New session with already existing id & reuse dbh for session db

[Robert <ro...@robert.cz>]

Hi,

  Q1: I want to give user a possibility to access his session data even
after browser change etc, so I could check username/password and send
him back cookie/url with his old session id. How can this be done in
Embperl? 

  Q2: How can I reuse existing db connection? The Apache::DBI hint
doesn't work for me because I can't use Apache::DBI (need to connect to
different databases for different virtual hosts). Is there some
possibility to set say $HTML::Embperl::...::SessionDBH to my already
open dbh? or use some $req_rec->pnotes trick?

  Thanks

- Robert

---------------------------------------------------------------------
To unsubscribe, e-mail: embperl-unsubscribe@perl.apache.org
For additional commands, e-mail: embperl-help@perl.apache.org

Re: New session with already existing id & reuse dbh for session db

[Gerald Richter <ri...@ecos.de>]

>
> I can iterate the username list in the application myself (as a matter
> of fact I have a reverse lookup table with user names and user sessions
> already for other reasons) but I don't know what to do when I've got the
> right session id. I could send the cookie manually but it seems
> stupid... Maybe I'm not clear enough, here's the (pseudo)code
>
> [$ if ($udat{username}) $]
> Hi, [+ $udat{username} +]
> [$ elsif ($fdat{username} || $fdat{password}) $]
> [- $session_id = find_session_id($fdat{username}, $fdat{password}) -]
> [$ if ($session_id) $]
> ...

You could try (untested):

[- tied(%udat) -> setid ($session_id) -]

> [$ else $]
> Invalid username or password
> [$ endif $]
> [$ endif $]
>
>
....
>
> I don't understand. Apache::DBI's persistent connection feature would
> lead to several Postgres childs per one Apache child which is clearly
> wrong. Are you referring to some other Apache::DBI feature? Looking
> right now at the docs but I don't see anything relevant...
>

Apache::DBI keeps a handle for any different connect string, so
dbi:Pg:dbname=x and dbi:Pg:dbname=y will keep two database handles open.
Just look at the source...

>
> Different virtual host have different session needs.

Yes, that's true. Originaly there was only one session object for
performance reasons. I agree that it is a good idea to have different
session setups and this will come one time, but at the moment I don't have
the time to implement it :-(

Gerald

-------------------------------------------------------------
Gerald Richter    ecos electronic communication services gmbh
Internetconnect * Webserver/-design/-datenbanken * Consulting

Post:       Tulpenstrasse 5         D-55276 Dienheim b. Mainz
E-Mail:     richter@ecos.de         Voice:    +49 6133 925131
WWW:        http://www.ecos.de      Fax:      +49 6133 925152
-------------------------------------------------------------



---------------------------------------------------------------------
To unsubscribe, e-mail: embperl-unsubscribe@perl.apache.org
For additional commands, e-mail: embperl-help@perl.apache.org

Re: New session with already existing id & reuse dbh for session db

[Robert <ro...@robert.cz>]

Gerald Richter wrote:
> 
> >   Q1: I want to give user a possibility to access his session data even
> > after browser change etc, so I could check username/password and send
> > him back cookie/url with his old session id. How can this be done in
> > Embperl?
> >
> At the moment I don't see a direct possibility. You could store the usename
> in the session data and iterate over all session to figure out the right
> one, but at the moment Apache::Session/SessionX doesn't have the possibility
> to iterate over all sessions. Also this would be nice to have.
> 
> I plan to build to possibility into 1.3.4 to use the username as session id.
> Of course the username must be know to use session data in this case.

I can iterate the username list in the application myself (as a matter
of fact I have a reverse lookup table with user names and user sessions
already for other reasons) but I don't know what to do when I've got the
right session id. I could send the cookie manually but it seems
stupid... Maybe I'm not clear enough, here's the (pseudo)code

[$ if ($udat{username}) $]
	Hi, [+ $udat{username} +]
[$ elsif ($fdat{username} || $fdat{password}) $]
	[- $session_id = find_session_id($fdat{username}, $fdat{password}) -]
	[$ if ($session_id) $]
		... 
		now I know session id and I need to send the sesioon token to the
user's browser 
		if I send cookie manually, it'll break when I switch to url-rewriting
etc
		...
	[$ else $]
		Invalid username or password
	[$ endif $]
[$ endif $]


> >   Q2: How can I reuse existing db connection? The Apache::DBI hint
> > doesn't work for me because I can't use Apache::DBI (need to connect to
> > different databases for different virtual hosts). Is there some
> > possibility to set say $HTML::Embperl::...::SessionDBH to my already
> > open dbh? or use some $req_rec->pnotes trick?
> >
> Apache::DBI handles multiple databases (also multiple usernames) correctly.
> So this should work with Apache::DBI

I don't understand. Apache::DBI's persistent connection feature would
lead to several Postgres childs per one Apache child which is clearly
wrong. Are you referring to some other Apache::DBI feature? Looking
right now at the docs but I don't see anything relevant...

> If you want to have different DB's for session handling, then you have a
> problem. Embperl currently only supports one session setup for the whole
> server. You can use different EMBPERL_COOKIE_NAME settings, to make sure
> your different virtual host, doesn't share the same session.

Different virtual host have different session needs. One has a lot of
short-term sessions so I have to remove old ones quite often, another
one have long-term sessions only that should never get removed. I
thought having a DB per virtual host would just be more secure but it's
not critical, I'll just have to be more carefull when coding the delete
subroutine ;-) When I'm thinking about several programmers deleting
their applications' old sessions only... from the same table... someone
is going to make a mistake sonner or later.

On the other hand the virtual hosts that need database AND sessions will
still need to connect twice. If I put a session table to every database
I have both security and performance benefits.

- Robert

---------------------------------------------------------------------
To unsubscribe, e-mail: embperl-unsubscribe@perl.apache.org
For additional commands, e-mail: embperl-help@perl.apache.org

Re: New session with already existing id & reuse dbh for session db

[Gerald Richter <ri...@ecos.de>]

Hi,
>
>   Q1: I want to give user a possibility to access his session data even
> after browser change etc, so I could check username/password and send
> him back cookie/url with his old session id. How can this be done in
> Embperl?
>

At the moment I don't see a direct possibility. You could store the usename
in the session data and iterate over all session to figure out the right
one, but at the moment Apache::Session/SessionX doesn't have the possibility
to iterate over all sessions. Also this would be nice to have.

I plan to build to possibility into 1.3.4 to use the username as session id.
Of course the username must be know to use session data in this case.

>   Q2: How can I reuse existing db connection? The Apache::DBI hint
> doesn't work for me because I can't use Apache::DBI (need to connect to
> different databases for different virtual hosts). Is there some
> possibility to set say $HTML::Embperl::...::SessionDBH to my already
> open dbh? or use some $req_rec->pnotes trick?
>

Apache::DBI handles multiple databases (also multiple usernames) correctly.
So this should work with Apache::DBI

If you want to have different DB's for session handling, then you have a
problem. Embperl currently only supports one session setup for the whole
server. You can use different EMBPERL_COOKIE_NAME settings, to make sure
your different virtual host, doesn't share the same session.

Gerald


-------------------------------------------------------------
Gerald Richter    ecos electronic communication services gmbh
Internetconnect * Webserver/-design/-datenbanken * Consulting

Post:       Tulpenstrasse 5         D-55276 Dienheim b. Mainz
E-Mail:     richter@ecos.de         Voice:    +49 6133 925131
WWW:        http://www.ecos.de      Fax:      +49 6133 925152
-------------------------------------------------------------




---------------------------------------------------------------------
To unsubscribe, e-mail: embperl-unsubscribe@perl.apache.org
For additional commands, e-mail: embperl-help@perl.apache.org