We've just launched the first mod_perl site I've ever designed. It's all going very well so far but I'm sure there are some things worth improving. I wonder if anyone might have suggestions about this scenario:
I want to add the session id to the access log entries. This example: http://perl.apache.org/docs/2.0/user/handlers/http.html#PerlLogHandler shows how to write to a different logfile but I want to write to whatever would be the normal access log for whatever VirtualHost it's in. We've only got a PerlResponseHandler now but I think this should probably go in a PerlLogHandler. What's the best way to go about this?

We're very interested in tracking long-term user browsing behavior and so we set one persistent cookie with a session key at each request if there's no cookie or if the existing cookie is obsolete (user logged in, logged out, more than 1 hour since last access, 12 since last visit, IP changed, or user agent changed). If, when a new session id is created, there is an existing (but obsolete) session cookie, then the obsolete one is stored in the sessions table as the previous session key.

I've tried to follow the philosophy that Randal Schwartz described in a recent thread here - a cookie is just a serial number for a browser. By rotating the cookies often we're hoping to avoid problems with stolen or leaked sessions, and by storing the previous session id (if there is one) with every new session we're planning to be able to build a linked list of session activity which we can correlate with specific users who log in at any part of that linked list.
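
The rotation and linking scheme described in the post, as an added example that is not part of the original message. A hash stands in for the sessions table; the field names and the `session_for` and `chain_users` helpers are hypothetical, and the "12 since last visit" rule is left out because the post gives no unit.

```perl
use strict; use warnings;
use constant IDLE_LIMIT => 3600;    # "more than 1 hour since last access"
my %sessions;                       # stands in for the sessions table (assumption)
# 128-bit key from the OS CSPRNG (assumes a Unix-like /dev/urandom).
sub new_key {
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    read($fh, my $buf, 16) == 16 or die "short read from urandom";
    return unpack 'H*', $buf;
}
# Obsolete on idle timeout, IP or user-agent change, or login/logout.
sub obsolete {
    my ($s, $req) = @_;
    return $req->{time} - $s->{last_access} > IDLE_LIMIT
        || $s->{ip} ne $req->{ip} || $s->{ua} ne $req->{ua}
        || ($s->{user} // '') ne ($req->{user} // '');
}
# Returns the key to set as the cookie for this request.
sub session_for {
    my ($cookie, $req) = @_;
    my $old = defined($cookie) ? $sessions{$cookie} : undef;
    if ($old && !obsolete($old, $req)) {
        $old->{last_access} = $req->{time};
        return $cookie;
    }
    my $key = new_key();
    # Link only to keys this server issued; an unknown cookie value is not stored.
    $sessions{$key} = { %$req, last_access => $req->{time},
                        prev => ($old ? $cookie : undef) };
    return $key;
}
# Walks the prev links and collects every user who logged in along the chain.
sub chain_users {
    my ($key) = @_;
    my (%seen, %users);
    while (defined($key) && !$seen{$key}++) {
        my $s = $sessions{$key} or last;
        $users{ $s->{user} } = 1 if defined $s->{user};
        $key = $s->{prev};
    }
    return sort keys %users;
}

# Constructed requests: anonymous visit, login, then a long idle gap.
my %req = (ip => '192.0.2.10', ua => 'ExampleBrowser/1.0', user => undef, time => 1_000);
my $k1 = session_for(undef, \%req);                                     # first key
my $k2 = session_for($k1, { %req, time => 1_600 });                     # same key as $k1
my $k3 = session_for($k2, { %req, time => 1_700, user => 'alice' });    # login rotates
my $k4 = session_for($k3, { %req, time => 9_000, user => 'alice' });    # idle gap rotates
print join(' <- ', map { substr($_, 0, 8) } $k1, $k3, $k4), "  users: @{[ chain_users($k4) ]}\n";
```

Walking back from the newest key attributes the anonymous first session to the user who later logged in, which is the correlation the post is after.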