Praveen
I have had a go using your code, but for some reason I can't install
Apache2::Cookie::Jar. This is probably the reason I originally used
the APR::Request::Apache2->handle
approach. I'm using Fedora 4 at the moment and I am loath to make radical
changes at the moment since I have written tons of code for my website already.
I have been consistently using yum as my updater since it seems to work
better with Fedora 4 than cpan. I avoid using login to my site before moving
to the purchase process because this allows the user to build up a basket
and view a breakdown of the cost before committing himself. I use the
session id for the basket key with the member id 0 unless logged in. The
session id is picked up afresh each time the user calls autohandler and the
time is extended automatically with a timeout preset to 20 minutes if no
page changes or refreshes take place. I originally started a year ago using
the book "Embedding Perl in HTML with Mason", but nearly all of the examples
use mod_perl, apache, and mason at version 1, so it has been quite a
struggle. Everything is working now apart from session ids so it is very
frustrating. When I used session ids before it was using Perl CGI or PHP and
it was a doddle. I cannot believe how difficult this has been using
mod_perl 2. You used two things in your code that I don't seem to be able
to get:
Apache2::Cookie::Jar (won't install)
and
Data::GUID (I found Data::UUID)
I already store the session ids in the database; this works. I just need the
mechanism to pick up the cookie.
Jim
On 25/01/07, Praveen Ray <[EMAIL PROTECTED]> wrote:
You seem to be making the classic mistake of storing session IDs in a
global. Globals are
per process so your app will only work intermittently. Use a database or
Apache::Session
which provides many storage backends (again choose a database backend to
be future safe).
I always use Apache2::Cookie to read/write cookies. Is there an advantage
of using APR::Request::Apache2->handle ?
Here's something I use:

in PerlAccessHandler:

    use Apache2::Request ();
    use Apache2::Cookie ();    # also defines Apache2::Cookie::Jar
    use Apache2::Const -compile => qw(OK);

    sub handler {
        my ($class, $ar) = @_;
        my $r      = Apache2::Request->new($ar);
        my $jar    = Apache2::Cookie::Jar->new($r);
        # look the cookie up by the name used when it was baked
        my $cookie = $jar->cookies('my-cookie');
        if ($cookie) {
            my %values     = $cookie->value;
            my $session_id = $values{session_id};
            # try reading this session_id from sessions table. If yes, we're good
            # if not, it's a bad session_id..take 'em to login page?
        } else {
            # not logged in? go back to login page?
        }
        return Apache2::Const::OK;    # let the request continue
    }

in Mason login handler:

    use Data::GUID;

    my $user_name = $r->param('user_name');
    my $pass      = $r->param('password');
    # validate $user_name and $password, if good, generate a session:
    if (_validate($user_name, $pass)) {
        my $session_id = Data::GUID->new->as_string;
        # write this session_id into sessions table ...
        # create a cookie:
        my $value = [
            session_id => $session_id,
        ];
        my $cookie = Apache2::Cookie->new(
            $r,
            -name    => 'my-cookie',
            -value   => $value,
            -path    => '/',
            -expires => '+1h',
        );
        $cookie->bake($r);
        # redirect to 'home' page.
    }

** It doesn't scramble the cookie but should be easy to add.
----- Original Message ----
From: Jim Rey <[EMAIL PROTECTED]>
To: mason-users@lists.sourceforge.net
Sent: Thursday, January 25, 2007 9:56:37 AM
Subject: [Mason] Problem with consistent cookies
I am using Mason 2, Apache 2, mod_perl 2 and I have been banging my head
against a brick wall trying to get session ids to work. The code below has
been working perfectly on my development PC, but has suddenly refused to
work any longer when called remotely.
I use a global variable declared in my httpd.conf (these work perfectly)
MasonAllowGlobals %MyGlobal
PerlAddVar MasonAllowGlobals $MyDbh
PerlAddVar MasonAllowGlobals $MyDiag
In perl-HTML-Mason.conf I have the following modules loaded at startup:
PerlOptions +GlobalRequest
PerlModule Apache2::Request
PerlSetVar MasonArgsMethod mod_perl
PerlModule Apache::DBI
PerlModule Apache2::RequestUtil
PerlModule Apache2::Cookie
PerlModule Digest::SHA1
PerlModule Digest::MD4
PerlModule Apache2::Connection
PerlModule Apache2::RequestRec
PerlModule Apache2::Request
PerlModule Apache2::Const
PerlModule APR::Table
PerlModule APR::Request
PerlModule APR::Request::Cookie
In my autohandler I have the following code for cookies/sessions (all
variables declared using strict):
    # fetch inbound cookie
    $req = APR::Request::Apache2->handle ($r);
    $cookie_in = undef;
    $jar = $req->jar;
    if ($jar) {
        $cookie_in = $jar->get("$SessionName");
        if ($cookie_in) {
            $cookie_val = "$cookie_in";
        }
    }
    # If no cookie, create it.
    if (not $cookie_in) {
        $cookie_val = Digest::SHA1::sha1_hex (time, rand, $$);
    }
    # Save cookie for login/out and basket.
    $MyGlobal{'SessionId'} = $cookie_val;
    $SessionId = $MyGlobal{'SessionId'};
    # generate new cookie
    $cookie_out = APR::Request::Cookie->new (
        $req->pool,
        name    => "$SessionName",
        value   => $cookie_val,
        domain  => "metsys2.dev",
        expires => '+20m'
    );
    $cookie_out->version(1);    # upgrade it to conform with RFC 2109/2965.
    # send a response header
    bake ($cookie_out, $r);
-----------------------------------
All I want is to generate reliable session ids.
Does anyone have any working code that I can use?
Jim Rey
--
Jim Rey
48 Laburnum Park
Bradshaw
Bolton BL2 3BU
United Kingdom
Tel: 01204 593 222
Mob: 07816 751 874
-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share
your
opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
Mason-users mailing list
Mason-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mason-users
--
Jim Rey
48 Laburnum Park
Bradshaw
Bolton BL2 3BU
United Kingdom
Tel: 01204 593 222
Mob: 07816 751 874
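
Added example, not part of the original thread and not either poster's code: the autohandler above derives the session id from sha1_hex(time, rand, $$), all guessable inputs, and the reply notes that the cookie value is not protected. This framework-independent Perl sketch draws the id from the kernel CSPRNG, signs the cookie value with an HMAC, and checks it against a server-side record with the 20-minute idle timeout described in the thread. All sub names are hypothetical, %sessions stands in for the sessions table, and $SECRET is a constructed key.

```perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

my $IDLE_TIMEOUT = 20 * 60;                # 20-minute idle timeout, as in the thread
my $SECRET       = 'constructed-demo-key'; # assumption: real key comes from protected config
my %sessions;                              # stand-in for the sessions table: id => last seen

# 128 bits from the kernel CSPRNG instead of sha1_hex(time, rand, $$).
sub new_session_id {
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    my $got = read($fh, my $buf, 16);
    close $fh;
    die "short read from urandom" unless defined $got && $got == 16;
    return unpack 'H*', $buf;
}

# Cookie value is "<id>.<hmac>", so tampering is caught before the table lookup.
sub cookie_value { my ($id) = @_; return $id . '.' . hmac_sha256_hex($id, $SECRET) }

# Compare two strings without stopping at the first differing byte.
sub same_string {
    my ($x, $y) = @_;
    return 0 if length $x != length $y;
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Returns the session id if the cookie is authentic, known and not idle-expired.
sub check_cookie {
    my ($value, $now) = @_;
    my ($id, $mac) = ($value // '') =~ /\A([0-9a-f]{32})\.([0-9a-f]{64})\z/ or return;
    return unless same_string($mac, hmac_sha256_hex($id, $SECRET));
    my $seen = $sessions{$id};
    return unless defined $seen && $now - $seen <= $IDLE_TIMEOUT;
    $sessions{$id} = $now;                 # sliding expiry: each request extends it
    return $id;
}

my $id = new_session_id();
my $t0 = time;
$sessions{$id} = $t0;                      # the "insert into sessions" step
my $value = cookie_value($id);
(my $forged = $value) =~ tr/0-9a-f/1-9a-f0/;    # constructed tampered value
print "fresh:    ", (check_cookie($value,  $t0 + 60)           ? "ok" : "rejected"), "\n";
print "tampered: ", (check_cookie($forged, $t0 + 60)           ? "ok" : "rejected"), "\n";
print "idle 21m: ", (check_cookie($value,  $t0 + 60 + 21 * 60) ? "ok" : "rejected"), "\n";
```

Because the lookup goes through a shared store rather than a per-process global, any Apache child can validate the cookie.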