I'm currently in the process of writing a little blog / generic posting system using CGI in C as a hobby project and am now in need of a session management system to authenticate authorized users for posting, editing and similar operations over multiple CGI programs.

From working with PHP years ago I remember using the superglobal variable $_SESSION and some session initializing functions. Obviously this is not going to work this way when dealing with pure CGI, so I'm in a tricky situation here.

A bit of thinking showed that there are many different ways to do such a thing...

  1. Saving the IP address and attributes inside a file where I can see if a particular IP is authorized
  2. Same as #1 but using an SQLite database (my engine already runs on SQLite so there would be no additional overhead)
  3. Something with cookies maybe?

Instead of going all in and regretting it later... what do you good people think? What's the most efficient and (most importantly) the most maintainable method?

Please note that I do not want to get a third party library to do all the complicated things for me! I started this project to build something completely by myself (if you ignore SQLite here) and I don't want to hide the hard parts, even if it makes everything so much simpler. I could have just used Python if I didn't want to torture myself :)

+3  A: 

Cookie-based session management is the way to go. You cannot merely use an IP address, not even an IP address + browser combination, because that will fail when people are using a proxy or are behind NAT.

Just send the browser a hash in a cookie, then validate the hash against your record for the user; if it matches, you can then access the data for that user's session.

Consider adding an expiry mechanism for the hash. There is a trade-off between security and ease of use, because the longer the same hash is valid for the user, the longer the user is vulnerable to a cookie stealing attack.

Expiry mechanisms will also enable you to delete stale session data from your database (or file, if you so choose).

Vinko Vrsalovic
Thanks, I only need to decide where to save my sessions now... probably inside my SQLite DB, just for consistency.
LukeN
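The cookie-session scheme the answer describes, sketched as an added example in C (this is not code from the question or the answer): a random token goes out in a `Set-Cookie` header, each request's `HTTP_COOKIE` is parsed for it, and the token is compared in constant time against a stored row with an expiry. The session table here is an in-memory array standing in for the asker's SQLite table, and the 16 random bytes are supplied by the caller (a real CGI would read them from /dev/urandom); both are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>
#define TOKEN_LEN 32      /* 16 random bytes, hex encoded */
#define SESSION_TTL 1800  /* seconds a session stays valid */
#define MAX_SESSIONS 64
struct session { char token[TOKEN_LEN + 1]; char user[32]; time_t expires; };
static struct session table[MAX_SESSIONS];  /* stands in for the asker's SQLite table */

/* Mint a session from 16 caller-supplied random bytes (assumed read from /dev/urandom);
   expired rows are reclaimed here. Returns the hex token for the cookie, NULL if full. */
const char *session_create(const char *user, const unsigned char rnd[16], time_t now) {
    for (int i = 0; i < MAX_SESSIONS; i++) {
        struct session *s = &table[i]; if (s->expires > now) continue;   /* row still live */
        for (int j = 0; j < 16; j++) sprintf(s->token + 2 * j, "%02x", rnd[j]);
        snprintf(s->user, sizeof s->user, "%s", user);
        s->expires = now + SESSION_TTL;
        return s->token;
    }
    return NULL;
}

/* Extract name=value from an HTTP_COOKIE string such as "theme=dark; sid=ab12". */
static int cookie_get(const char *hdr, const char *name, char *out, size_t outlen) {
    size_t nlen = strlen(name);
    for (const char *p = hdr; p && *p; p = strchr(p, ';')) {
        while (*p == ';' || *p == ' ') p++;
        if (strncmp(p, name, nlen) != 0 || p[nlen] != '=') continue;
        const char *v = p + nlen + 1, *end = strchr(v, ';');
        size_t vlen = end ? (size_t)(end - v) : strlen(v);
        if (vlen >= outlen) return 0;              /* oversized value: reject */
        memcpy(out, v, vlen); out[vlen] = '\0';
        return 1;
    }
    return 0;
}

/* Validate the cookie: constant-time token compare plus expiry check. Returns the
   session's user, or NULL when there is no cookie, no matching row, or it has expired. */
const char *session_lookup(const char *cookie_hdr, time_t now) {
    char tok[TOKEN_LEN + 1] = {0};
    if (!cookie_hdr || !cookie_get(cookie_hdr, "sid", tok, sizeof tok)) return NULL;
    for (int i = 0; i < MAX_SESSIONS; i++) {
        unsigned char diff = 0;
        for (int j = 0; j < TOKEN_LEN; j++) diff |= (unsigned char)(tok[j] ^ table[i].token[j]);
        if (diff == 0 && table[i].expires > now) return table[i].user;
    }
    return NULL;
}

/* Header line the CGI program prints before the blank line that ends the headers. */
void emit_session_cookie(FILE *out, const char *token) {
    fprintf(out, "Set-Cookie: sid=%s; Path=/; Max-Age=%d; HttpOnly; Secure; SameSite=Strict\r\n", token, SESSION_TTL);
}
```

With SQLite the `table` array becomes a `sessions(token, user, expires)` table and `session_create` reuses or deletes rows whose `expires` is in the past.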