NAME

Plasp::State::Session - Role for $Session objects

SYNOPSIS

  package MyApp::Session;

  with 'Plasp::State::Session';

DESCRIPTION

The $Session object keeps track of user and web client state, in a persistent manner, making it relatively easy to develop web applications. The $Session state is stored across HTTP connections, in database files in the Global or StateDir directories, and will persist across web server restarts.

The user session is referenced by a 128-bit / 32-byte MD5 hex-hashed cookie, and can be considered secure from session id guessing or session hijacking. When a hacker fails to guess a session, the system times out for a second, and with 2**128 (3.4e38) keys to guess, a hacker will not be guessing an id any time soon.

If an incoming cookie matches a timed out or non-existent session, a new session is created with the incoming id. If the id matches a currently active session, the session is tied to it and returned. This is also similar to the Microsoft ASP implementation.
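The lookup rule described above, modelled as an added stand-alone Perl example (not Plasp's own code; the store layout, function names and timeout value are assumptions), next to a stricter variant that honours only ids the server already holds as active. It shows that under the described rule the id of a new session can be chosen by the client, which matters to the guessing estimate because that estimate covers server-generated ids.

```perl
# Added model of the session lookup rule; every name here is hypothetical.
use strict;
use warnings;
my $TIMEOUT = 20 * 60;    # assumed timeout in seconds, for this model only

# Server-generated id: 16 random bytes rendered as 32 hex characters (128 bits).
sub fresh_id {
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    read($fh, my $bytes, 16) == 16 or die "short read from urandom";
    close $fh;
    return unpack 'H*', $bytes;
}

sub is_active {
    my ($store, $id, $now) = @_;
    return defined $id && exists $store->{$id} && $store->{$id}{expires} > $now;
}

# Rule as described: an unknown or timed-out id becomes the id of a new, empty session.
sub resolve_documented {
    my ($store, $cookie_id, $now) = @_;
    my $id      = defined $cookie_id ? $cookie_id : fresh_id();
    my $resumed = is_active($store, $id, $now);
    $store->{$id} = { data => {} } unless $resumed;
    $store->{$id}{expires} = $now + $TIMEOUT;
    return ($id, $resumed ? 'resumed' : 'created');
}

# Stricter variant: only ids active in the store are honoured; anything else gets a fresh server id.
sub resolve_strict {
    my ($store, $cookie_id, $now) = @_;
    if (is_active($store, $cookie_id, $now)) {
        $store->{$cookie_id}{expires} = $now + $TIMEOUT;
        return ($cookie_id, 'resumed');
    }
    delete $store->{$cookie_id} if defined $cookie_id;
    my $id = fresh_id();
    $store->{$id} = { data => {}, expires => $now + $TIMEOUT };
    return ($id, 'created');
}

my $client_chosen = 'a' x 32;    # constructed sample cookie value, never issued by the server
for my $rule (\&resolve_documented, \&resolve_strict) {
    my %store;                   # empty store: the incoming id matches no session
    my ($id, $how) = $rule->(\%store, $client_chosen, time);
    printf "%s id=%s client_chosen_id_kept=%s\n", $how, $id, $id eq $client_chosen ? 'yes' : 'no';
}
```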

The $Session reference is a hash ref, and can be used as such to store data as in:

    $Session->{count}++;   # increment count by one
    %{$Session} = ();      # clear $Session data

The $Session object state is implemented through MLDBM, and a user should be aware of the limitations of MLDBM. Basically, you can read complex structures directly, but you cannot write to them directly:

  $data = $Session->{complex}{data};     # Read ok.
  $Session->{complex}{data} = $data;     # Write NOT ok.
  $Session->{complex} = {data => $data}; # Write ok, all at once.

Please see MLDBM for more information on this topic. $Session can also be used for the following methods and properties:

ATTRIBUTES

$Session->{CodePage}

Not implemented. May never be until someone needs it.

$Session->{LCID}

Not implemented. May never be until someone needs it.

$Session->{SessionID}

SessionID property, returns the id for the current session, which is exchanged between the client and the server as a cookie.

$Session->{Timeout} [= $minutes]

Timeout property. If minutes is assigned, it sets the default timeout for the user session; otherwise it returns the current session timeout.

If a user session is inactive for the full timeout, the session is destroyed by the system. No one can access the session after it times out, and the system garbage collects it eventually.

METHODS

$Session->Abandon()

The abandon method times out the session immediately. All Session data is cleared in the process, just as when any session times out.

$Session->Lock()

Not implemented. This is a no-op. This was meant to be for performance improvement, but it's not necessary.

$Session->UnLock()

Not implemented. This is a no-op. This was meant to be for performance improvement, but it's not necessary.

SEE ALSO