Posted to modperl@perl.apache.org by John ORourke <jo...@o-rourke.org> on 2005/08/23 17:56:03 UTC
MP2 easy cookie interface available
Hi folks,
I found the available cookie methods a bit tricky to use (I think the
blessed scalars or overloading were confusing me!), so I wrote a simple
cookie interface to use in place of Apache2::Cookie. Most of the code
is copied from that.
I haven't got time to CPAN-ify it at the mo, but there is some POD at
the bottom and there are no licence conditions attached - I guess it
should inherit the Apache2::Cookie license?
Its main feature is automatic use of MD5 hashes to protect the cookie
from being modified by the user, so you can store things in it safely.
Grab it here:
http://www.versatilia.com/downloads/Validated.pm
and install it as Apache2/Cookie/Validated.pm somewhere in @INC.
cheers
John
Re: MP2 easy cookie interface available
Posted by John ORourke <jo...@o-rourke.org>.
Sounds great, it'd be a nice addition to Apache2::Cookie. Getting the
secret through to freeze and thaw is the tricky bit - I guess it could
just be supplied to fetch() and new().
There are a couple of extras that I'm adding:
- a delete method which deletes the cookie by name (ie. you don't have
to create an object)
- an expiry time validator - if you absolutely need cookies to expire on
time, store the expiry time in the validated cookie and check it,
instead of relying on the user to expire it.
> I really wanted a module called Cookie::Factory though.. the pod could
> be so amazingly funny.
>
Hehe! Perl is punny sometimes... the other day I wrote "sub merge {"...
...back to the code for me, I've started using Set-Cookie2 and firefox
is ignoring them :(
John
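
The two ideas discussed so far (a hash over data plus a server secret, and an expiry time stored inside the validated cookie and checked on the server) can be sketched as follows. This is an added example, not code from Validated.pm or Apache2::Cookie; it uses HMAC-SHA256 from Digest::SHA in place of the MD5 hash mentioned in the thread, and the names sign_cookie, verify_cookie, ct_eq and $SECRET are hypothetical.

```perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Assumption: under mod_perl the secret would come from configuration
# (the thread mentions dir_config); a constructed value is used here.
my $SECRET = 'constructed-example-secret';

# Returns "hexvalue|expiry|mac". The expiry is covered by the MAC, so the
# client cannot extend the cookie's lifetime by editing it.
sub sign_cookie {
    my ($value, $expires_at) = @_;
    my $payload = join '|', unpack('H*', $value), $expires_at;
    return $payload . '|' . hmac_sha256_hex($payload, $SECRET);
}

# Compare two strings without stopping at the first differing character.
sub ct_eq {
    my ($x, $y) = @_;
    return 0 unless length $x == length $y;
    my $diff = 0;
    $diff |= ord(substr $x, $_, 1) ^ ord(substr $y, $_, 1) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Returns the original value, or nothing if the cookie is malformed,
# has been modified, or is past the expiry stored inside it.
sub verify_cookie {
    my ($cookie, $now) = @_;
    return unless defined $cookie;
    my @f = split /\|/, $cookie, -1;
    return unless @f == 3;
    my ($hex, $expiry, $mac) = @f;
    return unless $hex =~ /\A(?:[0-9a-f]{2})*\z/ && $expiry =~ /\A\d+\z/;
    return unless ct_eq($mac, hmac_sha256_hex("$hex|$expiry", $SECRET));
    return if $now >= $expiry;
    return pack 'H*', $hex;
}

# Constructed demo: fixed clock value, one-hour lifetime.
my $t0 = 1_000_000;
my $c  = sign_cookie('uid=42', $t0 + 3600);
(my $forged = $c) =~ s/^[0-9a-f]+/unpack 'H*', 'uid=1'/e;   # value edited, MAC kept
print "valid:    ", verify_cookie($c,      $t0 + 10)   // 'rejected', "\n";
print "modified: ", verify_cookie($forged, $t0 + 10)   // 'rejected', "\n";
print "expired:  ", verify_cookie($c,      $t0 + 3600) // 'rejected', "\n";
```
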
Re: MP2 easy cookie interface available
Posted by Jonathan Vanasco <jv...@mastersofbranding.com>.
Having it validate the cookie based on a hash on data+ server secret is
a great addition.
I've been doing that already on a custom abstraction class for
Apache::Cookie as well -- I needed to build something that would switch
the cookie baking code to either use headers_out or bake on the fly, to
get around a since-fixed bug.
Anyways, since I know many people who have subclassed or manipulated
cookies to act like that, maybe instead of your module being cpanned as
a standalone, it could be incorporated into the main Apache2::Cookie?
ie: patch Apache2::Cookie to add a 'validation_require' flag, a
'validation_serversecret' string for hashing/matching, and have fetch
return an error if validation is required but the hash doesn't match.
I guess I should talk about that on the libapreq list though - there
might be large opposition to it there and any patching I do will be
hours of wasted time.
For the past few months, I've been thinking about making a
CookieFactory module that is kind of like the BBC's anytemplate -- just
a simple abstraction class with simple configuration that can get/send
via Apache::Cookie (or another backend like cgi), include the
server-secret hack, but let it be a little easier for configuration
(ie, I hate putting stuff in httpd.conf - I like to consolidate as much
of my configuration in startup.pl or in the main handler). If the
main apache::cookie handled this, then I could just forget about my
stupid idea and never think of it again.
I really wanted a module called Cookie::Factory though.. the pod could
be so amazingly funny.
Re: MP2 easy cookie interface available
Posted by John ORourke <jo...@o-rourke.org>.
Thanks for the feedback Philip.
I believe it does subclass APR::Request::Cookie but I just left in all
the 'use' statements from Apache2::Cookie. I figured the APR::
namespace would be the wrong place for it too.
It needs to override so many methods because they need to get the
RequestRec object so the get_secret method can read the secret from
dir_config - I couldn't think of an easier way but it does seem a bit much.
cheers
John
Philip M. Gollucci wrote:
> Forwarding to apreq-dev (at) apache.org
>
> Did you really need to override all those methods? Granted I haven't
> looked at it that closely.
>
> The biggest thing I would say is you should subclass perhaps
> APR::Request::Cookie instead as
> that is the API we recommend these days.
>
>
> John ORourke wrote:
>
>> http://www.versatilia.com/downloads/Validated.pm
>
Re: MP2 easy cookie interface available
Posted by "Philip M. Gollucci" <pg...@p6m7g8.com>.
Forwarding to apreq-dev (at) apache.org
Did you really need to override all those methods? Granted I haven't looked at it that closely.
The biggest thing I would say is you should subclass perhaps APR::Request::Cookie instead as
that is the API we recommend these days.
John ORourke wrote:
> Hi folks,
>
> I found the available cookie methods a bit tricky to use (I think the
> blessed scalars or overloading were confusing me!), so I wrote a simple
> cookie interface to use in place of Apache2::Cookie. Most of the code
> is copied from that.
>
> I haven't got time to CPAN-ify it at the mo, but there is some POD at
> the bottom and there are no licence conditions attached - I guess it
> should inherit the Apache2::Cookie license?
>
> Its main feature is automatic use of MD5 hashes to protect the cookie
> from being modified by the user, so you can store things in it safely.
>
> Grab it here:
> http://www.versatilia.com/downloads/Validated.pm
>
> and install it as Apache2/Cookie/Validated.pm somewhere in @INC.
>
> cheers
> John
>
--
END
------------------------------------------------------------
What doesn't kill us can only make us stronger.
Nothing is impossible.
Philip M. Gollucci (pgollucci@p6m7g8.com) 301.254.5198
Consultant / http://p6m7g8.net/Resume/
Senior Developer / Liquidity Services, Inc.
http://www.liquidityservicesinc.com
http://www.liquidation.com
http://www.uksurplus.com
http://www.govliquidation.com
http://www.gowholesale.com