From: Boris Z. <bz...@2b...> - 2004-07-13 14:32:29
Hi Sean,

Whoops, I forgot the list ;-)

Sean Lee wrote:
> Dear Boris,
>
> >Yes, it is security. For a user that is logged in, the user info is used
> >to validate the cookie. This is to protect you against guessed cookies.
> >Or login as someone else.
>
> If so, instead of making new session data in say, database, wouldn't it
> make more sense to store this hash of username and password in session,
> which was created already (and would be able to control expiration of, in
> config file)?

I think I did not really understand what expiration you mean, or even
better, what function you miss, since you get your session back whenever
you log in again.

> And auth_session_key to check this value from session data?

Also here, what does it buy me? Where is the difference, besides that I
duplicate the data from the pkit_user table into the session?

> I mean, instead of making new session and when logged out falling back to
> new session,

I suppose you mean 'fallback to old session'. This can easily be added as a
config option if you need that. But think about this: you fill a shopping
cart as an anon user. Then you log in. The sessions are merged. You drop
some items. Then you log out. And log in again. The dropped items are back
again.

> making one session at startup, if someone logs in, then in the
> session we already created, store new hash and tick to say that this user
> is logged in, and when they logout, simply remove this hash from the
> session? Better even, as a new column in session table, so it's easier to
> check if user is online or not and make list of logged in users and to
> search information within logged in users (eg: using only SQL)?

Nothing prevents you from adding a column to pkit_user (or any other
table). Just add a

    $dbh->do(q{
        UPDATE pkit_user SET last_visite = ? WHERE user_id = ?
    }, {}, time(), $user_id );

near the end of 'pkit_auth_session_key'. And later search for all users
that were active in the last time on a page of your choice ;-).

    sub list_active_users {
        my $model = shift;

        # find all visitors from the last 30 minutes
        my $time = time() - 30 * 60;

        $model->output( active_users =>
            $model->dbh->selectall_arrayref(q{
                SELECT name, email FROM pkit_user WHERE last_visite >= ?
            }, { Slice => {} }, $time )
        );
    }

> >Either you use apache2 with a broken libapreq2 or you did not use
> >pkit_remember; just add it to your login as a hidden parameter.
> >http://pagekit.org/guide/ch02s04.html
>
> Ohhh, I didn't know about pkit_remember :-) sorry.
>
> Thank you Boris,
> Sean
>

--
Boris
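
The point made in the quoted text above, that the logged-in user's info is used to validate the cookie so that a guessed cookie is rejected, shown as an added example. This is not Apache::PageKit's own code; the cookie layout, `$SERVER_SECRET`, the `passwd_hash` field and the sample rows are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example, not Apache::PageKit code: a login cookie bound to the user's
# stored credentials, so a guessed or stale cookie value fails validation.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex sha256_hex);

# Constructed sample rows standing in for pkit_user; passwd_hash is a
# hypothetical field holding whatever credential hash the table stores.
my %pkit_user = (
    17 => { name => 'sean',  passwd_hash => sha256_hex('constructed-pw-1') },
    42 => { name => 'boris', passwd_hash => sha256_hex('constructed-pw-2') },
);
my $SERVER_SECRET = 'constructed-secret-load-from-config';   # assumption

# Cookie value is "user_id:mac"; the MAC covers the id and the credential hash.
sub make_cookie {
    my ($user_id) = @_;
    my $user = $pkit_user{$user_id} or return;
    my $mac = hmac_sha256_hex("$user_id:$user->{passwd_hash}", $SERVER_SECRET);
    return "$user_id:$mac";
}

# Compare without stopping at the first differing character.
sub constant_time_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Returns the user_id for a valid cookie, undef otherwise.
sub validate_cookie {
    my ($cookie) = @_;
    return unless defined $cookie && $cookie =~ /\A(\d+):([0-9a-f]{64})\z/;
    my ($user_id, $mac) = ($1, $2);
    my $user = $pkit_user{$user_id} or return;
    my $expected = hmac_sha256_hex("$user_id:$user->{passwd_hash}", $SERVER_SECRET);
    return constant_time_eq($mac, $expected) ? $user_id : undef;
}

my $cookie = make_cookie(17);
print "valid cookie    -> ", (validate_cookie($cookie) // 'rejected'), "\n";
print "guessed cookie  -> ", (validate_cookie('42:' . ('0' x 64)) // 'rejected'), "\n";
(my $swapped = $cookie) =~ s/\A17:/42:/;     # same MAC, different user id
print "swapped user id -> ", (validate_cookie($swapped) // 'rejected'), "\n";
$pkit_user{17}{passwd_hash} = sha256_hex('constructed-pw-3');   # password change
print "after pw change -> ", (validate_cookie($cookie) // 'rejected'), "\n";
```

Because the MAC is recomputed from the current row on every request, a password change invalidates cookies issued earlier without any session-table cleanup.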