Session Management

Why Maintain State?
Hidden Fields
Extra Information in URLs
Cookies

Why Maintain State?

HTTP does not provide way of tracking clients across multiple page requests
- Each HTTP transaction consists of a request from the client followed by a response from the server
- Server does not maintain the connection to the client
- Nor does it store any request-related information from one transaction to the next
Although idea of tracking user actions may raise concerns, there are many legitimate reasons for it
- For example, an online store needs to keep track of the items in a shopping cart for each user

Sessions

Session
Series of interactions between client and server
Session information
Information collected about a user during a session
Need to keep track of data between multiple invocations of a CGI script, and identify data as belonging to a user

Session Identifier

Each session must be uniquely identified
If nothing else, this information must be passed back to the browser through one of the mechanisms below

We can compute a session identifier using various pieces of information about the client

sub unique_id {
	use Digest::MD5;
	
	my $md5 = new Digest::MD5;
	my $remote = $ENV{REMOTE_ADDR} . $ENV{REMOTE_PORT};
	my $id = $md5->md5_base64(
	    time,            # current time
	    $$,              # process id
	    $remote);        # host and port
	$id =~ tr|+/=|-_.|;  # make the result URL friendly
	return $id;
}

Techniques for Session Management

Hidden fields
Embed "invisible" information within forms
Extra Information in URLs
Embed user identifier in the document's URL
Cookies
Store information on client machine

Hidden Fields

Allows us to store "hidden" information within a form

We can store a session identifier like this

<form action="script.cgi" method="POST">
    <input type="hidden" name="id"
           value="107-5364765-8343766">
    .
    .
</form>

When user submits form, the browser passes the information in hidden fields back to the server
Using hidden fields, information can be passed between invocations of a series of forms

Hidden Fields - Example

Consider the Tennis Shoppe example in the book
We use hidden fields to store which form to display next

The sequence of forms in the Tennis Shoppe is

start     => menu
catalog   => catalog/POST | menu
cart      => menu
checkout  => thanks/POST | menu
thanks    =>

/GET      request sent via GET
/POST     request sent via POST

Each page of the store also displays a menu which gives a choice between three forms
```
menu      == catalog/GET | cart/GET | checkout/GET
```

Hidden Fields - Example

The form to display next is encoded in a hidden field

sub catalog {
    my ($q, $id) = @_;
    
    if ($q->request_method eq "POST") {
        save_state($q);
    }
    
    print header($q, "Video Catalog"),
        .
        .
        $q->hidden(
            -name     => "id",
            -default  => $id,
            -override => 1
        ),
        $q->hidden(
            -name     => "action",
            -default  => "catalog",
            -override => 1
        ),
        $q->end_form,
        footer($q, $id);
}

Note the use of the -override attribute: it is required, if the parameter already has a value in the query string

Hidden Fields - Example

When the action parameter is received, the script dispatches to the appropriate form generator

my $q = new CGI;
my $action = $q->param("action") || "start";
my $id = get_id($q);

if ($action eq "start") {
    start($q, $id);
} elsif ($action eq "catalog") {
    catalog($q, $id);
} elsif ($action eq "cart") {
    cart($q, $id);
} elsif ($action eq "checkout") {
    checkout($q, $id);
} elsif ($action eq "thanks") {
    thanks($q, $id);
}

Limitations

Hidden fields only work across a series of form submissions
It is easy to see the contents of a hidden field from by looking at the source

Extra Information in URLs

Embed session information in all hyperlinks in script output
There are a number of ways to do this:
- Embed session information in URL base
- Add session information to URL
- Specify a query string within your URL

Amazon.com adds a session identifier to each URL

http://www.amazon.com/exec/obidos/subst/home/home.html/
107-5364765-8343766

Extra Information in URLs

Here is an excerpt from one of Amazon.com's web pages

<p><b><font face=verdana,arial,helvetica size=-1>
<a href=/exec/obidos/tg/new-for-you/pym/home/-/0/ref=pd_gw_cp_pym/107-5364765-8343766>Quick Picks</a></font></b>
<br>
<a href=/exec/obidos/ASIN/059600012X/ref=pd_gw_cp_1/107-5364765-8343766>
<img src="http://images.amazon.com/images/P/059600012X.01.20TLZZZZ.gif" width=77 height=97 vspace=3 hspace=7 align=left border=0></a>
<a href=/exec/obidos/ASIN/059600012X/ref=pd_gw_cp_1/107-5364765-8343766>
<img src="http://g-images.amazon.com/images/G/01/icons/small-blue-books-icon.gif" width=18 height=18  border=0  alt=Icon >
</a>
<font face=verdana,arial,helvetica size=-1>
<a href=/exec/obidos/ASIN/059600012X/ref=pd_gw_cp_1/107-5364765-8343766>
Managing Imap
</a>
<br><font face=verdana,arial,helvetica size=-1>by Dianna Mullet, Kevin Mullet</font>
</font>
<p>
<A NAME="059600012x7500"></A>
Plain old Post Office Protocol (POP) is fine for just logging in and grabbing your 
e-mail from a dial-up service, but more elaborate mail-management and messaging 
solutions require a more capable protocol. The Internet Mail Access Protocol (IMAP) 
fits the bill by allowing you to pull off all sorts of mail-management tricks. 
With IMAP, a single user...  
<a href=/exec/obidos/ASIN/059600012X/ref=pd_gw_cp_1/107-5364765-8343766>
<font size=-1>Read more</font></a>

Run the example

Extra Information in URLs - Example

We encode URLs in our Tennis Shoppe example

sub footer {
    my (@q, $id) = @_;
    
    my $catalog_link = $q->a(
        { -href => "$url?action=catalog&id=$id" },
        "View Catalog"
    );
    my $cart_link = $q->a(
        { -href => "$url?action=cart&id=$id" },
        "Show Current Cart"
    );   
    my $checkout_link = $q->a(
        { -href => "$url?action=checkout&id=$id" },
        "Checkout"
    );
    return $q->hr,
        $q->p("[ $catalog_link | $cart_link | $checkout_link ]"),
        $q->end_html;
}

Limitations

Encoded URLs only work across a series of form submissions
It is difficult to reliably encode every URL in your documents

Cookies

Cookies allow a server to store information on a client
Enable persistent client-side state
- Not just interconnected pages
Web browsers are expected to
- store the information (until it expires)
- send the cookie to the server on subsequent requests

Using Cookies - Site Personalization

Cookies allow the application to store information about the user�s preferences
Suppose a user comes to the Yahoo site, but doesn't want to see any sports news
User creates a personalized version of Yahoo by filling out a form with his preferences
Subsequently, her preferences will be sent to the server until the cookie expires

Using Cookies - Web Site Tracking

Cookies can be used to associate a unique, persistent id with the user
Suppose you want to get more accurate counts of the number of site visitors
Cookies allow you to distinguish 50 unique visitors from one visitor hitting the reload button 50 times

Using Cookies - Targeted Marketing

Cookies can be used to build up a profile of what pages you visit (e.g., this is what DoubleClick does)
This profile can then be used to target advertisements at you (e.g. banner ads)
Companies also use cookies to record which advertisements have been displayed already

Setting Cookies

Create a cookie by adding a special field to the HTTP header

Set-Cookie: id=107-5364765-8343766; 
    domain=.amazon.com; 
    path=/exec/obidos;
    expires: Web, 28-Feb-2001, 12:00:00 GMT

Cookie Parameters

Name
Name given to the cookie
Value
Value assigned to the cookie
Domain
Cookie will only be returned to URLs within this domain
Expires
Date and time the cookie expires (default is now)
Path
Cookie will only be returned to URLs starting with this path
Secure
Cookie will only be returned if https is used

Setting a Cookie with CGI.pm

CGI.pm supports cookies through the cookie() method

my $cookie = $q->cookie(
    -name    => "id",
    -value   => "107-5364765-8343766",
    -domain  => ".amazon.com",
    -expires => "+1d");

Getting a Cookie

Cookies are sent to the server via the Cookie field
```
Cookie: id=107-5364765-8343766
```
Scripts can access the contents of cookies through the HTTP_COOKIE environment variable
Multiple cookies are separated by a semicolon
```
name1=value1;name2=value2;...;nameN=valueN
```

Getting a Cookie from a Script

CGI.pm returns the first value of a cookie given its name
```
 my $id = $q->cookie("id");
```

In order to get the values of cookies with multiple values, you need to extract them yourself

if ($ENV{HTTP_COOKIE}) {
   @cookies = split(/;/, $ENV{HTTP_COOKIE});
   foreach $cookie (@cookies) {
     ($name, $value) = split(/=/, $cookie);
     $crumbs{$name} = $value;
   } 
}

Using a Database

Store all session information in cookies has obvious disadvantages
- Information disappears if the user accidentally deletes the cookie from the browser
- Users can see what information we store about them
Instead you would only send a cookie with a session identifier
The actual session information should be stored in a database, using the user identifier is used as a key, or in a file

Returning, one last time, to our Tennis Shoppe example

sub save_state {
    my $q = shif;
    my $cart = cart_filename($id);
    
    # code left out to deal with denial
    # of service attacks (see book)
    
    open FILE, ">$cart" || 
        die "cannot write to $cart";
    $q->save(\*FILE);
    close FILE;
}

Readings

For the next session, read Chapter 8 (Security) in CGI Programming with Perl