Praveen,

I have several database cleanup scripts running under crontab that get rid
of records with expired timestamps.  I take advantage of MySQL 5's foreign
key constraints to cascade deletes and updates.

By the way, I can't get MySQL 5 Stored Procedures to work from the perl DBI.

Jim

On 26/01/07, Praveen Ray <[EMAIL PROTECTED]> wrote:

Great. Database-backed session is the way to go. I didn't know about the
APR::Request::Apache2->handle($r)->jar way of reading the cookie. Wonder
what's the difference between this and Apache2::Cookie::Jar?

Also, looks like you want your cookies to expire after 20 minutes of
inactivity. To be truly paranoid, you probably should add this check to the
SELECT query reading back the session as well.

- Praveen

----- Original Message ----
From: Jim Rey <[EMAIL PROTECTED]>
To: Praveen Ray <[EMAIL PROTECTED]>
Cc: mason-users@lists.sourceforge.net
Sent: Friday, January 26, 2007 8:59:59 AM
Subject: Re: [Mason] Problem with consistent cookies

Praveen,

I've sorted it out by commenting out the line specifying the domain in the
cookie.  At the same time, I took the opportunity to rewrite it in a more
logical way.  The whole solution was as below:

Jim

---------------------------------------------------------------------------------------------------------------------------------------------
# In: httpd.conf
# -------------------
# MasonAllowGlobals %MySiteGlobal
# PerlAddVar MasonAllowGlobals $MySiteDbh
# PerlAddVar MasonAllowGlobals $MySiteDiag

# In: perl-HTML-Mason.conf
# --------------------------------------

# PerlOptions +GlobalRequest
# PerlModule Apache2::Request
# PerlSetVar MasonArgsMethod mod_perl
# PerlModule Apache::DBI
# PerlModule Apache2::RequestUtil
# PerlModule Apache2::Cookie
# PerlModule Digest::SHA1
# PerlModule Digest::MD4
# PerlModule Apache2::Connection
# PerlModule Apache2::RequestRec
# PerlModule Apache2::Request
# PerlModule Apache2::Const
# PerlModule APR::Table
# PerlModule APR::Request
# PerlModule APR::Request::Cookie

# In: autohandler
# ----------------------

# ...
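# variables used below (%MySiteGlobal and $MySiteDbh are the Mason globals
# declared in httpd.conf)
my ($SessionName, $SessionId, $MemberId, $req, $cookie_in, $jar,
    $sql, $sth, $ref, $cookie_out);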

$SessionName = 'MySessionPrefix';

# fetch inbound cookie
$MemberId = -1;
$req = APR::Request::Apache2->handle ($r);
$cookie_in = undef;
$jar = $req->jar;
if ($jar) {
    $cookie_in = $jar->get("$SessionName");
    if ($cookie_in) {
        $SessionId = "$cookie_in";
        $sql = 'SELECT MemberId FROM SessionLogin WHERE SessionId = ?';
        $sth = $MySiteDbh->prepare ($sql);
        $sth->execute ($SessionId);
        $ref = $sth->fetchrow_hashref ();
        $sth->finish ();
        if ($ref) {
            $MemberId = $ref->{'MemberId'} if (defined $ref->{'MemberId'});
            $sql = 'UPDATE `SessionLogin` SET `Refreshed`=NOW() WHERE `SessionId` = ?';
            $MySiteDbh->do ($sql, undef, $SessionId);
        }
    }
}

# If no cookie, create it.
if ($MemberId == -1) {
    $SessionId = Digest::SHA1::sha1_hex (time, rand, $$);
    $MemberId = 0;
    $sql = 'INSERT IGNORE INTO `SessionLogin` (`SessionId`) VALUES (?)';
    $MySiteDbh->do ($sql, undef, $SessionId);
}

# Save cookie for login/out and basket.
$MySiteGlobal{'SessionId'} = $SessionId;

# generate new cookie
$cookie_out = APR::Request::Cookie->new (
    $req->pool,
    name => "$SessionName",
    value => $SessionId,
    # domain => "mywebsite.dev",    # Commented out the line causing the problem.
    expires => '+20m'
);
$cookie_out->version(1); # upgrade it to conform with RFC 2109/2965.

# send a response header
bake ($cookie_out, $r);

# ...

sub bake {
    my ($cookie_out, $r) = @_;
    my $val = $cookie_out->as_string();
    $val =~ s/="\/"/=\//;         # firefox hack
    $r->err_headers_out->add ("Set-Cookie", $val);
}
---------------------------------------------------------------------------------------------------------------------------------------------


On 25/01/07, Praveen Ray <[EMAIL PROTECTED]> wrote:
>
> You seem to be making the classic mistake of storing session IDs in a
> global. Globals are
> per process so your app will only work intermittently. Use a database or
> Apache::Session
> which provides many storage backends (again choose a database backend to
> be future safe).
>
> I always use Apache2::Cookie to read/write cookies. Is there an
> advantage of using APR::Request::Apache2->handle ?
>
> Here's something I use:
>
> in PerlAccessHandler:
>
> sub handler {
>     my ($class, $ar) = @_;
>     my $r   = Apache2::Request->new($ar);
>     my $jar = Apache2::Cookie::Jar->new($r);
>     # fetch the session cookie by the name the login handler below sets
>     my $cookie = $jar->cookies('my-cookie');
>     if ($cookie) {
>         my %values     = $cookie->value;
>         my $session_id = $values{session_id};
>         # try reading this session_id from sessions table. If yes, we're good
>         # if not, it's a bad session_id..take 'em to login page?
>     } else {
>         # not logged in? go back to login page?
>     }
> }
>
> in Mason login handler:
> my $user_name = $r->param('user_name');
> my $pass           = $r->param('password');
> # validate $user_name and $password, if good, generate a session:
> if (_validate($user_name, $pass)) {
>     my $session_id  = Data::GUID->new->as_string;
>     # write this session_id into sessions table  ...
>     # create  a cookie:
>     my $value = [
>              session_id     => $session_id,
>     ];
>     my $cookie = Apache2::Cookie->new(
>                                    $r,
>                                    -name  => 'my-cookie',
>                                    -value  => $value,
>                                    -path   => '/',
>                                    -expires => '+1h',
>     );
>     $cookie->bake($r);
>     # redirect to 'home' page.
> }
> It doesn't scramble the cookie but should be easy to add.
>
> ----- Original Message ----
> From: Jim Rey <[EMAIL PROTECTED] >
> To: mason-users@lists.sourceforge.net
> Sent: Thursday, January 25, 2007 9:56:37 AM
> Subject: [Mason] Problem with consistent cookies
>
> I am using Mason 2, Apache 2, mod_perl 2 and I have been banging my head
> against a brick wall trying to get session ids to work.  The code below has
> been working perfectly on my development PC, but has suddenly refused to
> work any longer when called remotely.
>
> I use a global variable declared in my httpd.conf (these work perfectly)
>
> MasonAllowGlobals %MyGlobal
> PerlAddVar MasonAllowGlobals $MyDbh
> PerlAddVar MasonAllowGlobals $MyDiag
>
> In perl-HTML-Mason.conf I have the following modules loaded at startup:
>
> PerlOptions +GlobalRequest
> PerlModule Apache2::Request
> PerlSetVar MasonArgsMethod mod_perl
> PerlModule Apache::DBI
> PerlModule Apache2::RequestUtil
> PerlModule Apache2::Cookie
> PerlModule Digest::SHA1
> PerlModule Digest::MD4
> PerlModule Apache2::Connection
> PerlModule Apache2::RequestRec
> PerlModule Apache2::Request
> PerlModule Apache2::Const
> PerlModule APR::Table
> PerlModule APR::Request
> PerlModule APR::Request::Cookie
>
>  In my autohandler I have the following code for cookies/sessions (all
> variables declared using strict):
> # fetch inbound cookie
>
> $req = APR::Request::Apache2->handle ($r);
> $cookie_in = undef;
> $jar = $req->jar;
> if ($jar) {
>     $cookie_in = $jar->get("$SessionName");
>     if ($cookie_in) {
>         $cookie_val = "$cookie_in";
>     }
> }
>
> # If no cookie, create it.
>
> if (not $cookie_in) {
>     $cookie_val = Digest::SHA1::sha1_hex (time, rand, $$);
> }
>
> # Save cookie for login/out and basket.
>
> $MyGlobal{'SessionId'} = $cookie_val;
> $SessionId = $MyGlobal{'SessionId'};
>
> # generate new cookie
>
> $cookie_out = APR::Request::Cookie->new (
>     $req->pool,
>     name => "$SessionName",
>     value => $cookie_val,
>     domain => "metsys2.dev",
>     expires => '+20m'
> );
>
> $cookie_out->version(1); # upgrade it to conform with RFC 2109/2965.
>
> # send a response header
>
> bake ($cookie_out, $r);
>
> -----------------------------------
>
> All I want is to generate reliable session ids.
> Does anyone have any working code that I can use?
>
> Jim Rey
> --
> Jim Rey
> 48 Laburnum Park
> Bradshaw
> Bolton BL2 3BU
> United Kingdom
> Tel: 01204 593 222
> Mob: 07816 751 874
>
> -------------------------------------------------------------------------
> Take Surveys. Earn Cash. Influence the Future of IT
> Join SourceForge.net's Techsay panel and you'll get the chance to share
> your
> opinions on IT & business topics through brief surveys - and earn cash
>
> http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
> _______________________________________________
> Mason-users mailing list
> Mason-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/mason-users
>
>


_______________________________________________
Mason-users mailing list
Mason-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mason-users
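
Added example, not part of the original thread or of anyone's posted code: the idle-timeout check suggested above for the SELECT that reads the session back. The cookie's expires => '+20m' is only honoured by the browser, so the server has to reject stale rows itself until the cron cleanup removes them. Assumptions: DBD::SQLite stands in for MySQL so the script runs offline, Refreshed holds epoch seconds, and new_session_id and lookup_session are hypothetical helper names.

```perl
#!/usr/bin/perl
# Added example: enforce the 20-minute idle timeout in the session lookup.
# Assumptions: DBD::SQLite stands in for MySQL; Refreshed is epoch seconds.
# With a DATETIME column on MySQL the extra predicate would be:
#   AND Refreshed > NOW() - INTERVAL 20 MINUTE
use strict;
use warnings;
use DBI;

my $IDLE_SECONDS = 20 * 60;    # same window as the cookie's '+20m'

my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '', { RaiseError => 1 });
$dbh->do('CREATE TABLE SessionLogin (SessionId TEXT PRIMARY KEY,
          MemberId INTEGER NOT NULL DEFAULT 0, Refreshed INTEGER NOT NULL)');

# Session ids are drawn from the OS CSPRNG, so they cannot be guessed from
# the clock, rand() or the process id.
sub new_session_id {
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    read($fh, my $buf, 32) == 32 or die 'short read from urandom';
    close $fh;
    return unpack 'H*', $buf;
}

# Returns the MemberId of a live session, or undef if unknown or idle too long.
sub lookup_session {
    my ($dbh, $sid, $now) = @_;
    my ($member) = $dbh->selectrow_array(
        'SELECT MemberId FROM SessionLogin WHERE SessionId = ? AND Refreshed > ?',
        undef, $sid, $now - $IDLE_SECONDS);
    return undef unless defined $member;
    # Slide the idle window only for sessions that passed the check.
    $dbh->do('UPDATE SessionLogin SET Refreshed = ? WHERE SessionId = ?',
             undef, $now, $sid);
    return $member;
}

# Constructed sample data: one fresh session, one idle for 21 minutes.
my $now = time;
my ($fresh, $stale) = (new_session_id(), new_session_id());
my $ins = $dbh->prepare('INSERT INTO SessionLogin VALUES (?, ?, ?)');
$ins->execute($fresh, 42, $now - 60);
$ins->execute($stale, 43, $now - 21 * 60);

for my $case ([fresh => $fresh], [stale => $stale], [unknown => new_session_id()]) {
    my $member = lookup_session($dbh, $case->[1], $now);
    printf "%-7s -> %s\n", $case->[0], defined $member ? "MemberId $member" : 'rejected';
}
```

A rejected lookup should be handled like a missing cookie: issue a new session id rather than reviving the old row.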
