You are viewing a plain text version of this content. The canonical link for it is here.

Posted to modperl@perl.apache.org by BeerBong <al...@samara.net> on 2002/01/28 13:33:21 UTC

AuthSession Manager [was] Apache::AuthCookie not set cookie really

> Hello all!
>
> Odd thing - all should works fine.
> I use Apache::AuthCookie for my project Agenda.
> I wrote descendant - Apache::AuthCookieAgenda
> ------------------------------------------------
> package Apache::AuthCookieAgenda;
>
> use strict;
> use Apache;
> use Apache::Constants qw(:common);
> use Apache::AuthCookie;
> use Agenda;
>
> use vars qw($VERSION @ISA);
>
> $VERSION = substr(q$Revision: 1.1 $, 10);
> @ISA = qw(Apache::AuthCookie);
>
> sub authen_cred ($$\@) {
>     my $self = shift;
>     my $r = shift;
>     my @creds = @_;
>
>     # This would really authenticate the credentials
>     # and return the session key.
>     # Here I'm just using setting the session
>     # key to the credentials and delaying authentication.
>     #
>     # Similar to HTTP Basic Authentication, only not base 64 encoded
>
>     join(":", @creds);
> }
>
> sub authen_ses_key ($$$) {
>     my $self = shift;
>     my $r = shift;
>     my($user, $password) = split(/:/, shift, 2);
>
>     my $modeller = Agenda->new();
>     $r->warn("Auth - $user - $password");
>
>     # Authenticate use here...
>     $modeller->authorize($user, $password) eq "OK" ? $user : undef;
>
> }
> ------------------------------------------------
> In conf file
> ------------------------------------------------
>    <IfDefine power>
>     <Perl>
>      use lib qw(/usr/web/inc /usr/web/dev.webzavod.ru/modules);
>      use Apache::Agenda;
>      use Apache::AuthCookieAgenda;
>     </Perl>
>     PerlInitHandler Apache::Reload
>     PerlSetVar AuthCookieDebug 10
>
>     <Location  /agenda/>
>       SetHandler perl-script
>       PerlHandler Apache::Agenda
>
>       PerlSetVar AgendaPath /agenda
>       PerlSetVar AgendaTemplate default.inc
>       PerlSetVar AgendaSessionDir /tmp
>       PerlSetVar AgendaLoginScript /agenda/login/
>
>       AuthType Apache::AuthCookieAgenda
>       AuthName Agenda
>       PerlAuthenHandler Apache::AuthCookieAgenda->authenticate
>       PerlAuthzHandler Apache::AuthCookieAgenda->authorize
>       require valid-user
>
>     </Location>
>     <Location /LOGIN/>
>       AuthType Apache::AuthCookieAgenda
>       AuthName Agenda
>       SetHandler perl-script
>       PerlHandler Apache::AuthCookieAgenda->login
>     </Location>
>
>    </IfDefine>
> ------------------------------------------------
> when I'm trying to access /agenda/ files I get login page, but after
> submit a form, I return to login page again.
> In logs
> ------------------------------------------------
>
> [Mon Jan 28 12:38:35 2002] [error] credential_0 asdasd
> [Mon Jan 28 12:38:35 2002] [error] credential_1 asdasd
> [Mon Jan 28 12:38:35 2002] [error] ses_key asdasd:asdasd
>
> OUT Headers goes here
>
> $VAR1 = 'Pragma';
> $VAR2 = 'no-cache';
> $VAR3 = 'Cache-control';
> $VAR4 = 'no-cache';
> $VAR5 = 'Location';
> $VAR6 = '/agenda/tasks/';
>
> Error OUT Headers goes here
>
> $VAR1 = 'Set-Cookie';
> $VAR2 = 'Apache::AuthCookieAgenda_Agenda=asdasd:asdasd';
> $VAR3 = 'Pragma';
> $VAR4 = 'no-cache';
>
> Redirecting...
> and next phase
>
> [Mon Jan 28 12:38:35 2002] [error] auth_type
Apache::AuthCookieAgenda
> [Mon Jan 28 12:38:35 2002] [error] auth_name Agenda
> [Mon Jan 28 12:38:35 2002] [error] ses_key_cookie
>
> Cookie field is empty here - I don't know why...
> Cookie is set via error headers, I know that it is correct for
> REDIRECT responses...
> ses_key_cookie is empty, therefore authen_ses_key not even
requested,
> redirecting to login form again.
>
> [Mon Jan 28 12:38:35 2002] [error] uri /agenda/tasks/
> [Mon Jan 28 12:38:35 2002] [error] auth_type
Apache::AuthCookieAgenda
> [Mon Jan 28 12:38:35 2002] [warn] Header Dump:
> GET /agenda/tasks/ HTTP/1.0
> Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
> application/vnd.ms-excel, application/vnd.ms-powerpoint,
> application/ms
> word, */*
> Accept-Encoding: gzip, deflate
> Accept-Language: ru
> Cache-Control: no-cache
> Cookie: SESSION_ID=10000000_56535df97f6ed52c
>
> I used Apache::Session::Counted, and know that this two modules may
> conflict, but when all Apache::Session::Counted staff is commented
> result is the same...
>
> Host: warzavod:81
> Referer: http://warzavod/agenda/tasks/
> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;
> Q312461)
> X-Real-IP: 195.209.67.7
>
> I dont know why cookie is not set.
>
> Is there anywhere comparison table for
> Apache::AuthCookie - Apache::AuthTicket
> and table for
> Apache::Session modules - I use Apache::Session::Counted as the
single
> not-database solution wich I found for maintaining state with
cleanup
> feature. Or is there anywhere cleanup example for Apache::Session -
I
> didn't find... Apache::Session::Lock::File->clean cleans up only
lock
> files...
> Apache::ASP - has a good session state algorithm with cleanup...

Ok.
I readed the previous discuss with
http://marc.theaimsgroup.com/?t=101100645900004&r=1&w=2
And ask the question in more general form.

Our team writing project management open source system Agenda.
There is a couple groupware application written on php, I installed
every of them.
All of them cannot be used for
1. Company with greater than 1 department
2. With one or more managers for each department.
3. Manager can view the load of members of his department
4. Comparison of spent time for task and its real cost
etc etc

Application's main goals
1. Simple install.
I don't want use cron jobs for cleanup - I think, it can be problem
for some users.
2. Separated business and presentative logic.
Application is designed as MVC (modeller-viewer-controller) in
Rational Rose and even skeleton generated via rewritten RosePerl.
(Agenda.pm as modeller, Template::Toolkit as viewer, Apache::Agenda as
controller)
Design is object-oriented.
3. Multilingual
4. Popularization of mod_perl and other brilliance technologies among
Open Source community.

We designed relational base for application
Oracle is a chosen one, because application logic is simpler to
implement with reach SQL and constraints are defined in database
already. I understand that it will be problem for many people -
install a Oracle, but as application is object-oriented and every
table in Oracle has a own object in Agenda controller package - it is
not a problem rewrite methods of objects with extended fuctionality
moved from database to Controller methods for mySQL database.

Users can be simple employees, managers, clients, admins
Employee doesn't see anything, beside assigned to him tasks.
Manager sees and update tasks for his department(s)
client sees tasks of his projects
Admin manages everything.

I need to authorize user and don't want to query on every request is
you admin, which departments you belong to etc..
I need Apache::AuthCookie (Apache::AuthTicket) and Apache::Session
functionality.
Apache::AuthCookie doesn't want to set cookie on redirect (see above).
I have a distributed light proxy Apache and mod_perl installation of
Apache.
I think the best way is to combine tickets (keys) of these modules and
use ticket as key for maintaining state with Apache::Session...
Although... After generating ticket I can use any module to store
session data which implements tied hash.
Good cleanup functionality for Apache::Session can be gained with
database driven version. Apache::AuthTicket also require DBI.
I don't think that it is good to use the Oracle database for
maintaining state or secrets for tickets. It can be slower than query
indexed table even on every request for password and departments where
user works.
MySQL...
We design this application for our company, which has a about 70
employees. I sure, such decision satisfy 98% of target auditorium for
our application.
Is it good to use such distributed solution for 100 clients of
application ?
Is there simpler and grace solution ?

Thank you for any clues
> --------------------------------------------
> Sergey Polyakov               aka "BeerBong"
> Chief of WebZavod     http://www.webzavod.ru
> Tel. +7 (8462) 43-93-85 | +7 (8462) 43-93-86
> mailto:alexei@samara.net
>
>
>
>
>
>
>

Re: AuthSession Manager [was] Apache::AuthCookie not set cookie really

Posted by Perrin Harkins <pe...@elem.com>.

> Application's main goals
> 1. Simple install.
> I don't want use cron jobs for cleanup - I think, it can be problem
> for some users.

Most of the existing session stuff is written to leave cleanup to you.  If
you don't want to use cron jobs, you can do it in a cleanup handler,
possibly exec'ing a separate script to avoid keeping the heavy mod_perl
process around.

> I need to authorize user and don't want to query on every request is
> you admin, which departments you belong to etc..

Unless you're willing to put real information in the cookie (not just an
ID), you have to do some kind of lookup on the server-side for every request
if they need session information.  It may not be to a database though.  If
you know that each user will stay on a single server, you can use a
disk-based technique like Cache::FileCache or Apache::Session::File.

> Apache::AuthCookie doesn't want to set cookie on redirect (see above).

There's a lot of stuff in the archives about cookies and redirects.  Maybe
that will help.  You're not the first person to have problems with this.

> I don't think that it is good to use the Oracle database for
> maintaining state or secrets for tickets. It can be slower than query
> indexed table even on every request for password and departments where
> user works.

It's generally fast enough, since it's a single row retrieved by ID.  MySQL
is very fast at this kind of thing though.

- Perrin