CGI::SecureState provides transparent, secure statefulness for CGI programs.
    use CGI::SecureState;

    my @memory = qw(param1 param2 other_params_to_remember);
    my $cgi = CGI::SecureState->new(-stateDir => "states",
                                    -mindSet  => 'forgetful',
                                    -memory   => \@memory);  # array reference, not a flattened list
    print $cgi->header(), $cgi->start_html;

    # state_url() is this script's URL carrying the session id;
    # state_param() is the name=value pair to append to another script's URL
    # (other_script.cgi stands for any script that shares the state directory).
    my $url   = $cgi->state_url();
    my $param = $cgi->state_param();
    print qq{<a href="$url">I am a stateful CGI session.</a>};
    print qq{<a href="other_script.cgi?$param">I am a different },
          qq{script that also has access to this session.</a>};
Very Important Note for Users of CGI::SecureState 0.2x
For those still using the 0.2x series, CGI::SecureState changed enormously between 0.26 and 0.30. Specifically, the addition of mindsets is so important that if you run your old scripts unchanged under CGI::SecureState 0.3x, you will receive nasty warnings (likely both in output web pages and your log files) that will tell you not to do so. Please do yourself a favor by re-reading this documentation, as this mysterious mindset business (as well as all the scrumptious new features) will be made clear.
Of course, any and all comments on the changes are welcome. If you are interested, send mail to firstname.lastname@example.org with the subject "CGI::SecureState Comment".
A Better Solution to the stateless problem.
HTTP is by nature a stateless protocol; as soon as the requested object is delivered, HTTP severs the object's connection to the client. HTTP retains no memory of the request details and does not relate subsequent requests with what it has already served.
There are a few methods available to deal with this problem, including forms and cookies, but most have problems themselves, including security issues (cookie stealing), browser support (cookie blocking), and painful implementations (forms).
CGI::SecureState solves this problem by storing session data in an encrypted state file on the server. CGI::SecureState is similar in purpose to CGI::Persistent (and retains much of the same user interface) but has a completely different implementation. For those of you who have worked with CGI::Persistent before, you will be pleased to learn that CGI::SecureState was designed to work with Perl's taint mode and has worked flawlessly with mod_perl and Apache::Registry for over two years. CGI::SecureState was also designed from the ground up for security, a fact which may rear its ugly head if anybody tries to do something tricksy.
Notes
· Crypt::Blowfish is currently the only cipher that CGI::SecureState uses. Change it at your own risk.
· CGI.pm has a tendency to set default values for form input fields that CGI::SecureState does NOT override. If this becomes problematic, use the -override setting when calling things like hidden().
· Changes have been made so that saving/recovering Unicode now appears to work (with Perl 5.8.0). This is still not guaranteed to work; if you have reports of problems or solutions, please let me know.
· As far as threading is concerned, CGI::SecureState (the actual module) is thread-safe as long as you provide it with an absolute path to the state file directory or if you do not change working directories in mid-stream. This does not mean that it is necessarily safe to use CGI::SecureState in an application with threads, as thread-safety may be compromised by either Crypt::Blowfish or Digest::SHA1. Check these modules to make sure that they are thread-safe before proceeding to use CGI::SecureState in an application with threads.
· Until I can do more tests, assume that there is precisely zero support for either threading or unicode. If you would like to report your own results, send me a note and I will see what I can do about them.
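A fuller script than the synopsis, added here as an example and not part of the module's own documentation: it keeps only the listed parameters in a 'forgetful' session, carries the session id through a form with hidden(-override), and links to a second script with state_param(). The state directory path, the report.cgi name and the idea that the state id can be submitted in a hidden field as well as in the URL are assumptions.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use CGI::SecureState;

# Assumed: an absolute path outside the web document root, so the
# encrypted state files are never served and (per the notes above)
# the module stays thread-safe if the working directory changes.
my $state_dir = '/var/lib/prefs-app/states';

# 'forgetful' mindset: only these parameters are carried between
# requests; every other parameter is dropped once this request ends.
my @memory = qw(username color);

my $cgi = CGI::SecureState->new(-stateDir => $state_dir,
                                -mindSet  => 'forgetful',
                                -memory   => \@memory);

print $cgi->header(), $cgi->start_html(-title => 'Preferences');

# Remembered values come back through the ordinary CGI.pm param() call.
my $user  = $cgi->param('username') || 'anonymous';
my $color = $cgi->param('color')    || 'unset';
print "<p>Hello $user, your colour is $color.</p>\n";

# The session has to ride along with the form (assumption: the module
# reads its id from a hidden field like any other parameter).  Without
# -override, CGI.pm would fill hidden() from the *current* parameter of
# that name instead of the value supplied here, which is the default-
# value behaviour the notes warn about.
my ($id_name, $id_value) = split /=/, $cgi->state_param, 2;
print $cgi->start_form(-method => 'POST'),
      $cgi->hidden(-name => $id_name, -value => $id_value, -override => 1),
      $cgi->hidden(-name => 'color',  -value => 'blue',    -override => 1),
      $cgi->textfield(-name => 'username'),
      $cgi->submit(-value => 'Save'),
      $cgi->end_form;

# Links that carry the session: state_url() points back at this script,
# state_param() is appended to another script's URL (report.cgi is assumed).
my $self_link  = $cgi->state_url;
my $other_link = 'report.cgi?' . $cgi->state_param;
print qq{<p><a href="$self_link">Reload</a> | },
      qq{<a href="$other_link">Report for this session</a></p>\n};

print $cgi->end_html;
```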
· Many previous limitations of CGI::SecureState have been removed in the 0.3x series.
Requirements
· Long file names (at least 27 characters): needed to ensure session authenticity.
· Crypt::Blowfish: it couldn't be called "Secure" without. At some point in the future, this requirement will be changed. Tested with versions 2.06, 2.09.
· Digest::SHA1: for super-strong (160 bit) hashing of data. It is used in key generation and filename generation. Tested with versions 1.03, 2.01.
· CGI.pm: it couldn't be called "CGI" without. Should not be a problem as it comes standard with Perl 5.004 and above. Tested with versions 2.56, 2.74, 2.79, 2.89.
· Fcntl: for file flags that are portable (like LOCK_SH and LOCK_EX). Comes with Perl. Tested with version 1.03.
· File::Spec: for concatenating directories and filenames in a portable way. Comes with Perl. Tested with version 0.82.
· Perl: Hmmm. Tested with stable releases from v5.005_03 to v5.8.0. There may be several bugs induced by lower versions of Perl, which are not limited to the failure to compile, the failure to behave properly, or the mysterious absence of your favorite pair of lemming slippers. The author is exempt from wrongdoing and liability, especially if you decide to use CGI::SecureState with a version of Perl less than 5.005_03.