How to delete a session in cgi-perl?

Question

I have a perl-cgi script through which I am trying to log in.

When the UserName and password are valid, I create a session and redirect a cookie to another page.

However, after the session expires(I have set the expiration time), I do not see it get deleted from the /tmp/sessions folder in this case. I have used the command to delete the session as well.

Can someone help me to delete the session once it expires? Also, does the cookie expire once the session is deleted?

        use CGI::Session;
        use CGI::Session::Tutorial;
        use CGI::Session::Driver::file; 
        use CGI::Cookie;

        my $session = new CGI::Session("driver:File", undef, {Directory=>"/tmp/sessions"});         
        my $sid = $session->id();           
        #my $cookie = $query->cookie(CGISESSID => $session->id);
        my $cookie = $query->cookie(-name=>"CGISESSID",
                        -value=>$session->id,
                        -domain=>'abc.com',
                        -expires=>"+5m",
                        -path=>"/");

        print $query->redirect(-uri => 'http://abc.cgi', -cookie => $cookie);
        $session->param("UserName", $loginUserName);
        $query->hidden( 'UserName', $loginUserName );

        $session->expire("UserName",'1m');
        $session->expire('+5m'); 
        $session->delete();

Answer 1

To avoid confusion with ->delete, I'm going to use the word "remove" instead of "delete" to refer to the removal of the session from storage.

---

Can someone help me to delete the session once it expires?

The removal doesn't happen when the session expires. That would require having a continually running process. Furthermore, at no point does CGI::Session scan storage for expired sessions; that would take too long since it would require loading each and every session. Instead, CGI::Session only removes expired sessions when you try to load them.

#!/usr/bin/perl
use strict;
use warnings qw( all );
use feature qw( say );

use CGI::Session               qw( );
use CGI::Session::Driver::file qw( );

my $session_id;   # This represents the browser's cookie.

# These represent requests made the by the browser.
for my $request_num (1..3) {
   my $session = CGI::Session->new("driver:file", $session_id, { Directory => "/tmp/sessions" });
   $session->expire("1s");
   $session_id = $session->id;  # This represents setting the browser's cookie.

   say "$request_num: ", $session->id;
   say "$request_num: ", $session->param("foo") // "[undef]";
   $session->param("foo" => "bar");

   # This represents time passing by before the third request.
   if ($request_num == 2) {
      say "Letting session expire...";
      sleep(2);
   }   
}

Output:

$ ./a
1: c57ab28952c6ed422c15f1a223f4b45d
1: [undef]
2: c57ab28952c6ed422c15f1a223f4b45d
2: bar
Letting session expire...
3: df8ba3b66f23a9a2a652520fa6b4c30b
3: [undef]

$ ls -1 /tmp/sessions
cgisess_df8ba3b66f23a9a2a652520fa6b4c30b

If you want to prevent files from accumulating on your drive, create a cron job that deletes old files.

find /tmp/sessions -mindepth 1 -maxdepth 1 -mtime 7 -delete

---

Also, does the cookie expire once the session is deleted?

No, the cookie expires when you tell it to expire. The thing is, it doesn't matter if the browser's cookie expires or not. For the second argument of new, there's no difference between passing undef, passing the id of a deleted session and passing the id of an expired session; you'll get a new session in all three cases. If anything, it's actually better if it doesn't expire as soon as the session expires because this allows the session to be removed (as demonstrated above).

---

How to delete a session in cgi-perl?

$session->delete is indeed the way to go, but the actual removal only happens when you would save (flush) the session.

$session->delete();
$session->flush();  # Or let `$session` get destroyed.

Answer 2

As the documentation notes

delete()

Sets the objects status to be "deleted". Subsequent read/write requests on the same object will fail. To physically delete it from the data store you need to call flush(). CGI::Session attempts to do this automatically when the object is being destroyed (usually as the script exits), but see "A Warning about Auto-flushing". (emphases mine)

You go on to ask:

Also, does the cookie expire once the session is deleted?

Of course not. You already sent a cookie to the user's browser with an expiration time of five minutes in the future. The cookie will expire then.

If, in the mean time, you have forced the expiration of the session on the server, the user's browser will still send the previously received cookie. Your application will just not find a session corresponding to the session identifier stored in the cookie.

You really need to understand the HTTP request/response cycle before taking one more step.

Answer 3

Per the CGI::Session documentation, deleteing a session "Sets the objects status to be "deleted". Subsequent read/write requests on the same object will fail. To physically delete it from the data store you need to call flush()." (emphasis mine)

Also, per the CGI::Session::Tutorial, "Expiring a session is the same as deleting it via delete(), but deletion takes place automatically." It is not necessary (or useful) to delete a session after it has expired.