Jiho Noh - 2 months ago

Perl CGI::Session permission issues

I have a website which runs in Perl cgi files. When a user logs in it creates a new session using Perl CGI::Session.

The problem comes from accessing two duplicated websites located under different user directories. For example, www.abc.edu/~AAA/project/ and www.abc.edu/~BBB/project/

These are exactly the same website on the same machine, so they share the same /tmp directory.

When I log in to AAA's website (~AAA/project/*), it creates a session cookie on my computer, in which the domain name is abc.edu. Then it creates session information in the /tmp directory which is owned by 'AAA', because the owner of the script is supposed to be 'AAA'.

Then if I access BBB's website (~BBB/project/*), it tries to use the session info stored on my computer because the domain name is the same. However, because the session info stored in /tmp is owned by 'AAA', it cannot read or write the session information.

[edit] This is like A/B testing websites, and I agree that they should not share the sessions information.

I am thinking that the session information stored in /tmp should be readable and writable by anyone in this case to resolve the issues.

[edit] I realized the security issues that @simbabque pointed out, and I also found that the -path parameter of session cookies can be used to differentiate those two groups of users. So now my question is: what if I indeed want to use a common authentication system between those two websites? How can I share the session information without causing security issues? What is the typical way to handle this A/B testing and shared authentication system? Thanks for your help.


I was planning to write a long answer with an example application, but after rereading your comments and the question I think the answer is rather simple:

If you intend to use one login mechanism and the site's users are aware of this, then there is no security concern. It's being done all the time. A lot of systems today are made up of more than just one program to form one application, and they need to do that.

If the ownership of the files in the temp directory is a problem because the applications run as different system users, then simply don't use files as the session storage. Use a database or a key/value-store for example.

Or you could put both users into the same group and make the files group-read-writable. There are a lot of solutions here.
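The answer's database suggestion in working form, as an added example that is not from the question or the answer: both copies of the CGI script keep their sessions in one SQLite file through CGI::Session's sqlite driver, so the per-user ownership of files in /tmp no longer matters. The database path, the group layout, the cookie path and the check_credentials() routine are assumptions; the domain abc.edu comes from the question.

```perl
#!/usr/bin/perl
# Added example (not from the question or answer): one CGI::Session store,
# in SQLite, shared by the ~AAA and ~BBB copies of the site.
use strict;
use warnings;
use CGI;
use CGI::Session;
use DBI;

# Assumed layout: one database file owned by a group that both system users
# belong to, mode 0660, so other local accounts on the shared host cannot read
# session data the way they could with world-writable files in /tmp.
my $SESSION_DB    = '/var/lib/shared-project/sessions.db';  # hypothetical path
my $COOKIE_DOMAIN = 'abc.edu';   # as in the question
my $COOKIE_PATH   = '/';         # deliberately shared by /~AAA/... and /~BBB/...

my $cgi = CGI->new;
my $dbh = DBI->connect("dbi:SQLite:dbname=$SESSION_DB", '', '',
                       { RaiseError => 1, AutoCommit => 1 });

# CGI::Session's DBI drivers expect a table with these two columns.
$dbh->do(q{
    CREATE TABLE IF NOT EXISTS sessions (
        id        CHAR(32) NOT NULL PRIMARY KEY,
        a_session TEXT     NOT NULL
    )
});

# Handle => $dbh makes the driver reuse our connection; nothing touches /tmp.
my %store = ( Handle => $dbh );

# Load the session named by the CGISESSID cookie in $cgi, or start a fresh one
# if the cookie is missing, expired or unknown.
my $session = CGI::Session->new('driver:sqlite', $cgi, \%store)
    or die CGI::Session->errstr;
$session->expire('+1h');

my ($user, $pass) = ($cgi->param('username'), $cgi->param('password'));
if (defined $user && defined $pass && check_credentials($user, $pass)) {
    # Rotate the session id at login: the id the browser held before
    # authenticating is discarded, so it cannot be replayed as a logged-in one.
    $session->delete;
    $session->flush;
    $session = CGI::Session->new('driver:sqlite', undef, \%store)
        or die CGI::Session->errstr;
    $session->expire('+1h');
    $session->param(user => $user);
}
$session->flush;   # write the session row before the response goes out

my $cookie = $cgi->cookie(
    -name     => $session->name,   # CGISESSID by default
    -value    => $session->id,
    -domain   => $COOKIE_DOMAIN,
    -path     => $COOKIE_PATH,
    -secure   => 1,
    -httponly => 1,
);
print $cgi->header(-type => 'text/html', -cookie => $cookie);

my $who = $session->param('user');
print defined $who
    ? '<p>Logged in as ' . $cgi->escapeHTML($who) . "</p>\n"
    : "<p>Not logged in</p>\n";

# Placeholder for the site's own password check; not part of CGI::Session.
sub check_credentials {
    my ($u, $p) = @_;
    return 0;   # replace with the real lookup
}
```

For the group-permission variant the answer mentions, the same script works unchanged: create the directory and database file owned by a group containing both AAA and BBB, set them to 0660, and nothing else on the host can read the session rows. If the two copies should stay isolated instead, set -path to the copy's own prefix (for example /~AAA/project/) and point each at its own database, which is the -path approach the question's edit describes.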