Perhaps I should have included the code inline. See below.
Jim Rey
-------------------------------------------------------------------------------------------
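# Note that we use the following global variables declared in httpd.conf:
#
# %MyGlobalHash - holds data values for the current session
# $MyGlobalDbh  - is the shared MySQL database handle.
#
# and
#
# $r - provides access to the Apache request object.
#
# Per-request session handling:
#   1. derive a per-client cookie name from the client IP;
#   2. if the client presents a cookie that matches a `SessionLogin` row for
#      the same IP, rotate its SessionId (a fresh id is issued on every
#      request) and carry the stored MemberId forward;
#   3. otherwise create a new anonymous `SessionLogin` row;
#   4. bake the new SessionId back to the client as a cookie.
my ($sql, $sth, $ref, $req, $cookie_in, $cookie_out, $jar, $Conn, $ClientIp);
my ($SessionName, $NewSessionId, $MemberId, $SessNo, $SessionId);

# Fetch Client IP address.
$Conn     = $r->connection;
$ClientIp = $Conn->remote_ip();

# Local = loopback or 192.168.1.0/24.  \A/\z instead of ^/$ so a trailing
# newline in the address string cannot satisfy the match.
$MyGlobalHash{'IsLocalIp'} =
    (   $ClientIp =~ /\A127\.0\.0\.1\z/
     or $ClientIp =~ /\A192\.168\.1\.(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\z/ )
    ? 1 : 0;

# Cookie name = configured prefix + MD4(client IP).  MD4 only derives a
# name here; nothing relies on it for a security property.
$SessionName = $MyGlobalHash{'SessionPrefix'} . Digest::MD4::md4_hex($ClientIp);
$MyGlobalHash{'SessionName'} = $SessionName;

# Dynamic Session Ids are being used so generate new SessionId each time.
# time, rand and $$ on their own are guessable, so mix in kernel randomness
# where the platform offers it; the id remains a 40-char sha1_hex string.
my $seed = '';
if (open my $rnd, '<:raw', '/dev/urandom') {
    read $rnd, $seed, 32;
    close $rnd;
}
$NewSessionId = Digest::SHA1::sha1_hex($seed, time, rand, $$);

# fetch inbound cookie
$MemberId  = -1;
$SessNo    = -1;
$req       = APR::Request::Apache2->handle($r);
$cookie_in = undef;
$jar       = $req->jar;
if ($jar) {
    $cookie_in = $jar->get("$SessionName");
    # Every SessionId this code stores is sha1_hex, so any other cookie
    # value cannot match a row; reject it before touching the database.
    if ($cookie_in and "$cookie_in" =~ /\A[0-9a-f]{40}\z/) {
        $SessionId = "$cookie_in";
        # The lookup is bound to ClientIp as well as SessionId, so a cookie
        # presented from a different address does not resume the session.
        $sql = 'SELECT `SessNo`, `MemberId` FROM `SessionLogin` '
             . 'WHERE `SessionId` = ? AND `ClientIp` = ?';
        $sth = $MyGlobalDbh->prepare($sql);
        $sth->execute($SessionId, $ClientIp);
        $ref = $sth->fetchrow_hashref();
        $sth->finish();
        if ($ref) {
            $SessNo   = $ref->{'SessNo'}   if defined $ref->{'SessNo'};
            $MemberId = $ref->{'MemberId'} if defined $ref->{'MemberId'};
            # Rotate the id on every hit so a presented cookie is single-use.
            $sql = 'UPDATE `SessionLogin` SET `SessionId` = ?,
`Refreshed`=NOW() WHERE `SessNo` = ?';
            $MyGlobalDbh->do($sql, undef, $NewSessionId, $SessNo);
        }
    }
}
$SessionId = $NewSessionId;

# Create new cookie.
if ($MemberId == -1) {
    $MemberId = 0;
    $sql = 'INSERT IGNORE INTO `SessionLogin` (`SessionId`, `ClientIp`)
VALUES (?,?)';
    $MyGlobalDbh->do($sql, undef, $SessionId, $ClientIp);
    # Fetch SessNo for new record.
    $sql = 'SELECT `SessNo` FROM `SessionLogin` WHERE `SessionId` = ?';
    $sth = $MyGlobalDbh->prepare($sql);
    $sth->execute($SessionId);
    $ref = $sth->fetchrow_hashref();
    $sth->finish();
    if ($ref) {
        $SessNo = $ref->{'SessNo'} if defined $ref->{'SessNo'};
    }
}

# Save SessNo for login/out and basket.
# NOTE(review): $MemberId is resolved above but not stored in %MyGlobalHash
# in this extract — confirm whatever consumes it reads it elsewhere.
$MyGlobalHash{'SessNo'} = $SessNo;

# generate new cookie
# NOTE(review): no `secure` flag is set; if the site is served over HTTPS,
# add `secure => 1` so the id is never sent in clear — confirm deployment.
$cookie_out = APR::Request::Cookie->new(
    $req->pool,
    name    => "$SessionName",
    value   => $SessionId,
    expires => '+1d',
);
$cookie_out->version(1);    # upgrade it to conform with RFC 2109/2965.

# send a response header
bake($cookie_out, $r);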
# Emit the cookie $c as a Set-Cookie header on request $r.  The header goes
# into err_headers_out so Apache sends it on error/redirect responses too.
sub bake {
    my ($cookie, $request) = @_;
    my $header = $cookie->as_string();
    # firefox hack (per the original author): unquote a `="/"` path value.
    $header =~ s{="/"}{=/};
    $request->err_headers_out->add('Set-Cookie', $header);
}
# ---------------------------------------------------------
# -- MySQL Tables used for Login and Sessions
# ---------------------------------------------------------
# CREATE TABLE IF NOT EXISTS `Member` (
# `MemberId` bigint(6) unsigned NOT NULL auto_increment,
# `Email` varchar(64) NOT NULL default '',
# `Password` tinyblob,
# `FullName` varchar(50) NOT NULL default '',
# `Initials` varchar(5) NOT NULL default '',
# `Addr1` varchar(50) NOT NULL default '',
# `Addr2` varchar(50) NOT NULL default '',
# `TownCity` varchar(25) NOT NULL default '',
# `County` varchar(25) NOT NULL default '',
# `Postcode` varchar(10) NOT NULL default '',
# `Country` varchar(60) NOT NULL default '',
# `Telephone` varchar(15) NOT NULL default '',
# `Mobile` varchar(15) NOT NULL default '',
# `LastLoggedIn` timestamp NOT NULL default CURRENT_TIMESTAMP on update CURRENT_TIMESTAMP,
# PRIMARY KEY (`MemberId`),
# UNIQUE KEY `Email` (`Email`),
# KEY `FullName` (`FullName`),
# KEY `Postcode` (`Postcode`),
# KEY `LastLoggedIn` (`LastLoggedIn`)
# ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
#
# CREATE TABLE IF NOT EXISTS `SessionLogin` (
# `SessNo` bigint(6) unsigned not null auto_increment,
# `SessionId` varchar(40) NOT NULL default '',
# `ClientIp` varchar(16) NOT NULL default '',
# `MemberId` bigint(6) unsigned NOT NULL default '0',
# `Refreshed` timestamp NOT NULL default CURRENT_TIMESTAMP on update CURRENT_TIMESTAMP,
# PRIMARY KEY (`SessNo`),
# UNIQUE KEY `SessionId` (`SessionId`),
# KEY `ClientIp` (`ClientIp`),
# KEY `Refreshed` (`Refreshed`)
# ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
# ---------------------------------------------------------
-------------------------------------------------------------------------------------------
On 12/02/07, Jim Rey <[EMAIL PROTECTED]> wrote:
I have written some session-handling code; it works OK, but how safe is it?
It is an extract and the file extension in this context is meaningless.
See file attached.
Jim Rey
--
Jim Rey
48 Laburnum Park
Bradshaw
Bolton BL2 3BU
United Kingdom
Tel: 01204 593 222
Mob: 07816 751 874
--
Jim Rey
48 Laburnum Park
Bradshaw
Bolton BL2 3BU
United Kingdom
Tel: 01204 593 222
Mob: 07816 751 874