIVER_ARGS}, '' );

where $sess is a CGI::Session instance, but I would prefer a solution that did not stray as far from the public API.

Does anyone have a better solution?

-- 
Tom Payerle
Dept of Physics                pa...@ph...
University of Maryland         (301) 405-6973
College Park, MD 20742-4111    Fax: (301) 314-9525
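One way to rotate the id on re-login through the public CGI::Session API, as an added example that is not part of the original post or of the CGI::Session distribution: snapshot the visible parameters and expiry settings, delete and flush the old record so the id in the client's cookie no longer resolves, then let new() mint a fresh id against the same request object. It assumes the caller still has the $dsn and driver arguments used to create the original session (CGI::Session does not expose them) and relies on the data-table key _SESSION_EXPIRE_LIST for per-parameter expiry.

```perl
use strict;
use warnings;
use CGI::Session;

# Rebuild $old under a fresh session id and return the new CGI::Session.
# $dsn and $driver_args are assumed to be the values the original session was
# created with (CGI::Session does not expose them to the caller).
sub regenerate_session_id {
    my ($old, $dsn, $driver_args) = @_;

    # Snapshot everything worth keeping before touching the store.
    my $old_id = $old->id;
    my %params = map { $_ => $old->param($_) } $old->param();   # visible params only
    my $etime  = $old->expire();                                # whole-session interval or undef
    my %param_etime = %{ $old->dataref->{_SESSION_EXPIRE_LIST} || {} };  # per-param intervals
    my $query  = $old->query();   # reuse the request object; a POST body can be read only once

    # Remove the old record first: once it is gone, new() cannot load the id the
    # client's cookie still names and must generate a new one.
    $old->delete();
    $old->flush();

    my $new = CGI::Session->new($dsn, $query, $driver_args)
        or die 'CGI::Session->new failed: ' . CGI::Session->errstr;
    die 'session id was not regenerated' if $new->id eq $old_id;

    # Copy parameters and expiry settings.  Creation time cannot be carried over
    # through the public API, so ctime() of the new session is "now".
    $new->param($_ => $params{$_}) for keys %params;
    $new->expire($etime) if defined $etime;
    $new->expire($_ => $param_etime{$_}) for keys %param_etime;
    $new->flush();
    return $new;
}

# Typical use at the point where the user re-authenticates (hypothetical caller):
#   my $session = CGI::Session->new($dsn, $cgi, $driver_args);
#   ... verify credentials ...
#   $session = regenerate_session_id($session, $dsn, $driver_args);
#   $session->param(auth_user => $user);
#   print $session->header();   # sends the cookie carrying the new id
1;
```

Do the rotation before storing the fresh authentication state, and send the new cookie in the same response, so a previously captured id is never associated with the re-authenticated session.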