Joshua;

> I would not necessarily use $Session for this however, but create
> an alias to these vars like:
>
>   use vars qw($Env);
>   sub Script_OnStart {
>       $Env = $Request->ServerVariables;
>   }

Actually, I do want these data to persist between requests. My goal is to retain the REMOTE_GROUPS variable set by AuthDBI and use it in unprotected pages to provide different views, depending on the REMOTE_GROUPS permissions.

> Let me know if you continue to think there is a real bug here
> and we'll get to the bottom of it.

Actually, I do think that there is a bug. However, it is NOT with Apache nor Apache::ASP. After several tests, my session On_Start event, and session variables all appear to work properly across sessions. The problem only appears AFTER I perform an authentication and authorization using Apache::DBI.

After I authenticate, the REMOTE_GROUPS and REMOTE_USER (but NOT the REMOTE_GROUP) are ALWAYS set to the last user's information, regardless of the session. That is, even after closing the browser and opening the browser again, the last REMOTE_GROUPS and REMOTE_USERS (or REDIRECT_REMOTE_GROUPS) variables are set to the last values. This is a naughty security hole.

In order to make AuthDBI work on Win32, I had to remove all references to the IPC::SysV calls. Attached is my modified AuthDBI.pm. I believe that the problem lies with the caching logic within AuthDBI, but I haven't tracked it down yet. I believe that the cache is disabled in the attached code.

JL

AuthDBI.pm
Description: Binary data