minimal session management for single login?_问答_开发者

minimal session management for single login?

开发者 https://www.devze.com 2023-02-14 20:23 出处：网络

I\'ve written a C/CGI web application for booking items. My client has requested that I add an \'admin\' feature where an authorised user can delete and change data, and those who aren\'t, can only ad

相关专题：c cgi session

I've written a C/CGI web application for booking items. My client has requested that I add an 'admin' feature where an authorised user can delete and change data, and those who aren't, can only add data. It is much simpler in concept than most login implementations as there is only a password, and effectively only two states, 'anonymous' and 'admin'.

I come from a PHP background where session management is as simple as session_start(), and I can instantly play around with $_SESSION. Of course, in C/CGI there is nothing built-in like that. I would like to avoid adding a CGI library dependency (I already depend on glib, confuse and libmys开发者_运维技巧qlclient, plus I'm curious to learn about session management).

What is the simplest way to do a password-based session management in C/CGI, without the need for multiple users, large amounts of session data, or anything complex?

A session implies server side maintained state. As you don't have users I guess you want it simpler. If that is the case a signed cookie with an expiration date can do it. This tutorial will show how to do it with Python:

http://webpython.codepoint.net/cgi_cookie

First you have to decide how you are going to persist state in the browser : are you going to use a session cookie or pass a session token on each page ? If you go with the cookie way, you don't have to change your pages and forms, but you need to add cookie management if it's not already present (be careful to use session + httpOnly cookies)

Then you must decide how to get data about the state on the server : if you're already using a database, you could add a "SESSION" table with columns "SESSION_ID" and "EXPIRATION_DATE" + a second table called "SESSION_DATA" with columns "SESSION_ID", "KEY", "VALUE".

You now "just" have to create some simple functions :

int session_createNewSession(long& session_id, long duration)
int session_setValue(long session, char[] key, char[] value)
int session_getValue(long session, char[] key, char[] value)
int session_abandonSession(long session)

This functions would return error codes if session could not be created, or value could not be set/get. You should also probably create a job that runs regularly on the database to delete older sessions.

Now that you have your session system in place, the rest is pretty straightforward :

create a login form
in your cgi handle the received data by checking if the login/password is right (don't store the passwords in the db though : store a salted hash)
if connexion is OK, save the user id in session (or in your case, you could just save a "IsAdmin" value)

You could do in fact simpler : just a session_createNewSession(long& session_id, int isAdmin) would be sufficient in your case (with only one database table), but your client is probably going to ask more features over time isn't he ?

One final note : be careful that your session_id's are random, not indent fields, otherwise it would be quite simple to hijack someone else's session.