A session is a hash of keys/values that is persistent between web site visits of a single visitor. Session values that are set on one request will persist, and be available on subsequent requests. Sessions are therefore excellent ways to preserve state, track identity, and cache useful information about the visitor.
ExSite::Session uses ExSite::Store for low-level session data storage. That means that session expiry, session garbage collection, and session validation are handled automatically by the data store.
Every user who is maintaining a session has a session ID or session key. This value is stored in a cookie, so the user must accept this cookie to benefit from session management.
The session key is only created when you write data to the session. If the user has never recorded any session data, they will not have a session key, nor will they have received a session cookie.
The session key is an MD5 hash of originating IP, browser signature, the current time, and a random number. It should be very hard to guess, allowing session data to remain reasonably secure, and suitable for authentication purposes (i.e. once the user has been authenticated, their mere knowledge of their session ID can be taken as proof of identity). ExSite supports a "session" authentication method, which does this automatically.
The session lifetime depends on the lifetime of items in the store. By default this is 1 hour maximum idle time. Sessions are renewed when they are used, so the total session lifetime is indefinite if the time between activity is less than 1 hour in each case.
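The key creation and idle-timeout behaviour described above, modelled as a stand-alone Perl script. This is an added example, not ExSite's own code: the sub names, the in-memory %store, the join format of the key inputs and the sample visitor values are assumptions made for illustration.

```perl
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);

my $IDLE_LIMIT = 3600;    # 1 hour maximum idle time (the documented default)
my %store;                # stand-in for the persistent store: key => { data, expires }

# Key built from the four inputs the page lists. The join format and the
# source of the random number are assumptions. Only the random number is
# unknown to an outside observer, so its quality decides how guessable the key is.
sub new_session_key {
    my ($ip, $agent, $now) = @_;
    return md5_hex(join "|", $ip, $agent, $now, rand());
}

# Writing is what creates the key; a visitor who only reads never gets one.
sub session_write {
    my ($key, $name, $value, $ip, $agent, $now) = @_;
    $key = new_session_key($ip, $agent, $now) unless defined $key;
    $store{"session:$key"}{data}{$name} = $value;
    $store{"session:$key"}{expires} = $now + $IDLE_LIMIT;
    return $key;          # the value that would be sent in the cookie
}

# Reading renews the idle timer; an expired or unknown key yields nothing.
sub session_read {
    my ($key, $now) = @_;
    return undef unless defined $key;
    my $item = $store{"session:$key"};
    if (!$item || $item->{expires} <= $now) {
        delete $store{"session:$key"};
        return undef;
    }
    $item->{expires} = $now + $IDLE_LIMIT;
    return $item->{data};
}

# Constructed timeline (seconds), using a documentation IP address.
my @who = ("192.0.2.10", "ExampleBrowser/1.0");
my $t   = 1_700_000_000;
print "no key before first write\n" unless defined session_read(undef, $t);
my $key = session_write(undef, "cart", 3, @who, $t);
printf "key %s (%d hex chars)\n", $key, length $key;
for my $gap (3000, 3000, 3000, 3601) {    # three gaps under an hour, then one over
    $t += $gap;
    my $data = session_read($key, $t);
    printf "+%4ds idle: %s\n", $gap, $data ? "alive, cart=$data->{cart}" : "expired";
}
```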
Session data can be found in the global %session hash, which should be automatically populated at system initialization. Simply use this hash as a normal Perl hash to read session values.
To save data to the session table, simply add or change keys/values in the %session hash. They will automatically be saved for future requests.
Session management is not enabled by default. That is because the underlying storage engine is not enabled by default, for reasons noted in its documentation. If you are not using a persistent data store, then session data will not persist across requests. There is no harm in using %session like a normal hash in this case, but it will be cleared after each request, like %share, so will not be especially useful.
To enable session management, you must enable persistent storage. See the documentation for ExSite::Store for details. If persistent storage is working, then session management should also work.
Use the StoreAdm plug-in to inspect items in the persistent data store. Sessions are prefixed with "session:". Click on the inspect links to view the contents of a session, or the delete links to manually terminate the session.