
A web database forum type technical question

This topic is archived.
 
Ratty, Donating Member (1000+ posts), Wed Oct-15-03 05:55 PM
Original message
A web database forum type technical question
OK, people are asking SQL questions now so I'm not afraid to pick anyone's brains who's willing to help me (I've already tried usenet with no luck).

I have a lot of experience setting up web interfaces to relational databases but for the first time I have to set up something very much like the DU forum. I have to allow users to register with a login and password and save data to an "account". Eeeek, I have no idea how to do this! We're not storing credit card numbers or other personal info but still I'd like it to be as secure as possible since it seems like hackers flood our sites trying to break in nowadays. Our logs are filled with crazy stunts. Thank god I managed to get us out of IIS hell and into something sensible like Apache. Whoa, that's a nightmare I'm glad is over.

Anyway, I know I store the login and password encrypted within the database. The user fills in a form, I check to see if there's already a user with the same name, if not I add a new record to the database keyed to the username and store the encrypted password. I'm fuzzy on the details but I imagine I can handle this.

But here's where I'm confused. How do you keep track of the session? In a stateless environment, how do I check that the user is authorized every time they click something to view their data, edit it, browse it, etc.? I suppose you do it with cookies somehow? Is that relatively safe? Exactly what is the form of the cookie? Is it generated randomly, or what?

Any bulletin board specialists care to give me a bit of advice? Sorry for the selfish post but bosses are beginning to breathe down my neck and I'm desperate!
JM, Donating Member (1000+ posts), Wed Oct-15-03 06:03 PM
Response to Original message
1. Session state with Web Sites
As a former e-commerce guy, I used both cookie and session values. Cookies are fine if your users are willing to have them put on their drives. Otherwise, most web languages support sessions of some sort or another. We were doing sites in ASP, so we could create as many session variables as we needed and just check them from page to page. They are the equivalent to global variables in Win32 applications. Encrypted session values are even better. The downside to session values is memory. The more users and values you are storing in memory, the more memory you need on the server.

Later,
JM
 
GregW, Donating Member (1000+ posts), Wed Oct-15-03 06:46 PM
Response to Reply #1
2. Yep! What JM said.
Using session variables allows you to maintain state from any page to any page, without resorting to kluges like hidden fields.

One of the problems with session variables occurs when you use a load balancer (like BigIP) that can bounce users back and forth between boxes in a server farm. In this case, you need to force persistence on the load balancer (keep user x on web box y) or store the variables somehow ... cookies on the client, or a back-end DB are options.
 
JM, Donating Member (1000+ posts), Wed Oct-15-03 08:19 PM
Response to Original message
3. To see a message board in action...
...check out the code in tipped cow's message board

http://www.infuseum.com/tippedcow/content/filedownload.asp?what=aspboardtrial.zip

This has the background ASP pages so if you are using ASP, you will be able to follow it...
 
Ratty, Donating Member (1000+ posts), Thu Oct-16-03 01:04 PM
Response to Original message
4. Thanks for the replies guys
Edited on Thu Oct-16-03 01:05 PM by Ratty
I figured sessions were one way to do it, and probably more reliable than cookies. Unfortunately I'm not using ASP, or JSP, or DBI, or any of the more common database frameworks. I'm using a homegrown Perl + ADO solution that works very well for us because it's designed to do exactly what we need and we can set up a new application in less than an hour. Plus it's, Wow, lightning fast. 99% of the discussions on sessions I have seen involved ASP so it's been hard to try and translate into something more generic.

Any information you can shed on generic session solutions for an Apache web application? Something not tied specifically to ASP or another framework?
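A framework-independent version of the cookie-plus-server-side-session approach discussed in this thread, as an added example that is not part of any poster's message or of the forum software. The cookie name `sid`, the 30-minute idle timeout and the in-memory `SESSIONS` dict (standing in for a table in the back-end database) are assumptions made for illustration.

```python
import hashlib
import secrets
import time
from http.cookies import SimpleCookie

SESSION_TTL = 30 * 60          # assumed idle timeout, in seconds
COOKIE_NAME = "sid"            # hypothetical cookie name

# Stands in for a sessions table in the back-end database, so any web
# box behind the load balancer can validate the same cookie.
SESSIONS = {}                  # sha256(token) -> {"user": ..., "expires": ...}

def _key(token):
    # Store only a hash, so a leaked sessions table yields no usable cookies.
    return hashlib.sha256(token.encode()).hexdigest()

def create_session(user, now=None):
    """Call after the password check succeeds; returns a Set-Cookie value."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)      # 256 random bits from the OS CSPRNG
    SESSIONS[_key(token)] = {"user": user, "expires": now + SESSION_TTL}
    return f"{COOKIE_NAME}={token}; Path=/; HttpOnly; Secure; SameSite=Lax"

def current_user(cookie_header, now=None):
    """Run on every request; returns the username or None."""
    now = time.time() if now is None else now
    cookie = SimpleCookie()
    cookie.load(cookie_header or "")
    if COOKIE_NAME not in cookie:
        return None
    key = _key(cookie[COOKIE_NAME].value)
    session = SESSIONS.get(key)
    if session is None:                    # unknown or forged token
        return None
    if session["expires"] < now:           # idle too long: drop the record
        del SESSIONS[key]
        return None
    session["expires"] = now + SESSION_TTL # sliding idle timeout
    return session["user"]

def destroy_session(cookie_header):
    """Logout: delete the server-side record so the cookie is worthless."""
    cookie = SimpleCookie()
    cookie.load(cookie_header or "")
    if COOKIE_NAME in cookie:
        SESSIONS.pop(_key(cookie[COOKIE_NAME].value), None)
```

The cookie carries only an opaque random identifier; the username and any account data stay on the server, keyed by the hash of that identifier.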
 