Posted to modperl@perl.apache.org by Greg Cope <gj...@rubberplant.freeserve.co.uk> on 2000/08/15 01:24:52 UTC

Session manager(s)-how to set an outbound session ?

Dear All

I'm writing a Session-Manager (transhandler), i.e. it deals with getting a
session id from cookies, uri, or query args, and sets one and redirects
if necessary.  This is meant to complement Apache::Session - in that
you use Apache::Session to store your session data.

Thanks to Mat and Eric (for the addhandler issue yesterday) I can:

- get a session from cookies, query args or via URI rewriting
- change the order of the last two (i.e. look in uri first, query args
second, or args first, uri second).
- Only look in cookies, or args or uri.
- redirect if needed to set a session if none is found (default to on -
configurable to off).
- match a uri to "session" i.e session-ing can be switched off for
certain uri's.
- store the session id / whether cookies are on / off in either pnotes
or $ENV{}
- debugging can be set for copious info on what's going on.

- Note there is no validation of the session - this just fetches the
session id, validating is up to other handlers.

- I'm adding in a check_cookie functionality that will try to set a
cookie and then redirect to itself with a check in the URI, if no
session is found.

- lots of bonus unexplained functionality .... aka bugs I've not found or
fixed.

Much of the code is a rehash of the examples in Apache Modules in Perl &
C.

Now I want to deal with out-bound content/session ids - obviously
cookies are easy as these could just be set in the transhandler and a
ref placed in pnotes (and $ENV although I'm not sure on this bit as I've
not tried it).

But what to do with args or uri sessioning ?

If relative urls are used the session appears to be preserved in
netscape between different uri's (if using uri's).  This means I can do
reasonable transparent session handling with Cookies or URI mangling
(ignoring session id leakage at this point).  This works quite well (I'm
happy with it!).

Adding to the args of links is a different question - anyone any clues?

I will either have to say that adding a session to your links if cookies
are off is your issue within your content handler, or find a way of
manipulating them - anyone any ideas ?

If anyone wants a peek I can send them the code or post it here if
there's demand.  It's my second stab, and the logic / style / efficiency
may leave something to be desired - constructive flames welcome!

The main aim/motivation is for a very simple ecommerce thing where
sessions are vital - and offsite/exterior links are few and exit points
want to be tracked - hence URI rewriting is acceptable and a redirector
is handy.  Transparent session handling is a "nice" design goal.

I may also throw in a redirector that will strip session args (if I can
get $r->args(undef) to work ....) and/or uri's (which can help with exit
tracking etc ...) before redirecting to the link to help with session
leaks.

Greg
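
An added illustration of the configurable lookup order and the session-stripping redirector idea described in the message above; it is not Greg's code. It is plain Perl with no mod_perl dependency, and the cookie name "SESSION", the "sid" query argument, the /<id>/path URI layout and the 32-hex-character id format are all assumptions.

```perl
use strict;
use warnings;

# All names below are hypothetical: cookie "SESSION", query argument "sid",
# URI layout /<id>/path, and an id format of 32 lowercase hex characters.
my $ID = qr/[0-9a-f]{32}/;

# Try each source in the configured order; return (id, source) or nothing.
# This is a format check only; whether the session exists is a later step.
sub find_session {
    my ($order, $cookie, $path, $query) = @_;
    my %lookup = (
        cookie => sub { ($cookie // '') =~ /(?:^|;\s*)SESSION=($ID)(?:;|$)/ ? $1 : undef },
        uri    => sub { $path =~ m{^/($ID)(?:/|$)} ? $1 : undef },
        args   => sub { ($query // '') =~ /(?:^|[&;])sid=($ID)(?:[&;]|$)/ ? $1 : undef },
    );
    for my $source (@$order) {
        my $get = $lookup{$source} or next;
        my $id  = $get->();
        return ($id, $source) if defined $id;
    }
    return;
}

# Drop the id from both the path and the query string, so a URL passed to a
# redirector or written to an exit-tracking log no longer carries it.
sub strip_session {
    my ($path, $query) = @_;
    $path =~ s{^/$ID(?=/|$)}{};
    $path = '/' if $path eq '';
    my @keep = grep { !/^sid=/ } split /[&;]/, ($query // '');
    return @keep ? $path . '?' . join('&', @keep) : $path;
}

# Constructed sample request: cookies off, id present in both URI and args.
my $sid = '0123456789abcdef0123456789abcdef';
my ($path, $query) = ("/$sid/shop/basket", "item=42&sid=$sid");

my ($id, $from) = find_session([qw(uri args)], undef, $path, $query);
print "session $id found in $from\n";
print "stripped URL: ", strip_session($path, $query), "\n";

# A value that does not match the id format is ignored, not passed along.
my @bad = find_session(['args'], undef, '/shop', 'sid=not-a-session-id');
print "malformed id accepted: ", (@bad ? 'yes' : 'no'), "\n";
```

Stripping covers only the URL that is redirected to or logged; links inside the generated page still carry the id unless the content handler rewrites them.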

Re: Session manager(s)-how to set an outbound session ?

Posted by Ken Williams <ke...@forum.swarthmore.edu>.
Bill Moseley wrote:
> FWIW -- I'm using a modified version of Ken Williams' Apache::AuthCookie to
> handle session control via cookies or munged URLs.  I originally wanted to
> use his custom login script instead of the pop-up browser login, but I had
> clients that don't have cookies enabled.  So I added the URL munge into
> AuthCookie.
[...]
> If anyone is interested, please let me know.  (Ken, are these features
> worth adding to AuthCookie?)

Quite possibly.  I'm away from my home turf now, but I'll take a look
when I get home.  Of course, having a module called AuthCookie that
doesn't necessarily use cookies might be a tad strange. =)


> BTW -- Why can't I use
> 
>     PerlTransHandler  Sample::AuthCookieHandler
> 
> instead of
> 
>     PerlTransHandler  Sample::AuthCookie
> 
> Shouldn't handler() be found in @ISA?

Probably because mod_perl is invoking your handler as a function and not
a method.  Does it work if you change it to
Sample::AuthCookieHandler->handler, or fix the prototype of the handler
subroutine to ($$)?


Re: Session manager(s)-how to set an outbound session ?

Posted by Bill Moseley <mo...@hank.org>.
At 11:24 PM 08/14/00 +0000, Greg Cope wrote:

>I'm writing a Session-Manager (transhandler), i.e. it deals with getting a
>session id from cookies, uri, or query args, and sets one and redirects
>if necessary.  This is meant to complement Apache::Session - in that
>you use Apache::Session to store your session data.

FWIW -- I'm using a modified version of Ken Williams' Apache::AuthCookie to
handle session control via cookies or munged URLs.  I originally wanted to
use his custom login script instead of the pop-up browser login, but I had
clients that don't have cookies enabled.  So I added the URL munge into
AuthCookie.

I realized that by bypassing the Apache::AuthCookie login script,
AuthCookie was perfect (at least for my needs) for simple session
management.

The only changes needed to the AuthCookie config are:

    # Enable URL munging
    PerlTransHandler  Sample::AuthCookie

    # Disable the login script requirement
    PerlSetVar WhatEverLoginScript NONE

If anyone is interested, please let me know.  (Ken, are these features
worth adding to AuthCookie?)

BTW -- Why can't I use 

    PerlTransHandler  Sample::AuthCookieHandler

instead of

    PerlTransHandler  Sample::AuthCookie

Shouldn't handler() be found in @ISA?




Bill Moseley
mailto:moseley@hank.org