Posted to modperl@perl.apache.org by BeerBong <al...@samara.net> on 2002/01/28 10:31:49 UTC

Apache::AuthCookie not set cookie really

Hello all!

Odd thing - all should work fine.
I use Apache::AuthCookie for my project Agenda.
I wrote descendant - Apache::AuthCookieAgenda
------------------------------------------------
package Apache::AuthCookieAgenda;

use strict;
use Apache;
use Apache::Constants qw(:common);
use Apache::AuthCookie;
use Agenda;

use vars qw($VERSION @ISA);

$VERSION = substr(q$Revision: 1.1 $, 10);
@ISA = qw(Apache::AuthCookie);

sub authen_cred ($$\@) {
    my $self = shift;
    my $r = shift;
    my @creds = @_;

    # This would really authenticate the credentials
    # and return the session key.
    # Here I'm just setting the session
    # key to the credentials and delaying authentication.
    #
    # Similar to HTTP Basic Authentication, only not base 64 encoded

    join(":", @creds);
}

sub authen_ses_key ($$$) {
    my $self = shift;
    my $r = shift;
    my($user, $password) = split(/:/, shift, 2);

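    my $modeller = Agenda->new();
    # Debug output: this writes the clear-text password to the error log.
    $r->warn("Auth - $user - $password");

    # Authenticate user here: return the user name on success, undef otherwise.
    $modeller->authorize($user, $password) eq "OK" ? $user : undef;
}

1;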
------------------------------------------------
In conf file
------------------------------------------------
   <IfDefine power>
    <Perl>
     use lib qw(/usr/web/inc /usr/web/dev.webzavod.ru/modules);
     use Apache::Agenda;
     use Apache::AuthCookieAgenda;
    </Perl>
    PerlInitHandler Apache::Reload
    PerlSetVar AuthCookieDebug 10

    <Location  /agenda/>
      SetHandler perl-script
      PerlHandler Apache::Agenda

      PerlSetVar AgendaPath /agenda
      PerlSetVar AgendaTemplate default.inc
      PerlSetVar AgendaSessionDir /tmp
      PerlSetVar AgendaLoginScript /agenda/login/

      AuthType Apache::AuthCookieAgenda
      AuthName Agenda
      PerlAuthenHandler Apache::AuthCookieAgenda->authenticate
      PerlAuthzHandler Apache::AuthCookieAgenda->authorize
      require valid-user

    </Location>
    <Location /LOGIN/>
      AuthType Apache::AuthCookieAgenda
      AuthName Agenda
      SetHandler perl-script
      PerlHandler Apache::AuthCookieAgenda->login
    </Location>

   </IfDefine>
------------------------------------------------
When I try to access /agenda/ files I get the login page, but after
submitting the form, I return to the login page again.
In logs
------------------------------------------------

[Mon Jan 28 12:38:35 2002] [error] credential_0 asdasd
[Mon Jan 28 12:38:35 2002] [error] credential_1 asdasd
[Mon Jan 28 12:38:35 2002] [error] ses_key asdasd:asdasd

OUT Headers goes here

$VAR1 = 'Pragma';
$VAR2 = 'no-cache';
$VAR3 = 'Cache-control';
$VAR4 = 'no-cache';
$VAR5 = 'Location';
$VAR6 = '/agenda/tasks/';

Error OUT Headers goes here

$VAR1 = 'Set-Cookie';
$VAR2 = 'Apache::AuthCookieAgenda_Agenda=asdasd:asdasd';
$VAR3 = 'Pragma';
$VAR4 = 'no-cache';

Redirecting...
and next phase

[Mon Jan 28 12:38:35 2002] [error] auth_type Apache::AuthCookieAgenda
[Mon Jan 28 12:38:35 2002] [error] auth_name Agenda
[Mon Jan 28 12:38:35 2002] [error] ses_key_cookie

Cookie field is empty here - I don't know why...
Cookie is set via error headers, I know that it is correct for
REDIRECT responses...
ses_key_cookie is empty, therefore authen_ses_key not even requested,
redirecting to login form again.

[Mon Jan 28 12:38:35 2002] [error] uri /agenda/tasks/
[Mon Jan 28 12:38:35 2002] [error] auth_type Apache::AuthCookieAgenda
[Mon Jan 28 12:38:35 2002] [warn] Header Dump:
GET /agenda/tasks/ HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/vnd.ms-excel, application/vnd.ms-powerpoint,
application/ms
word, */*
Accept-Encoding: gzip, deflate
Accept-Language: ru
Cache-Control: no-cache
Cookie: SESSION_ID=10000000_56535df97f6ed52c

I used Apache::Session::Counted, and know that these two modules may
conflict, but when all the Apache::Session::Counted stuff is commented out
the result is the same...

Host: warzavod:81
Referer: http://warzavod/agenda/tasks/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;
Q312461)
X-Real-IP: 195.209.67.7

I don't know why the cookie is not set.

Is there a comparison table anywhere for
Apache::AuthCookie - Apache::AuthTicket
and a table for
Apache::Session modules? I use Apache::Session::Counted as the single
non-database solution which I found for maintaining state with a cleanup
feature. Or is there a cleanup example anywhere for Apache::Session? I
didn't find one... Apache::Session::Lock::File->clean cleans up only lock
files...
Apache::ASP has a good session state algorithm with cleanup...

--------------------------------------------
Sergey Polyakov               aka "BeerBong"
Chief of WebZavod     http://www.webzavod.ru
Tel. +7 (8462) 43-93-85 | +7 (8462) 43-93-86
mailto:alexei@samara.net






Re: Apache::AuthCookie not set cookie really

Posted by BeerBong <al...@samara.net>.
Skipped

> Actually, as my application should be
> 1. simple maintained,
> 2. maximum count of users - 100 (employees in small software
> development company)
> 3. simultaneous login - 5-7 maximum
> 4. team managers work with money (project budget, employee's payment
> per hour and etc)
> 5. good session solutions require database access while all, what I
> want to store in sessions, can get from the same database with no
> great effort
>
> I've decided to use simplest authentication module kinda
> Apache::DBILogin and if someone need real security - SSL.

I meant Apache::AuthDBI of course

>
> Thank you
> --------------------------------------------
> Sergey Polyakov               aka "BeerBong"
> Chief of WebZavod     http://www.webzavod.ru
> Tel. +7 (8462) 43-93-85 | +7 (8462) 43-93-86
> mailto:alexei@samara.net




Re: Apache::AuthCookie not set cookie really

Posted by Michael Schout <ms...@gkg.net>.
> variable path=/agenda was omitted. Explorer 6.0 doesn't set cookie
> without path attribute.
> I think, it's a good idea to make WhatEverPath required option in
> config.

Hrm.  I was not aware of that.  Thanks for bringing it to my attention.

I have changed AuthCookie in CVS so that Path will be set to "/" unless the
path has been configured.  This will allow people who have configurations that
don't specify the path to still use the new version without updating the config.

Feel free to grab the source from CVS and try it out at:

http://sourceforge.net/projects/ap-authcookie

Mike



Re: Apache::AuthCookie not set cookie really

Posted by BeerBong <al...@samara.net>.
> >     <Location  /agenda/>
> >       SetHandler perl-script
> >       PerlHandler Apache::Agenda
> >
> >       PerlSetVar AgendaPath /agenda
> >       PerlSetVar AgendaTemplate default.inc
> >       PerlSetVar AgendaSessionDir /tmp
> >       PerlSetVar AgendaLoginScript /agenda/login/
>
> Are you sure that last line is correct?
>
> That would send you to /agenda/login when authen_ses_key() fails, but
> your config below is for /LOGIN/.
>
> >     <Location /LOGIN/>
> >       AuthType Apache::AuthCookieAgenda
> >       AuthName Agenda
> >       SetHandler perl-script
> >       PerlHandler Apache::AuthCookieAgenda->login
> >     </Location>
>
> This implies to me that you meant to have:
>
> PerlSetVar AgendaLoginScript /LOGIN/
>
> Is this just a typo?
>
> > I used Apache::Session::Counted, and know that this two modules may
> > conflict, but when all Apache::Session::Counted staff is commented
> > result is the same...
>
> I don't think they conflict.  I've not heard any reports of that anyway.
> The cookie names are unique so there should be no problem there.
>
> > I dont know why cookie is not set.
>
> I'd suspect something isn't right with your configuration.  Have you
> tried turning on "warn me before accepting cookies" on your browser?
> Sometimes that helps me verify that the cookies are actually making it
> to the browser.
>
> What you're trying to do looks to me like exactly the sort of thing
> AuthCookie can do.  Unless I am misunderstanding your problem I
> don't see an AuthCookie limitation here.  Please explain in more
> detail if I am missing the point and I will see what we can do if
> such a limitation does in fact exist :).
>
> Regards,
> Michael Schout (Apache::AuthCookie maintainer)

   <Location  /agenda/>
      SetHandler perl-script
      PerlHandler Apache::Agenda
      PerlSetVar AgendaPath /agenda
      PerlSetVar AgendaTemplate default.inc
      PerlSetVar AgendaSessionDir /tmp
      PerlSetVar AgendaLoginScript /agenda/login/
      .....
   </Location>

   <Location /LOGIN/>
       AuthType Apache::AuthCookieAgenda
       AuthName Agenda
       SetHandler perl-script
       PerlHandler Apache::AuthCookieAgenda->login
    </Location>

The problem was here: the AgendaPath variable is set in the /agenda.* location.
The /LOGIN/ script, which sets the session key cookie header, doesn't see
AgendaPath, therefore the cookie was
Apache::AuthCookieAgenda_Agenda=login:password
and the path=/agenda attribute was omitted. Explorer 6.0 doesn't set a cookie
without a path attribute.
I think it's a good idea to make WhatEverPath a required option in the
config.

with config

   PerlSetVar AgendaPath /agenda

   <Location  /agenda>
      SetHandler perl-script
      PerlHandler Apache::Agenda
      PerlSetVar AgendaSessionDir /tmp
      PerlSetVar AgendaLoginScript /agenda/login/
      .....
   </Location>

   <Location /agendalogin/>
       AuthType Apache::AuthCookieAgenda
       AuthName Agenda
       SetHandler perl-script
       PerlHandler Apache::AuthCookieAgenda->login
    </Location>

all works fine.

Actually, as my application should be
1. simply maintained,
2. maximum count of users - 100 (employees in small software
development company)
3. simultaneous login - 5-7 maximum
4. team managers work with money (project budget, employee's payment
per hour, etc.)
5. good session solutions require database access while everything I
want to store in sessions can be got from the same database with no
great effort

I've decided to use the simplest authentication module, something like
Apache::DBILogin, and if someone needs real security - SSL.

Thank you
--------------------------------------------
Sergey Polyakov               aka "BeerBong"
Chief of WebZavod     http://www.webzavod.ru
Tel. +7 (8462) 43-93-85 | +7 (8462) 43-93-86
mailto:alexei@samara.net
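
The symptom described in this thread matches the default-path and path-match rules browsers apply to cookies (RFC 6265, sections 5.1.4 and 5.4): a cookie set without a Path attribute is scoped to the directory of the URL that set it. The following is an added example, not code from the thread or from Apache::AuthCookie; the function names are hypothetical, the header and paths are taken from the log and configuration above, and it assumes the login form posts to /LOGIN/.

```perl
#!/usr/bin/perl
# Added example: which requests carry a session cookie set by /LOGIN/,
# with and without a Path attribute. Function names are hypothetical.
use strict;
use warnings;

# Default cookie path for the response that set the cookie
# (RFC 6265, section 5.1.4).
sub default_path {
    my ($uri_path) = @_;
    return '/' if !defined $uri_path || $uri_path !~ m{\A/};
    return '/' if ($uri_path =~ tr{/}{}) <= 1;    # only the leading slash
    return substr($uri_path, 0, rindex($uri_path, '/'));
}

# Does a request for $request_path carry a cookie scoped to $cookie_path?
sub path_match {
    my ($request_path, $cookie_path) = @_;
    return 1 if $request_path eq $cookie_path;
    return 0 if index($request_path, $cookie_path) != 0;
    return 1 if substr($cookie_path, -1) eq '/';
    return substr($request_path, length($cookie_path), 1) eq '/' ? 1 : 0;
}

# Path the browser stores for a Set-Cookie value received from $response_uri.
# The last Path attribute wins; a missing or non-absolute value falls back
# to the default path.
sub effective_path {
    my ($set_cookie, $response_uri) = @_;
    my $path;
    my (undef, @attrs) = split /\s*;\s*/, $set_cookie;
    for my $attr (@attrs) {
        my ($name, $value) = split /\s*=\s*/, $attr, 2;
        next unless defined $name && lc($name) eq 'path';
        $path = (defined $value && $value =~ m{\A/}) ? $value : undef;
    }
    return defined $path ? $path : default_path($response_uri);
}

my $request = '/agenda/tasks/';    # redirect target from the log
my $cookie  = 'Apache::AuthCookieAgenda_Agenda=asdasd:asdasd';
my @cases   = (
    # [ label, Set-Cookie value, URI of the response that set it ]
    [ 'as logged (no Path)', $cookie,                   '/LOGIN/' ],
    [ 'with path=/agenda',   "$cookie; path=/agenda",   '/LOGIN/' ],
    [ 'with path=/',         "$cookie; path=/",         '/LOGIN/' ],
);

for my $case (@cases) {
    my ($label, $header, $set_by) = @$case;
    my $scope = effective_path($header, $set_by);
    printf "%-20s scope=%-8s sent with %s: %s\n", $label, $scope, $request,
        path_match($request, $scope) ? 'yes' : 'no';
}
```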




Re: Apache::AuthCookie not set cookie really

Posted by Michael Schout <ms...@gkg.net>.
>     <Location  /agenda/>
>       SetHandler perl-script
>       PerlHandler Apache::Agenda
> 
>       PerlSetVar AgendaPath /agenda
>       PerlSetVar AgendaTemplate default.inc
>       PerlSetVar AgendaSessionDir /tmp
>       PerlSetVar AgendaLoginScript /agenda/login/

Are you sure that last line is correct?

That would send you to /agenda/login when authen_ses_key() fails, but
your config below is for /LOGIN/.

>     <Location /LOGIN/>
>       AuthType Apache::AuthCookieAgenda
>       AuthName Agenda
>       SetHandler perl-script
>       PerlHandler Apache::AuthCookieAgenda->login
>     </Location>

This implies to me that you meant to have:

PerlSetVar AgendaLoginScript /LOGIN/

Is this just a typo?

> I used Apache::Session::Counted, and know that this two modules may
> conflict, but when all Apache::Session::Counted staff is commented
> result is the same...

I don't think they conflict.  I've not heard any reports of that anyway.
The cookie names are unique so there should be no problem there.

> I dont know why cookie is not set.

I'd suspect something isn't right with your configuration.  Have you
tried turning on "warn me before accepting cookies" on your browser?
Sometimes that helps me verify that the cookies are actually making it
to the browser.

What you're trying to do looks to me like exactly the sort of thing
AuthCookie can do.  Unless I am misunderstanding your problem I
don't see an AuthCookie limitation here.  Please explain in more
detail if I am missing the point and I will see what we can do if
such a limitation does in fact exist :).

Regards,
Michael Schout (Apache::AuthCookie maintainer)


Re: AuthSession Manager [was] Apache::AuthCookie not set cookie really

Posted by Perrin Harkins <pe...@elem.com>.
> Application's main goals
> 1. Simple install.
> I don't want use cron jobs for cleanup - I think, it can be problem
> for some users.

Most of the existing session stuff is written to leave cleanup to you.  If
you don't want to use cron jobs, you can do it in a cleanup handler,
possibly exec'ing a separate script to avoid keeping the heavy mod_perl
process around.

> I need to authorize user and don't want to query on every request is
> you admin, which departments you belong to etc..

Unless you're willing to put real information in the cookie (not just an
ID), you have to do some kind of lookup on the server-side for every request
if they need session information.  It may not be to a database though.  If
you know that each user will stay on a single server, you can use a
disk-based technique like Cache::FileCache or Apache::Session::File.

> Apache::AuthCookie doesn't want to set cookie on redirect (see above).

There's a lot of stuff in the archives about cookies and redirects.  Maybe
that will help.  You're not the first person to have problems with this.

> I don't think that it is good to use the Oracle database for
> maintaining state or secrets for tickets. It can be slower than query
> indexed table even on every request for password and departments where
> user works.

It's generally fast enough, since it's a single row retrieved by ID.  MySQL
is very fast at this kind of thing though.

- Perrin
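
The comment in the posted authen_cred ("This would really authenticate the credentials and return the session key") and Perrin's point about putting real information in the cookie lead to the same design: verify the password once, then give the browser a signed, expiring ticket instead of user:password. The following is an added example, not code from the thread, Apache::AuthCookie or Apache::AuthTicket; the function names, field layout, secret and lifetime are assumptions, and the sample values are constructed.

```perl
#!/usr/bin/perl
# Added example: a signed, expiring ticket as the session key instead of
# "user:password". Function names, field layout and secret are assumptions.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

my $SECRET = 'constructed-demo-secret';   # constructed; load a real one from a protected file
my $TTL    = 8 * 3600;                    # ticket lifetime in seconds (assumed)

# What authen_cred could return once the password has been verified.
sub make_ticket {
    my ($user, $roles, $now) = @_;
    for my $field ($user, @$roles) {
        # ':' and ',' are separators, so they must not appear in a field.
        die "invalid field '$field'\n" unless $field =~ /\A[\w.-]+\z/;
    }
    my $body = join ':', $user, join(',', @$roles), $now + $TTL;
    return $body . ':' . hmac_sha256_hex($body, $SECRET);
}

# Constant-time string comparison, so the check does not reveal how many
# leading characters of the MAC were correct.
sub ct_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0 ? 1 : 0;
}

# What authen_ses_key could do: the cookie holds no password, and the user
# name and roles are trusted only if the MAC verifies and the ticket is fresh.
sub check_ticket {
    my ($ticket, $now) = @_;
    my ($user, $roles, $expires, $mac) =
        split /:/, (defined $ticket ? $ticket : ''), 4;
    return undef unless defined $mac && $expires =~ /\A\d+\z/;
    return undef unless ct_eq($mac, hmac_sha256_hex("$user:$roles:$expires", $SECRET));
    return undef if $now >= $expires;
    return { user => $user, roles => [ split /,/, $roles ] };
}

my $now    = 1012206715;    # constructed timestamp
my $ticket = make_ticket('asdasd', [ 'manager', 'dept3' ], $now);
(my $forged = $ticket) =~ s/manager/admin/;    # role edited, MAC left as-is

printf "%-8s %s\n", 'valid',   check_ticket($ticket, $now + 60)       ? 'accepted' : 'rejected';
printf "%-8s %s\n", 'forged',  check_ticket($forged, $now + 60)       ? 'accepted' : 'rejected';
printf "%-8s %s\n", 'expired', check_ticket($ticket, $now + $TTL + 1) ? 'accepted' : 'rejected';
```

A role change or account removal only takes effect when the ticket expires, so the lifetime bounds how stale the signed roles can be.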


AuthSession Manager [was] Apache::AuthCookie not set cookie really

Posted by BeerBong <al...@samara.net>.
> Hello all!
>
> Odd thing - all should works fine.
> I use Apache::AuthCookie for my project Agenda.
> I wrote descendant - Apache::AuthCookieAgenda
> ------------------------------------------------
> package Apache::AuthCookieAgenda;
>
> use strict;
> use Apache;
> use Apache::Constants qw(:common);
> use Apache::AuthCookie;
> use Agenda;
>
> use vars qw($VERSION @ISA);
>
> $VERSION = substr(q$Revision: 1.1 $, 10);
> @ISA = qw(Apache::AuthCookie);
>
> sub authen_cred ($$\@) {
>     my $self = shift;
>     my $r = shift;
>     my @creds = @_;
>
>     # This would really authenticate the credentials
>     # and return the session key.
>     # Here I'm just using setting the session
>     # key to the credentials and delaying authentication.
>     #
>     # Similar to HTTP Basic Authentication, only not base 64 encoded
>
>     join(":", @creds);
> }
>
> sub authen_ses_key ($$$) {
>     my $self = shift;
>     my $r = shift;
>     my($user, $password) = split(/:/, shift, 2);
>
>     my $modeller = Agenda->new();
>     $r->warn("Auth - $user - $password");
>
>     # Authenticate use here...
>     $modeller->authorize($user, $password) eq "OK" ? $user : undef;
>
> }
> ------------------------------------------------
> In conf file
> ------------------------------------------------
>    <IfDefine power>
>     <Perl>
>      use lib qw(/usr/web/inc /usr/web/dev.webzavod.ru/modules);
>      use Apache::Agenda;
>      use Apache::AuthCookieAgenda;
>     </Perl>
>     PerlInitHandler Apache::Reload
>     PerlSetVar AuthCookieDebug 10
>
>     <Location  /agenda/>
>       SetHandler perl-script
>       PerlHandler Apache::Agenda
>
>       PerlSetVar AgendaPath /agenda
>       PerlSetVar AgendaTemplate default.inc
>       PerlSetVar AgendaSessionDir /tmp
>       PerlSetVar AgendaLoginScript /agenda/login/
>
>       AuthType Apache::AuthCookieAgenda
>       AuthName Agenda
>       PerlAuthenHandler Apache::AuthCookieAgenda->authenticate
>       PerlAuthzHandler Apache::AuthCookieAgenda->authorize
>       require valid-user
>
>     </Location>
>     <Location /LOGIN/>
>       AuthType Apache::AuthCookieAgenda
>       AuthName Agenda
>       SetHandler perl-script
>       PerlHandler Apache::AuthCookieAgenda->login
>     </Location>
>
>    </IfDefine>
> ------------------------------------------------
> when I'm trying to access /agenda/ files I get login page, but after
> submit a form, I return to login page again.
> In logs
> ------------------------------------------------
>
> [Mon Jan 28 12:38:35 2002] [error] credential_0 asdasd
> [Mon Jan 28 12:38:35 2002] [error] credential_1 asdasd
> [Mon Jan 28 12:38:35 2002] [error] ses_key asdasd:asdasd
>
> OUT Headers goes here
>
> $VAR1 = 'Pragma';
> $VAR2 = 'no-cache';
> $VAR3 = 'Cache-control';
> $VAR4 = 'no-cache';
> $VAR5 = 'Location';
> $VAR6 = '/agenda/tasks/';
>
> Error OUT Headers goes here
>
> $VAR1 = 'Set-Cookie';
> $VAR2 = 'Apache::AuthCookieAgenda_Agenda=asdasd:asdasd';
> $VAR3 = 'Pragma';
> $VAR4 = 'no-cache';
>
> Redirecting...
> and next phase
>
> [Mon Jan 28 12:38:35 2002] [error] auth_type Apache::AuthCookieAgenda
> [Mon Jan 28 12:38:35 2002] [error] auth_name Agenda
> [Mon Jan 28 12:38:35 2002] [error] ses_key_cookie
>
> Cookie field is empty here - I don't know why...
> Cookie is set via error headers, I know that it is correct for
> REDIRECT responses...
> ses_key_cookie is empty, therefore authen_ses_key not even requested,
> redirecting to login form again.
>
> [Mon Jan 28 12:38:35 2002] [error] uri /agenda/tasks/
> [Mon Jan 28 12:38:35 2002] [error] auth_type Apache::AuthCookieAgenda
> [Mon Jan 28 12:38:35 2002] [warn] Header Dump:
> GET /agenda/tasks/ HTTP/1.0
> Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
> application/vnd.ms-excel, application/vnd.ms-powerpoint,
> application/ms
> word, */*
> Accept-Encoding: gzip, deflate
> Accept-Language: ru
> Cache-Control: no-cache
> Cookie: SESSION_ID=10000000_56535df97f6ed52c
>
> I used Apache::Session::Counted, and know that this two modules may
> conflict, but when all Apache::Session::Counted staff is commented
> result is the same...
>
> Host: warzavod:81
> Referer: http://warzavod/agenda/tasks/
> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;
> Q312461)
> X-Real-IP: 195.209.67.7
>
> I dont know why cookie is not set.
>
> Is there anywhere comparison table for
> Apache::AuthCookie - Apache::AuthTicket
> and table for
> Apache::Session modules - I use Apache::Session::Counted as the single
> not-database solution which I found for maintaining state with cleanup
> feature. Or is there anywhere cleanup example for Apache::Session - I
> didn't find... Apache::Session::Lock::File->clean cleans up only lock
> files...
> Apache::ASP - has a good session state algorithm with cleanup...

Ok.
I read the previous discussion at
http://marc.theaimsgroup.com/?t=101100645900004&r=1&w=2
and am asking the question in a more general form.

Our team is writing an open source project management system, Agenda.
There are a couple of groupware applications written in PHP; I installed
every one of them.
None of them can be used for
1. A company with more than 1 department
2. With one or more managers for each department.
3. A manager can view the load of members of his department
4. Comparison of time spent on a task and its real cost
etc etc

Application's main goals
1. Simple install.
I don't want to use cron jobs for cleanup - I think it can be a problem
for some users.
2. Separated business and presentation logic.
The application is designed as MVC (modeller-viewer-controller) in
Rational Rose and even the skeleton is generated via a rewritten RosePerl.
(Agenda.pm as modeller, Template::Toolkit as viewer, Apache::Agenda as
controller)
Design is object-oriented.
3. Multilingual
4. Popularization of mod_perl and other brilliant technologies among
the Open Source community.

We designed a relational database for the application.
Oracle is the chosen one, because application logic is simpler to
implement with rich SQL and constraints are defined in the database
already. I understand that installing Oracle will be a problem for many
people, but as the application is object-oriented and every
table in Oracle has its own object in the Agenda controller package, it is
not a problem to rewrite the methods of the objects, with extended functionality
moved from the database to Controller methods, for a MySQL database.

Users can be simple employees, managers, clients, admins.
An employee doesn't see anything besides the tasks assigned to him.
A manager sees and updates tasks for his department(s).
A client sees the tasks of his projects.
Admin manages everything.

I need to authorize the user and don't want to query on every request: are
you an admin, which departments do you belong to, etc.
I need Apache::AuthCookie (Apache::AuthTicket) and Apache::Session
functionality.
Apache::AuthCookie doesn't want to set cookie on redirect (see above).
I have a distributed installation: a light proxy Apache and a mod_perl
Apache.
I think the best way is to combine tickets (keys) of these modules and
use the ticket as the key for maintaining state with Apache::Session...
Although... After generating the ticket I can use any module that
implements a tied hash to store session data.
Good cleanup functionality for Apache::Session can be gained with the
database-driven version. Apache::AuthTicket also requires DBI.
I don't think that it is good to use the Oracle database for
maintaining state or secrets for tickets. It can be slower than querying
an indexed table even on every request for the password and departments where
the user works.
MySQL...
We design this application for our company, which has about 70
employees. I'm sure such a decision satisfies 98% of the target audience for
our application.
Is it good to use such a distributed solution for 100 clients of the
application?
Is there a simpler and more graceful solution?

Thank you for any clues
> --------------------------------------------
> Sergey Polyakov               aka "BeerBong"
> Chief of WebZavod     http://www.webzavod.ru
> Tel. +7 (8462) 43-93-85 | +7 (8462) 43-93-86
> mailto:alexei@samara.net