I'm having some difficulty thinking of the best solution for a login system. Basically I'm making a website with an arbitrary number of 'private' pages that may only be viewed if the user is authenticated. I'm looking into the following systems for authentication, but I'm curious what the de-facto standard seems to be. I'd like to shy away from cookies if possible...
Do you prefer to use sessions for state management? I'm having a bit of difficulty with logins/logouts and sessions (actually logouts). I'm using CGI/Perl, and been playing with the CGI::Session module all day. I like it, but I'm concerned with how to maintain state across pages. It looks like my options are:
o hidden form data (POST data)
o query string passing (GET data)
Which do you use? Is there any other type of authentication (I was looking a bit at Apache, how is this?). At the current moment, I'm just using a plain text file for my authentication, and cookies are working pretty well. I think POST data seems a bit better, but probably more difficult to implement across many pages. I still haven't thought of a good way of implementing it cleanly.
Another question, sorry. Let's say you're using a session system to keep users logged in across pages. Is it a web standard to have some variable like... $_USER_LOGGED_IN or something similar? I've been adding the username to the session, and comparing if it's not a null string. I kind of make the assumption that the user's logged in if ($session->param('username') ne ""). I don't particularly like this solution but I probably don't know enough about sessions yet.
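
An added example, not part of the original post: one way to handle the login check and logout described above with CGI::Session, keeping the session id in the cookie the module sets and all login state on the server. The session directory, the `action` parameter, the `check_credentials` helper and the sample user are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example: server-side login state with CGI::Session (not the poster's code).
use strict;
use warnings;
use CGI;
use CGI::Session;

my %DSN_ARGS = (Directory => '/var/lib/myapp/sessions');  # assumed path, outside the web root

# Hypothetical helper with a constructed sample user; a real site would
# compare against salted password hashes from its user store.
sub check_credentials {
    my ($user, $pass) = @_;
    return defined $user && defined $pass
        && $user eq 'alice' && $pass eq 'constructed-sample-password';
}

# "Logged in" means: a stored, unexpired session that carries a username.
sub logged_in_user {
    my ($session) = @_;
    return undef if $session->is_empty || $session->is_expired;
    my $user = $session->param('username');
    return (defined $user && length $user) ? $user : undef;
}

my $cgi    = CGI->new;
my $action = $cgi->param('action') // 'view';
# load() only returns an existing session; anonymous visitors get no session file.
my $session = CGI::Session->load(undef, $cgi, \%DSN_ARGS) or die CGI::Session->errstr;

if ($action eq 'login') {
    my ($user, $pass) = (scalar $cgi->param('username'), scalar $cgi->param('password'));
    if (check_credentials($user, $pass)) {
        # Drop the id the browser presented so a pre-login id is never reused.
        unless ($session->is_empty) { $session->delete; $session->flush; }
        $session = CGI::Session->new(undef, $cgi, \%DSN_ARGS) or die CGI::Session->errstr;
        $session->param('username', $user);
        $session->expire('+30m');            # idle timeout
        $session->flush;
        print $session->header, "Welcome, ", $cgi->escapeHTML($user), "\n";
    } else {
        print $cgi->header(-status => '401 Unauthorized'), "Login failed\n";
    }
} elsif ($action eq 'logout') {
    # Remove the server-side record; the old id is then worthless.
    unless ($session->is_empty) { $session->delete; $session->flush; }
    print $cgi->header, "Logged out\n";
} elsif (defined(my $user = logged_in_user($session))) {
    print $session->header, "Private page for ", $cgi->escapeHTML($user), "\n";
} else {
    print $cgi->header(-status => '403 Forbidden'), "Please log in\n";
}
```

Every private page can reuse `logged_in_user` as its gate, so the username test lives in one place instead of being repeated as a string comparison on each page.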