Posted to modperl@perl.apache.org by Tracy12 <j_...@yahoo.com> on 2007/01/17 23:24:08 UTC

Session Handling/Set Session attributes

Hi,
My Perl authentication handler works fine, BUT the biggest problem is that inside my
Auth handler I do some resource-intensive tasks and, if everything is
successful, set the REMOTE_USER env variable.

But for the subsequent requests from the same user (after the initial
Authentication is successful), how can I bypass these resource-intensive
tasks, because the user has already been authenticated (but I need the REMOTE_USER
value for subsequent requests)?

My suggestions

1) After initial Authentication set a session attribute (my_remote_user)
with the value REMOTE_USER, in subsequent requests check this attribute is
there and return OK, without going further

    Question -> How is session handling supported in mod_perl? How can
I retrieve the user session and set variables like that?


2) Does mod_perl support this in such a way that for subsequent requests the user
has authenticated and hence it gives the value of the remote user?

Currently my Auth handler does all the tasks inside the authentication
handler, which might be a performance killer.

thanks

-- 
View this message in context: http://www.nabble.com/Session-Handling-Set-Session-attributes-tf3030824.html#a8420979
Sent from the mod_perl - General mailing list archive at Nabble.com.


Re: Session Handling/Set Session attributes

Posted by Tracy12 <j_...@yahoo.com>.
The Apache::AuthCAS module on CPAN does not support OpenSSL; also, it creates
database tables to store data. We tried it on Apache 2.2 with mod_perl 2.0
and it failed. We need only a serviceValidate from CAS, not other functions.


mod_cas looks OK but does not support Apache 2.2.


We have almost finished our authentication module; in fact, it works. But the only
thing is we are working on how to cache things, as I am dealing with the
forum. If we know how to resolve these subsequent requests without doing the
Authentication logic all over, we are done.

Thanks


Perrin Harkins wrote:
> 
> On Wed, 2007-01-17 at 14:50 -0800, Tracy12 wrote:
>> What about the security measures if we store authenticated user
>> information
>> in a cookie,
>> 
>> Can't we handle it in the server session and store it as a session
>> variable.
>> This would be much more secure?
> 
> Have you looked at the Apache::AuthCAS module on CPAN?
> http://search.cpan.org/dist/Apache-AuthCAS/
> 
> It seems to already support the use of session cookies.
> 
> The various mod_cas modules that Google turns up also seem to support
> local caching of some kind.  I don't mean to discourage you from writing
> your own if you want to learn mod_perl, but if you just want to get
> something working, using those might be faster.
> 
> Regarding your earlier question about using basic auth with something
> like mod_cas, you can configure your 401 ErrorDocument to be a mod_perl
> handler which redirects to anything you want.  So, I believe you could
> use mod_cas if you choose to.
> 
> - Perrin
> 
> 
> 



Re: Session Handling/Set Session attributes

Posted by Perrin Harkins <pe...@elem.com>.
On Wed, 2007-01-17 at 14:50 -0800, Tracy12 wrote:
> What about the security measures if we store authenticated user information
> in a cookie,
> 
> Can't we handle it in the server session and store it as a session variable.
> This would be much more secure?

Have you looked at the Apache::AuthCAS module on CPAN?
http://search.cpan.org/dist/Apache-AuthCAS/

It seems to already support the use of session cookies.

The various mod_cas modules that Google turns up also seem to support
local caching of some kind.  I don't mean to discourage you from writing
your own if you want to learn mod_perl, but if you just want to get
something working, using those might be faster.

Regarding your earlier question about using basic auth with something
like mod_cas, you can configure your 401 ErrorDocument to be a mod_perl
handler which redirects to anything you want.  So, I believe you could
use mod_cas if you choose to.

- Perrin


Re: Session Handling/Set Session attributes

Posted by Frank Wiles <fr...@wiles.org>.
On Wed, 17 Jan 2007 16:11:17 -0800 (PST)
Tracy12 <j_...@yahoo.com> wrote:

> 
> Well does this all mean there is limited features to do session
> handling on mod_perl. Well I am new to mod_perl but in JAVA/Servlet
> you can do a simple thing like this
>  
> request.getSession().setAttribute("my_remote_user",<uid of the
> authenticated
> user>);
> for subsequent requests we can retrieve this attribute and do what we
> want. I expected a similar session handling feature to be available in
> mod_perl as this is a common requirement.

   This is essentially what Apache::Session does for you.  

 ---------------------------------
   Frank Wiles <fr...@wiles.org>
   http://www.wiles.org
 ---------------------------------


Re: Session Handling/Set Session attributes

Posted by Perrin Harkins <pe...@elem.com>.
Tracy12 wrote:
> Can I know how I can install the above module (CGI::Session) on my system?

There is lots of good documentation about installing perl modules.  You 
can read the perlmodinstall man page.  You can pick up a good book like 
"Intermediate Perl."  There is a discussion about CPAN modules in the 
Perl FAQ, available in the perlfaq man page or on the web here:
http://perldoc.perl.org/perlfaq2.html#What-modules-and-extensions-are-available-for-Perl%3f--What-is-CPAN%3f--What-does-CPAN%2fsrc%2f...-mean%3f

When you have general questions about perl that are not specific to 
mod_perl, a good place to ask is the perl-beginners mailing list:
http://lists.cpan.org/showlist.cgi?name=beginners

I know it's not always obvious which questions are about mod_perl and 
which are general perl questions.  If you're not sure, it's fine to ask.

- Perrin


Re: Session Handling/Set Session attributes

Posted by Tracy12 <j_...@yahoo.com>.
CGI::Session looks like it gives a good abstraction.

I used use CGI::Session; in my code and came up with the error  failed to
resolve handler `AuthCAS->authen_handler': Can't locate CGI/Session.pm in @

I am using Fedora Core 5 with Apache 2.2 and mod_perl 2.x.

Can I know how I can install the above module (CGI::Session) on my system?

Thanks

 

Perrin Harkins wrote:
> 
> On Wed, 2007-01-17 at 16:11 -0800, Tracy12 wrote:
>> Well does this all mean there is limited features to do session handling
>> on
>> mod_perl.
> 
> Concepts like sessions are not built into mod_perl.  They are
> implemented separately by modules that you can find on CPAN, like
> Apache::Session, which was suggested to you earlier.  My preferred
> module for sessions these days is CGI::Session, which also works with
> mod_perl.
> 
> If you want to use sessions, you can read the documentation for these
> modules on http://search.cpan.org/.
> 
> - Perrin
> 
> 
> 



Re: Session Handling/Set Session attributes

Posted by Perrin Harkins <pe...@elem.com>.
On Wed, 2007-01-17 at 16:11 -0800, Tracy12 wrote:
> Well does this all mean there is limited features to do session handling on
> mod_perl.

Concepts like sessions are not built into mod_perl.  They are
implemented separately by modules that you can find on CPAN, like
Apache::Session, which was suggested to you earlier.  My preferred
module for sessions these days is CGI::Session, which also works with
mod_perl.

If you want to use sessions, you can read the documentation for these
modules on http://search.cpan.org/.

- Perrin


Re: Session Handling/Set Session attributes

Posted by Jonathan Vanasco <mo...@2xlp.com>.
On Jan 17, 2007, at 7:11 PM, Tracy12 wrote:

>
> Well does this all mean there is limited features to do session  
> handling on
> mod_perl. Well I am new to mod_perl but in JAVA/Servlet you can do  
> a simple
> thing like this
>
> request.getSession().setAttribute("my_remote_user",<uid of the  
> authenticated
> user>);
> for subsequent requests we can retrieve this attribute and do what  
> we want.
> I expected a similar session handling feature to be available in mod_perl
> as this is a common requirement.
>
> "store the user info on the lan, mapped to the id in the cookie" is
> something which we need to think about. Isn't there an easy way to store
> information on the user session?
>
> The other doubt that we have is: because the user was successful in his first
> Authentication, isn't there a way to retrieve the remote_user variable in the
> subsequent requests (I may be wrong as well, all new to this)?


you use Apache::Session or CGI::Session to do that transparently.

your Java servlet example seems to be using a framework, while
mod_perl is a platform.

you might be wanting to use something like Catalyst, which can run on
mod_perl and has the facilities to do what you want built in.

session handling isn't built into mod_perl, because that would lock  
people into a certain way.  instead you use either Apache::Session or  
CGI::Session, or one of the numerous variants.

They all use the same model:

	session id comes from client cookie
	session id loads / saves a session variable to your LAN.  either on  
the same machine in a file, or on a database on your local network

> request.getSession().setAttribute("my_remote_user",<uid of the  
> authenticated
> user>);

that is very likely just wrapping several functions in one line.

request.getSession() probably wraps a routine to get session id based  
on some client cookie value





// Jonathan Vanasco

| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
- - - - - - - - - - - - - - - -
| FindMeOn.com - The cure for Multiple Web Personality Disorder
| Web Identity Management and 3D Social Networking
| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
- - - - - - - - - - - - - - - -
| RoadSound.com - Tools For Bands, Stuff For Fans
| Collaborative Online Management And Syndication Tools
| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
- - - - - - - - - - - - - - - -



Re: Session Handling/Set Session attributes

Posted by Tracy12 <j_...@yahoo.com>.
Well does this all mean there is limited features to do session handling on
mod_perl. Well I am new to mod_perl but in JAVA/Servlet you can do a simple
thing like this
 
request.getSession().setAttribute("my_remote_user",<uid of the authenticated
user>);
for subsequent requests we can retrieve this attribute and do what we want. 
I expected a similar session handling feature to be available in mod_perl as this is
a common requirement.

"store the user info on the lan, mapped to the id in the cookie" is
something which we need to think about. Isn't there an easy way to store information
on the user session?

The other doubt that we have is: because the user was successful in his first
Authentication, isn't there a way to retrieve the remote_user variable in the
subsequent requests (I may be wrong as well, all new to this)?


Thanks






Jonathan Vanasco-5 wrote:
> 
> 
> On Jan 17, 2007, at 5:50 PM, Tracy12 wrote:
> 
>>
>> What about the security measures if we store authenticated user  
>> information
>> in a cookie,
>>
>> Can't we handle it in the server session and store it as a session
>> variable.
>> This would be much more secure?
> 
> you store a session id in a cookie
> 
> you store the user info on the lan, mapped to the id in the cookie
> 
> you can use checksum cookies and other stuff to mitigate cookie spoofing
> 
> 
> 
> 
> 
> // Jonathan Vanasco
> 
> 
> 
> 
> 



Re: Session Handling/Set Session attributes

Posted by Jonathan Vanasco <mo...@2xlp.com>.
On Jan 17, 2007, at 5:50 PM, Tracy12 wrote:

>
> What about the security measures if we store authenticated user  
> information
> in a cookie,
>
> Can't we handle it in the server session and store it as a session
> variable.
> This would be much more secure?

you store a session id in a cookie

you store the user info on the lan, mapped to the id in the cookie

you can use checksum cookies and other stuff to mitigate cookie spoofing





// Jonathan Vanasco




Re: Session Handling/Set Session attributes

Posted by Tracy12 <j_...@yahoo.com>.
What about the security measures if we store authenticated user information
in a cookie,

Can't we handle it in the server session and store it as a session variable.
This would be much more secure?


Robert Landrum wrote:
> 
> Tracy12 wrote:
>> My Perl authentication handler works fine, BUT the biggest problem is that inside
>> my Auth handler I do some resource-intensive tasks and, if everything is
>> successful, set the REMOTE_USER env variable.
>> 
>> But for the subsequent requests from the same user (after the initial
>> Authentication is successful), how can I bypass these resource-intensive
>> tasks, because the user has already been authenticated (but I need the REMOTE_USER
>> value for subsequent requests)?
>> 
> 
> I would use Apache::Session and store a cookie that says that this user 
> is authenticated.  The session would include to be set for REMOTE_USER. 
>   The user would only get the session cookie if they had successfully 
> authenticated.
> 
> It should work fine and will likely solve your performance problem.
> 
> Rob
> 
> 



Re: Session Handling/Set Session attributes

Posted by Robert Landrum <rl...@aol.net>.
Tracy12 wrote:
> My Perl authentication handler works fine, BUT the biggest problem is that inside my
> Auth handler I do some resource-intensive tasks and, if everything is
> successful, set the REMOTE_USER env variable.
> 
> But for the subsequent requests from the same user (after the initial
> Authentication is successful), how can I bypass these resource-intensive
> tasks, because the user has already been authenticated (but I need the REMOTE_USER
> value for subsequent requests)?
> 

I would use Apache::Session and store a cookie that says that this user 
is authenticated.  The session would include to be set for REMOTE_USER. 
  The user would only get the session cookie if they had successfully 
authenticated.

It should work fine and will likely solve your performance problem.

Rob
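

The approach suggested in this thread (a session id in the cookie, the user info kept server-side and keyed by that id, and a checksum on the cookie), sketched in Perl as an added example that is not code from any poster or from Apache::Session or CGI::Session. The in-memory %SESSION hash, the secret, the lifetime and the sub names are assumptions made for illustration, and the checksum used here is an HMAC-SHA256.

```perl
#!/usr/bin/perl
# Added example: signed session-id cookie backed by a server-side session store.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

my $SECRET = 'constructed-demo-key';  # assumption: secret known only to the server
my $TTL    = 1800;                    # assumption: 30-minute session lifetime
my %SESSION;                          # stand-in for Apache::Session / CGI::Session storage

# Random 128-bit session id taken from the OS CSPRNG.
sub new_sid {
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    read($fh, my $buf, 16) == 16 or die "short read from urandom";
    close $fh;
    return unpack 'H*', $buf;
}

# Called once, after the expensive authentication has succeeded.
sub issue_cookie {
    my ($user, $now) = @_;
    my $sid = new_sid();
    $SESSION{$sid} = { remote_user => $user, expires => $now + $TTL };
    return "$sid." . hmac_sha256_hex($sid, $SECRET);
}

# Called on every later request; returns the user name, or undef to force re-auth.
sub user_from_cookie {
    my ($cookie, $now) = @_;
    my ($sid, $mac) = ($cookie // '') =~ /\A([0-9a-f]{32})\.([0-9a-f]{64})\z/
        or return;
    my $want = hmac_sha256_hex($sid, $SECRET);
    my $diff = 0;                     # constant-time comparison of the two MACs
    $diff |= ord(substr $want, $_, 1) ^ ord(substr $mac, $_, 1) for 0 .. 63;
    return if $diff;                  # tampered or forged cookie
    my $s = $SESSION{$sid} or return; # id not in the store
    if ($s->{expires} < $now) { delete $SESSION{$sid}; return }
    return $s->{remote_user};
}

my $now    = time;
my $cookie = issue_cookie('alice', $now);      # constructed user name
(my $forged = $cookie) =~ tr/0-9a-f/1-9a-f0/;  # well-formed cookie, every hex digit altered
printf "valid:   %s\n", user_from_cookie($cookie, $now)            // 're-authenticate';
printf "forged:  %s\n", user_from_cookie($forged, $now)            // 're-authenticate';
printf "expired: %s\n", user_from_cookie($cookie, $now + $TTL + 1) // 're-authenticate';
```

In a mod_perl 2 authentication handler the name returned by user_from_cookie would be passed to $r->user, so REMOTE_USER is set without repeating the expensive check. The cookie carries only the id and its MAC, never the user name, and should be sent with the Secure and HttpOnly attributes.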