Developers > Kernel Documentation > Fundamentals >

ExSite Session Management

A session is a hash of keys/values that is persistent between web site visits of a single visitor. Session values that are set on one request will persist, and be available on subsequent requests. Sessions are therefore excellent ways to preserve state, track identity, and cache useful information about the visitor.

ExSite::Session uses ExSite::Store for low-level session data storage. That means that session expiry, session garbage collection, and session validation are handled automatically by the data store.

Session Key

Every user who is maintaining a session has a session ID or session key. This value is stored in a cookie, so the user must accept this cookie to benefit from session management.

The session key is only created when you write data to the session. If the user has never recorded any session data, they will not have a session key, nor will they have received a session cookie.

The session key is an MD5 hash of originating IP, browser signature, the current time, and a random number. It should be very hard to guess, allowing session data to remain reasonably secure, and suitable for authentication purposes (ie. once the user has been authenticated, their mere knowledge of their session ID can be taken as proof of identity). ExSite supports a ``session'' authentication method, which does this automatically.

Session Lifetime

The session lifetime depends on the lifetime of items in the store. By default this is 1 hour maximim idle time. Sessions are renewed when they are used, so the total session lifetime is indefinite if the time between activity is less than 1 hour in each case.

Fetching and Saving Session Data

Session data can be found in the global %session hash. which should be automatically populated at system initialization. Simply use this hash as a normal perl hash to read session values.

To save data to the session table, simply add or change keys/values in the %session hash. They will automatically be saved for future requests.

Enabling Session Management

Session management is not enabled by default. That is because the underlying storage engine is not enabled by default, for reasons noted in its documentation. If you are not using a persistent data store, then session data will not persist across requests. There is no harm in using %session like a normal hash in this case, but it will be cleared after each request, like %share, so will not be especially useful.

To enable session management, you must enable persistent storage. See the documentation for ExSite::Store for details. If persistent storage is working, then session management should also work.

Inspecting Session Contents

Use the StoreAdm plug-in to inspect items in the persistent data store. Sessions are prefixed with ``session:''. Click on the inspect links to view the contents of a session, or the delete links to manually terminate the session.