Handling sessions in Mojolicious

I'm a person who has never made a web application properly, so I'm afraid about the security of web applications. Mojolicious has a method called session, and I believed that this was session management in a web application, but I felt that it had nothing to do with it.

It's likely that I was misunderstanding because of the name of the method called session. Mojolicious's session management function is said to be poor, but I've been wondering if Mojolicious doesn't have a session management function in the first place.

The session method is a simple mechanism for simply storing the value in a cookie, and since it is signed by HMAC, tampering can be detected reliably.

$c->session(name =>'kimoto');

So the data stored in the cookie is just Base64 encoded JSON, not encrypted. Therefore, the data is completely visible.

However, because it is signed by HMAC, it can reliably detect tampering even through untrusted routes.

Even if you use the session method, it will not be encrypted. Falsification can be detected.

To prevent tampering, it is important to change the secret value properly, not the default setting.

$app->secret('#! =%JOLFIS # jf438nfj');

If it has been tampered with, the cookie value will be discarded.

What kind of data can be saved in session

The first is unimportant data that may be seen. Data that would be inconvenient to see should not be saved using the session method as it is not encrypted. Save the data that you don't want to see on the server side.

The second is the session ID. This is conditional and unique. It seems that security cannot be maintained once the session ID is reused.

So, in some module, use a module that will generate a session ID that will be unique to your application.

#Generation of session ID (uniqueness)
my $session_id = Some::Module->new->create_session_id;

#Save session ID in signed cookie
$c->session(session_id => $session_id);

# Data that may be seen may be saved in session
$c->session(display =>'light');

#For data that should not be seen, go to the database etc.
$dbi->insert({user_id => $user_id, age => 19});

Addition

The session can be stolen, but that's nothing more than storing the session ID in a cookie. Let's deal with this by setting a shorter session expiration date.

Save data to session

To save the data in the current session, use the session method of the Mojolicious::Controller class. You do not need to create a session ID because the session ID is issued automatically internally. If you save the data in the session, you can retrieve the saved data when requested by the same user.

#Save data
$c->session(name =>'Ken');
$c->session(age => 19);

#Getting data
my $name = $c->session('name');
my $age = $c->session('age');

Note that Mojolicious sessions are implemented using cookies, and the maximum cookie size is 4096 bytes. This means that you cannot store more bytes of data.

This is a sample of Mojolicious::Lite.

#Mojolicious::Lite
get'/' => sub {
  my $self = shift;
  $self->session(name =>'Ken');
};;

This is a sample of Mojolicious.

#Mojolicious
package MyApp::Login;

use Mojo::Base'Mojolicious::Controller';

sub default {
  my $self = shift;
  $self->session(name =>'Ken');
}

Discard the current session

To destroy the current session, set expires to "1" in the session method of the Mojolicious::Controller class.

$c->session(expires => 1);

This is a sample of Mojolicious::Lite. During the logout process, the session is destroyed and redirected to the URL "/ login".

#Mojolicious::Lite
get'/ logout' => sub {
  my $self = shift;
  $self->session(expires => 1);
  $self->redirect_to('/ login');
};;

This is a sample of Mojolicious.

#Mojolicious
package MyApp::Logout;

use Mojo::Base'Mojolicious::Controller';

sub default {
  my $self = shift;
  $self->session(expires => 1);
  $self->redirect_to('/ login');
}

Save data to flash

To save data to flash, use the flash method of the Mojolicious::Controller class. A flash is a session that is inherited only by the next request. It is used when you want to save the data only for the next request, for example when redirecting.

#Save data
$c->flash(name =>'Ken');
$c->flash(age => 19);

#Getting data
my $name = $c->flash('name');
my $age = $c->flash('age');

This is a sample of Mojolicious::Lite.

#Mojolicious::Lite
get'/' => sub {
  my $self = shift;
  $self->flash(name =>'Ken');
};;

This is a sample of Mojolicious.

#Mojolicious
package MyApp::Login;

use Mojo::Base'Mojolicious::Controller';

sub default {
  my $self = shift;
  $self->flash(name =>'Ken');
}

Associated Information