1CGI::Session(3) User Contributed Perl Documentation CGI::Session(3)
2
6 CGI::Session - persistent session data in CGI applications
7
9 # Object initialization:
10 use CGI::Session;
11 $session = new CGI::Session();
12 $CGISESSID = $session->id();
14 # Send proper HTTP header with cookies:
16 print $session->header();
17 # Storing data in the session:
19 $session->param('f_name', 'Sherzod');
20 # or
21 $session->param(-name=>'l_name', -value=>'Ruzmetov');
22 # Flush the data from memory to the storage driver at least before your
24 # program finishes since auto-flushing can be unreliable.
25 # Warning: A bug in your logic whereby the DBI handle has gone
26 # out of scope before flush() is called means flush() won't work
27 # (when the session is a database session), so don't do that.
28 $session->flush();
29 # Retrieving data:
31 my $f_name = $session->param('f_name');
32 # or
33 my $l_name = $session->param(-name=>'l_name');
34 # Clearing a certain session parameter:
36 $session->clear(["l_name", "f_name"]);
37 # Expire '_is_logged_in' flag after 10 idle minutes:
39 $session->expire('is_logged_in', '+10m')
40 # Expire the session itself after 1 idle hour:
42 $session->expire('+1h');
43 # Delete the session for good:
45 $session->delete();
46 $session->flush(); # Recommended practice says use flush() after delete().
47
49 CGI-Session is a Perl5 library that provides an easy, reliable and
50 modular session management system across HTTP requests. Persistency is
51 a key feature for such applications as shopping carts,
52 login/authentication routines, and application that need to carry data
53 across HTTP requests. CGI::Session does that and many more.
54
56 As mentioned above in the Synopsis, auto-flushing can be unreliable.
57 Consequently, you should regard it as mandatory that sessions always
59 need to be explicitly flushed before the program exits.
60 For instance, in a "CGI::Application"-based program, "sub teardown()"
62 would be the appropriate place to do this.
63 This is all part of what might be called "Object life-cycle 'v' Program
65 life-cycle".
66 In the simplest case the program has one object of type CGI::Session,
68 and that object is destroyed when the program exits.
69 If, however, you wish to delete objects explicitly, then each call to
71 "delete()" should be followed by a call to "flush()".
72 Warning: A bug in your logic whereby the DBI handle has gone out out of
74 scope before flush() is called means flush() won't work (when the
75 session is a database session), so don't do that.
76 For more detail, see the discussion of the "delete()" method, below.
78
80 Trying to use UTF8 in a program which uses CGI::Session has lead to
81 problems. See RT#21981 and RT#28516.
82 In the first case the user tried "use encoding 'utf8';" in the program,
84 and in the second case the user tried "$dbh->do(qq|set names
85 'utf8'|);".
86 Until this problem is understood and corrected, users are advised to
88 avoid UTF8 in conjunction with CGI::Session.
89 For details, see: http://rt.cpan.org/Public/Bug/Display.html?id=28516
91 (and ...id=21981).
92
94 This document is also available in Japanese.
95 o Translation based on 4.14:
97 http://digit.que.ne.jp/work/index.cgi?Perldoc/ja
98 o Translation based on 3.11, including Cookbook and Tutorial:
100 http://perldoc.jp/docs/modules/CGI-Session-3.11/
101
103 Current manual is optimized to be used as a quick reference. To learn
104 more both about the philosophy and CGI::Session programming style,
105 consider the following:
106 · CGI::Session::Tutorial - extended CGI::Session manual. Also
108 includes library architecture and driver specifications.
109 · We also provide mailing lists for CGI::Session users. To subscribe
111 to the list or browse the archives visit
112 https://lists.sourceforge.net/lists/listinfo/cgi-session-user
113 · RFC 2965 - "HTTP State Management Mechanism" found at
115 ftp://ftp.isi.edu/in-notes/rfc2965.txt
116 · CGI - standard CGI library
118 · Apache::Session - another fine alternative to CGI::Session.
120
122 Following is the overview of all the available methods accessible via
123 CGI::Session object.
124 new()
126 new( $sid )
127 new( $query )
128 new( $dsn, $query||$sid )
129 new( $dsn, $query||$sid, \%dsn_args )
130 new( $dsn, $query||$sid, \%dsn_args, \%session_params )
131 Constructor. Returns new session object, or undef on failure. Error
132 message is accessible through errstr() - class method. If called on an
133 already initialized session will re-initialize the session based on
134 already configured object. This is only useful after a call to load().
135 Can accept up to three arguments, $dsn - Data Source Name, $query||$sid
137 - query object OR a string representing session id, and finally,
138 \%dsn_args, arguments used by $dsn components.
139 If called without any arguments, $dsn defaults to
141 driver:file;serializer:default;id:md5, $query||$sid defaults to
142 "CGI->new()", and "\%dsn_args" defaults to undef.
143 If called with a single argument, it will be treated either as $query
145 object, or $sid, depending on its type. If argument is a string ,
146 "new()" will treat it as session id and will attempt to retrieve the
147 session from data store. If it fails, will create a new session id,
148 which will be accessible through id() method. If argument is an object,
149 cookie() and param() methods will be called on that object to recover a
150 potential $sid and retrieve it from data store. If it fails, "new()"
151 will create a new session id, which will be accessible through id()
152 method. "name()" will define the name of the query parameter and/or
153 cookie name to be requested, defaults to CGISESSID.
154 If called with two arguments first will be treated as $dsn, and second
156 will be treated as $query or $sid or undef, depending on its type. Some
157 examples of this syntax are:
158 $s = CGI::Session->new("driver:mysql", undef);
160 $s = CGI::Session->new("driver:sqlite", $sid);
161 $s = CGI::Session->new("driver:db_file", $query);
162 $s = CGI::Session->new("serializer:storable;id:incr", $sid);
163 # etc...
164 Briefly, "new()" will return an initialized session object with a valid
166 id, whereas "load()" may return an empty session object with an
167 undefined id.
168 Tests are provided (t/new_with_undef.t and t/load_with_undef.t) to
170 clarify the result of calling "new()" and "load()" with undef, or with
171 an initialized CGI object with an undefined or fake CGISESSID.
172 You are strongly advised to run the old-fashioned 'make test
174 TEST_FILES=t/new_with_undef.t TEST_VERBOSE=1' or the new-fangled 'prove
175 -v t/new_with_undef.t', for both new*.t and load*.t, and examine the
176 output.
177 Following data source components are supported:
179 · driver - CGI::Session driver. Available drivers are file, db_file,
181 mysql and sqlite. Third party drivers are welcome. For driver specs
182 consider CGI::Session::Driver
183 · serializer - serializer to be used to encode the data structure
185 before saving in the disk. Available serializers are storable,
186 freezethaw and default. Default serializer will use Data::Dumper.
187 · id - ID generator to use when new session is to be created.
189 Available ID generator is md5
190 For example, to get CGI::Session store its data using DB_File and
192 serialize data using FreezeThaw:
193 $s = new CGI::Session("driver:DB_File;serializer:FreezeThaw", undef);
195 If called with three arguments, first two will be treated as in the
197 previous example, and third argument will be "\%dsn_args", which will
198 be passed to $dsn components (namely, driver, serializer and id
199 generators) for initialization purposes. Since all the $dsn components
200 must initialize to some default value, this third argument should not
201 be required for most drivers to operate properly.
202 If called with four arguments, the first three match previous examples.
204 The fourth argument must be a hash reference with parameters to be used
205 by the CGI::Session object. (see \%session_params above )
206 The following is a list of the current keys:
208 · name - Name to use for the cookie/query parameter name. This
210 defaults to CGISESSID. This can be altered or accessed by the
211 "name" accessor.
212 undef is acceptable as a valid placeholder to any of the above
214 arguments, which will force default behavior.
215 load()
217 load( $query||$sid )
218 load( $dsn, $query||$sid )
219 load( $dsn, $query, \%dsn_args )
220 load( $dsn, $query, \%dsn_args, \%session_params )
221 Accepts the same arguments as new(), and also returns a new session
222 object, or undef on failure. The difference is, new() can create a new
223 session if it detects expired and non-existing sessions, but "load()"
224 does not.
225 "load()" is useful to detect expired or non-existing sessions without
227 forcing the library to create new sessions. So now you can do something
228 like this:
229 $s = CGI::Session->load() or die CGI::Session->errstr();
231 if ( $s->is_expired ) {
232 print $s->header(),
233 $cgi->start_html(),
234 $cgi->p("Your session timed out! Refresh the screen to start new session!")
235 $cgi->end_html();
236 exit(0);
237 }
238 if ( $s->is_empty ) {
240 $s = $s->new() or die $s->errstr;
241 }
242 Notice: All expired sessions are empty, but not all empty sessions are
244 expired!
245 Briefly, "new()" will return an initialized session object with a valid
247 id, whereas "load()" may return an empty session object with an
248 undefined id.
249 Tests are provided (t/new_with_undef.t and t/load_with_undef.t) to
251 clarify the result of calling "new()" and "load()" with undef, or with
252 an initialized CGI object with an undefined or fake CGISESSID.
253 You are strongly advised to run the old-fashioned 'make test
255 TEST_FILES=t/new_with_undef.t TEST_VERBOSE=1' or the new-fangled 'prove
256 -v t/new_with_undef.t', for both new*.t and load*.t, and examine the
257 output.
258 id()
260 Returns effective ID for a session. Since effective ID and claimed ID
261 can differ, valid session id should always be retrieved using this
262 method.
263 param($name)
265 param(-name=>$name)
266 Used in either of the above syntax returns a session parameter set to
267 $name or undef if it doesn't exist. If it's called on a deleted method
268 param() will issue a warning but return value is not defined.
269 param($name, $value)
271 param(-name=>$name, -value=>$value)
272 Used in either of the above syntax assigns a new value to $name
273 parameter, which can later be retrieved with previously introduced
274 param() syntax. $value may be a scalar, arrayref or hashref.
275 Attempts to set parameter names that start with _SESSION_ will trigger
277 a warning and undef will be returned.
278 param_hashref()
280 Deprecated. Use dataref() instead.
281 dataref()
283 Returns reference to session's data table:
284 $params = $s->dataref();
286 $sid = $params->{_SESSION_ID};
287 $name= $params->{name};
288 # etc...
289 Useful for having all session data in a hashref, but too risky to
291 update.
292 save_param()
294 save_param($query)
295 save_param($query, \@list)
296 Saves query parameters to session object. In other words, it's the same
297 as calling param($name, $value) for every single query parameter
298 returned by "$query->param()". The first argument, if present, should
299 be either CGI object or any object which can provide param() method. If
300 it's undef, defaults to the return value of query(), which returns
301 "CGI->new". If second argument is present and is a reference to an
302 array, only those query parameters found in the array will be stored in
303 the session. undef is a valid placeholder for any argument to force
304 default behavior.
305 load_param()
307 load_param($query)
308 load_param($query, \@list)
309 Loads session parameters into a query object. The first argument, if
310 present, should be query object, or any other object which can provide
311 param() method. If second argument is present and is a reference to an
312 array, only parameters found in that array will be loaded to the query
313 object.
314 clear()
316 clear('field')
317 clear(\@list)
318 Clears parameters from the session object.
319 With no parameters, all fields are cleared. If passed a single
321 parameter or a reference to an array, only the named parameters are
322 cleared.
323 flush()
325 Synchronizes data in memory with the copy serialized by the driver.
326 Call flush() if you need to access the session from outside the current
327 session object. You should at least call flush() before your program
328 exits.
329 As a last resort, CGI::Session will automatically call flush for you
331 just before the program terminates or session object goes out of scope.
332 This automatic behavior was the recommended behavior until the 4.x
333 series. Automatic flushing has since proven to be unreliable, and in
334 some cases is now required in places that worked with 3.x. For further
335 details see:
336 http://rt.cpan.org/Ticket/Display.html?id=17541
338 http://rt.cpan.org/Ticket/Display.html?id=17299
339 Consequently, always explicitly calling "flush()" on the session before
341 the program exits should be regarded as mandatory until this problem is
342 rectified.
343 Warning: A bug in your logic whereby the DBI handle has gone out out of
345 scope before flush() is called means flush() won't work (when the
346 session is a database session), so don't do that.
347 atime()
349 Read-only method. Returns the last access time of the session in
350 seconds from epoch. This time is used internally while auto-expiring
351 sessions and/or session parameters.
352 ctime()
354 Read-only method. Returns the time when the session was first created
355 in seconds from epoch.
356 expire()
358 expire($time)
359 expire($param, $time)
360 Sets expiration interval relative to atime().
361 If used with no arguments, returns the expiration interval if it was
363 ever set. If no expiration was ever set, returns undef. For backwards
364 compatibility, a method named "etime()" does the same thing.
365 Second form sets an expiration time. This value is checked when
367 previously stored session is asked to be retrieved, and if its
368 expiration interval has passed, it will be expunged from the disk
369 immediately. Passing 0 cancels expiration.
370 By using the third syntax you can set the expiration interval for a
372 particular session parameter, say ~logged-in. This would cause the
373 library call clear() on the parameter when its time is up. Note it only
374 makes sense to set this value to something earlier than when the whole
375 session expires. Passing 0 cancels expiration.
376 All the time values should be given in the form of seconds. Following
378 keywords are also supported for your convenience:
379 +-----------+---------------+
381 | alias | meaning |
382 +-----------+---------------+
383 | s | Second |
384 | m | Minute |
385 | h | Hour |
386 | d | Day |
387 | w | Week |
388 | M | Month |
389 | y | Year |
390 +-----------+---------------+
391 Examples:
393 $session->expire("2h"); # expires in two hours
395 $session->expire(0); # cancel expiration
396 $session->expire("~logged-in", "10m"); # expires '~logged-in' parameter after 10 idle minutes
397 Note: all the expiration times are relative to session's last access
399 time, not to its creation time. To expire a session immediately, call
400 delete(). To expire a specific session parameter immediately, call
401 clear([$name]).
402 is_new()
404 Returns true only for a brand new session.
405 is_expired()
407 Tests whether session initialized using load() is to be expired. This
408 method works only on sessions initialized with load():
409 $s = CGI::Session->load() or die CGI::Session->errstr;
411 if ( $s->is_expired ) {
412 die "Your session expired. Please refresh";
413 }
414 if ( $s->is_empty ) {
415 $s = $s->new() or die $s->errstr;
416 }
417 is_empty()
419 Returns true for sessions that are empty. It's preferred way of testing
420 whether requested session was loaded successfully or not:
421 $s = CGI::Session->load($sid);
423 if ( $s->is_empty ) {
424 $s = $s->new();
425 }
426 Actually, the above code is nothing but waste. The same effect could've
428 been achieved by saying:
429 $s = CGI::Session->new( $sid );
431 is_empty() is useful only if you wanted to catch requests for expired
433 sessions, and create new session afterwards. See is_expired() for an
434 example.
435 delete()
437 Deletes a session from the data store and empties session data from
438 memory, completely, so subsequent read/write requests on the same
439 object will fail. Technically speaking, though, it will only set the
440 object's status to STATUS_DELETED.
441 The intention is that in due course (of the program's execution) this
443 will trigger flush(), and flush() will do the actual removal.
444 However: Auto-flushing can be unreliable, and always explicitly calling
446 "flush()" on the session after "delete()" should be regarded as
447 mandatory until this problem is rectified.
448 Warning: A bug in your logic whereby the DBI handle has gone out out of
450 scope before flush() is called means flush() won't work (when the
451 session is a database session), so don't do that.
452 find( \&code )
454 find( $dsn, \&code )
455 find( $dsn, \&code, \%dsn_args )
456 Experimental feature. Executes \&code for every session object stored
457 in disk, passing initialized CGI::Session object as the first argument
458 of \&code. Useful for housekeeping purposes, such as for removing
459 expired sessions. Following line, for instance, will remove sessions
460 already expired, but are still in disk:
461 The following line, for instance, will remove sessions already expired,
463 but which are still on disk:
464 CGI::Session->find( sub {} );
466 Notice, above \&code didn't have to do anything, because load(), which
468 is called to initialize sessions inside find(), will automatically
469 remove expired sessions. Following example will remove all the objects
470 that are 10+ days old:
471 CGI::Session->find( \&purge );
473 sub purge {
474 my ($session) = @_;
475 next if $session->is_empty; # <-- already expired?!
476 if ( ($session->ctime + 3600*240) <= time() ) {
477 $session->delete() or warn "couldn't remove " . $session->id . ": " . $session->errstr;
478 }
479 }
480 Note: find will not change the modification or access times on the
482 sessions it returns.
483 Explanation of the 3 parameters to "find()":
485 $dsn
487 This is the DSN (Data Source Name) used by CGI::Session to control
488 what type of sessions you previously created and what type of
489 sessions you now wish method "find()" to pass to your callback.
490 The default value is defined above, in the docs for method "new()",
492 and is 'driver:file;serializer:default;id:md5'.
493 Do not confuse this DSN with the DSN arguments mentioned just
495 below, under \%dsn_args.
496 \&code
498 This is the callback provided by you (i.e. the caller of method
499 "find()") which is called by CGI::Session once for each session
500 found by method "find()" which matches the given $dsn.
501 There is no default value for this coderef.
503 When your callback is actually called, the only parameter is a
505 session. If you want to call a subroutine you already have with
506 more parameters, you can achieve this by creating an anonymous
507 subroutine that calls your subroutine with the parameters you want.
508 For example:
509 CGI::Session->find($dsn, sub { my_subroutine( @_, 'param 1', 'param 2' ) } );
511 CGI::Session->find($dsn, sub { $coderef->( @_, $extra_arg ) } );
512 Or if you wish, you can define a sub generator as such:
514 sub coderef_with_args {
516 my ( $coderef, @params ) = @_;
517 return sub { $coderef->( @_, @params ) };
518 }
519 CGI::Session->find($dsn, coderef_with_args( $coderef, 'param 1', 'param 2' ) );
521 \%dsn_args
523 If your $dsn uses file-based storage, then this hashref might
524 contain keys such as:
525 {
527 Directory => Value 1,
528 NoFlock => Value 2,
529 UMask => Value 3
530 }
531 If your $dsn uses db-based storage, then this hashref contains (up
533 to) 3 keys, and looks like:
534 {
536 DataSource => Value 1,
537 User => Value 2,
538 Password => Value 3
539 }
540 These 3 form the DSN, username and password used by DBI to control
542 access to your database server, and hence are only relevant when
543 using db-based sessions.
544 The default value of this hashref is undef.
546 Note: find() is meant to be convenient, not necessarily efficient. It's
548 best suited in cron scripts.
549
551 remote_addr()
552 Returns the remote address of the user who created the session for the
553 first time. Returns undef if variable REMOTE_ADDR wasn't present in the
554 environment when the session was created.
555 errstr()
557 Class method. Returns last error message from the library.
558 dump()
560 Returns a dump of the session object. Useful for debugging purposes
561 only.
562 header()
564 Replacement for CGI.pm's header() method. Without this method, you
565 usually need to create a CGI::Cookie object and send it as part of the
566 HTTP header:
567 $cookie = CGI::Cookie->new(-name=>$session->name, -value=>$session->id);
569 print $cgi->header(-cookie=>$cookie);
570 You can minimize the above into:
572 print $session->header();
574 It will retrieve the name of the session cookie from "$session-"name()>
576 which defaults to $CGI::Session::NAME. If you want to use a different
577 name for your session cookie, do something like following before
578 creating session object:
579 CGI::Session->name("MY_SID");
581 $session = new CGI::Session(undef, $cgi, \%attrs);
582 Now, $session->header() uses "MY_SID" as a name for the session cookie.
584 query()
586 Returns query object associated with current session object. Default
587 query object class is CGI.pm.
588 DEPRECATED METHODS
590 These methods exist solely for for compatibility with CGI::Session 3.x.
591 close()
593 Closes the session. Using flush() is recommended instead, since that's
595 exactly what a call to close() does now.
596
598 CGI::Session consists of several components such as drivers,
599 serializers and id generators. This section lists what is available.
600 DRIVERS
602 Following drivers are included in the standard distribution:
603 · file - default driver for storing session data in plain files. Full
605 name: CGI::Session::Driver::file
606 · db_file - for storing session data in BerkelyDB. Requires: DB_File.
608 Full name: CGI::Session::Driver::db_file
609 · mysql - for storing session data in MySQL tables. Requires DBI and
611 DBD::mysql. Full name: CGI::Session::Driver::mysql
612 · sqlite - for storing session data in SQLite. Requires DBI and
614 DBD::SQLite. Full name: CGI::Session::Driver::sqlite
615 SERIALIZERS
617 · default - default data serializer. Uses standard Data::Dumper.
618 Full name: CGI::Session::Serialize::default.
619 · storable - serializes data using Storable. Requires Storable. Full
621 name: CGI::Session::Serialize::storable.
622 · freezethaw - serializes data using FreezeThaw. Requires FreezeThaw.
624 Full name: CGI::Session::Serialize::freezethaw
625 · yaml - serializes data using YAML. Requires YAML or YAML::Syck.
627 Full name: CGI::Session::Serialize::yaml
628 ID GENERATORS
630 Following ID generators are available:
631 · md5 - generates 32 character long hexadecimal string. Requires
633 Digest::MD5. Full name: CGI::Session::ID::md5.
634 · incr - generates incremental session ids.
636 · static - generates static session ids. CGI::Session::ID::static
638
640 CGI::Session evolved to what it is today with the help of following
641 developers. The list doesn't follow any strict order, but somewhat
642 chronological. Specifics can be found in Changes file
643 Andy Lester
645 Brian King <mrbbking@mac.com>
646 Olivier Dragon <dragon@shadnet.shad.ca>
647 Adam Jacob <adam@sysadminsith.org>
648 Igor Plisco <igor@plisco.ru>
649 Mark Stosberg
650 Matt LeBlanc <mleblanc@cpan.org>
651 Shawn Sorichetti
652
654 Copyright (C) 2001-2005 Sherzod Ruzmetov <sherzodr@cpan.org>. All
655 rights reserved. This library is free software. You can modify and or
656 distribute it under the same terms as Perl itself.
657
659 You can see what the developers have been up to since the last release
660 by checking out the code repository. You can browse the Subversion
661 repository from here:
662 http://svn.cromedome.net/repos/CGI-Session
664 Or check it directly with "svn" from here:
666 https://svn.cromedome.net/repos/CGI-Session
668
670 If you need help using CGI::Session consider the mailing list. You can
671 ask the list by sending your questions to
672 cgi-session-user@lists.sourceforge.net .
673 You can subscribe to the mailing list at
675 https://lists.sourceforge.net/lists/listinfo/cgi-session-user .
676 Bug reports can be submitted at
678 http://rt.cpan.org/NoAuth/ReportBug.html?Queue=CGI-Session
679
681 Sherzod Ruzmetov <sherzodr@cpan.org>, http://author.handalak.com/
682 Mark Stosberg became a co-maintainer during the development of 4.0.
684 "markstos@cpan.org". Ron Savage became a co-maintainer during the
685 development of 4.30. "rsavage@cpan.org".
686
688 · CGI::Session::Tutorial - extended CGI::Session manual
689 · RFC 2965 - "HTTP State Management Mechanism" found at
691 ftp://ftp.isi.edu/in-notes/rfc2965.txt
692 · CGI - standard CGI library
694 · Apache::Session - another fine alternative to CGI::Session
696perl v5.16.3 2014-06-10 CGI::Session(3)