Re: Apache::Session permissions problem

[Perrin Harkins]

Eric,

Sorry if I came off overly critical.  Many people have had problems 
trying to use Mason with Apache::Session because of that article.  This 
is why on the Mason website the link to that article describes it as 
outdated and steers people to newer documentation.  (It probably should 
also steer them to the new handler...)

Eric Schwartz wrote:
Beggars can't be choosers, and all that, but would you mind telling me 
what handler you're talking about?  I looked around for session handling 
and Mason, and that article was the best one I found in terms of 
explaining how it worked and how to use it.
Did you look on the Mason site, http://masonhq.com/?  That's the best 
place to find information on Mason.  A search for "session" on that site 
includes a reference to MasonX::Request::WithApacheSession, available 
from CPAN.  This is mentioned in the administrator's manual that comes 
with Mason.  It's possible that you have an old version of Mason that 
predates this.

Apache::Session::DBI (which is what the article refers to) is ancient and
should not be used.
How can I know this?  The documentation for Apache::Session::DBIStore 
(which A::S::DBI refers to) doesn't say anything about being obsolete or 
deprecated.  Is there an archive of received wisdom somewhere I should 
be checking to validate articles like the one I found?
The latest Apache::Session on CPAN is version 1.54, released in October 
2001.  The last release that included a module called 
Apache::Session::DBI was version 1.03, released two years earlier.  I'm 
not certain what CPAN.pm would do if you told it to install 
Apache::Session::DBI.  It might install the old one, which would be very 
unfortunate.  Is that how you installed it?

You shouldn't use the IPC locking in Apache::Session.  You didn't mention
which database you're using, but most of them have alternative ways of
doing locking.  In my opinion, the locking approach taken in
Apache::Session is not a good one for the average web site and you should
simply turn it off by using the NullLocker.


How?
By using Apache::Session::Flex.  The configuration for 
MasonX::Request::WithApacheSession also lets you do this.

It's not 
particularly obvious from the documentation I can find that it's going 
to be used, or how to select alternative methods.
Look at the source and you'll see it.  It's all much clearer in the more 
recent release though.

I installed 
Apache::Session from CPAN, and the docs refer to PosixFileLocker 
SysVSemaphoreLocker and NullLocker, but no perldocs for those modules 
are on my system.
The Apache::Session::PosixFileLocker and 
Apache::Session::SysVSemaphoreLocker modules are included with 
Apache::Session (although both are obsolete and only part of the old 
version that you installed).  They have no documentation, so perldoc 
will not find them.  The later equivalents (Apache::Session::Lock::File) 
do have docs.

'perldoc Apache::Session::DBI' says it uses A::S::PosixFileLocker, not 
A::S::SysVSemaphoreLocker.  Are the docs wrong, or the code?
The docs are wrong.  You can see it refers to the semaphore locker if 
you look at the source.

Basically, you stumbled across an old article that referred to an 
obsolete version of Apache::Session, and all of your problems stem from 
that.  If you get a later version and check out the Mason handler and 
the newer documentation on masonhq.com, I think it will all start to 
make sense to you.

- Perrin