Apache::ASP cookieless sessions question
Hi, Throughout my web pages I provide a link for the user to login, which
goes to a username/password check which then forwards the user back to the
original page where he clicked "login". The login link is implemented with:
a href="/user/login?return_url=%=$Server-URLEncode($ENV{REQUEST_URI})%"
login
/a
And of course /user/login (an ASP script) will eventually
$Response-Redirect() the client to the original URL. The only problem is
that if a client's browser has cookies disabled, the ?session-id=blah
doesn't get encoded into their URL (thanks to SessionQueryParse) when they
first type it the URL. So if they type "www.foo" and click login, it just
takes them back to "www.foo" without preserving the session-id, and it looks
like they haven't logged in at all (and indeed they are running under a
different session-id). If they load "www.foo" and click on a link which I
typed in as "www.foo" they stay in the same session because the link becomes
"www.foo?session=blah". Then logging in works fine.
So, is there a way I can make the Apache::ASP handler (or some other
component of Apache) redirect cookieless clients to scripts whose URIs
contain a session id?
The other related problem is that when a client that allows cookies visits a
page for the first time, all their link URLs have session-ids parsed into
them unnecessarily.
This is the method that I have in mind that I think would resolve these
issues. A hit to a web page with session tracking does this:
Hit to "www.foo/bar". If client delivers session-id cookie, deliver plain
page for cookied clients. If query string contains session-id, deliver a
page with session-ids parsed into links for cookieless clients. If client
delivers no cookie and session-id is not in URL, set cookie and redirect to
self-URL with session-id parsed in.
Even this isn't perfect though, since the URI will sometimes unnecessarily
contain the session-id value for cookied browsers. This will still
contaminate the return_url for my login procedure, but at least the link and
image URLs from the first page won't be uglified.
The perfect solution would be to redirect the client to the self-URL without
the session-id in their query string when *both* a cookie is sent and a
session-id is in the query string. Combined with the method above, this
would result in a cookied browser doing:
1. user types "www.foo", server receives no cookie
2. server sends cookie and forwards to "www.foo?session-id=blah"
3. server receives cookie and forwards to "www.foo"
4. server delivers plain "www.foo"
And a cookieless browser:
1. user types "www.foo", server receives no cookie
2. server sends cookie and forwards to "www.foo?session-id=blah"
3. server receives no cookie and delivers request for "www.foo" with
session-ids parsed into all links
Basically, the stable cases (sending cookies OR sending ids in query-string)
are fine, it's just the cases of neither or both being sent that need to be
fixed.
So... can I make these sorts of things happen? Should I care? Is there a
way I can find out whether the user's browser is cookied for session-id from
within the ASP script?
Thanks,
shimon.
p.s. Apache::ASP is great! I love it! What a timesaver and so easy to work
with!
I got it to work: apache fails to work with mod_perl
Hey just so you know, I got it to work, but I made some changes, that is switched Redhat 7.0 to Redhat6.2 apache3.12 to 3.14 mod_perl-1.24 to 1.24_01 the problem was probably in Redhat7.0, but don't quote me on this because I changed all 3 variables (RH, apache and mod_perl) but it works now Dennis I'm having a problem making apache work with mod_perl. Short problem description is: when I compile apache by itself, it = works, but when I compile mod_perl (which builds apache also) it doesn't work = and gives me an error that's on = http://www.apache.org/docs/misc/FAQ-D.html#nfslocking=20 When I am trying to fix the error as it says on the page, apache is = still behaving the same way, that is -- not working and giving me the = same error. I am using RedHat Linux 7.0
Re: Apache::ASP cookieless sessions question
Shimon Rura wrote:
Hi, Throughout my web pages I provide a link for the user to login, which
goes to a username/password check which then forwards the user back to the
original page where he clicked "login". The login link is implemented with:
a href="/user/login?return_url=%=$Server-URLEncode($ENV{REQUEST_URI})%"
login
/a
And of course /user/login (an ASP script) will eventually
$Response-Redirect() the client to the original URL. The only problem is
that if a client's browser has cookies disabled, the ?session-id=blah
doesn't get encoded into their URL (thanks to SessionQueryParse) when they
first type it the URL. So if they type "www.foo" and click login, it just
takes them back to "www.foo" without preserving the session-id, and it looks
like they haven't logged in at all (and indeed they are running under a
different session-id). If they load "www.foo" and click on a link which I
typed in as "www.foo" they stay in the same session because the link becomes
"www.foo?session=blah". Then logging in works fine.
SessionQueryParse runtime session-id insertion into query strings
to handle cookieless clients should cover $Response-Redirect() URLs
too. The problem is that you are redirecting to an absolute URL,
where the matching algorithm normally covers only links relative
to the current server. The solution is to configure SessionQueryParseMatch
with a regexp that matches URLs that you also want session-ids inserted
into, so you can handle what the user typed in.
The other related problem is that when a client that allows cookies visits a
page for the first time, all their link URLs have session-ids parsed into
them unnecessarily.
There is an optimization that if the client presents any cookies at
all, then the session-ids won't be inserted into URLs. So in
Script_OnStart, you can check for a permanent cookie, and if the client
doesn't have it, then set one. Then all subsequent visits, the client will
not have session-id's parsed in. Also, you can provide a "cookie shield"
for your site, by marking a value in $Session, like $Session-{CookiesOn} = 1
and if set do nothing, otherwise, set, and redirect to current URL; with
SessionQueryParse enabled, this should be simple logic, as they will
always have a session-id on the next request, and that value will be marked.
This is the method that I have in mind that I think would resolve these
issues. A hit to a web page with session tracking does this:
Hit to "www.foo/bar". If client delivers session-id cookie, deliver plain
page for cookied clients. If query string contains session-id, deliver a
page with session-ids parsed into links for cookieless clients. If client
delivers no cookie and session-id is not in URL, set cookie and redirect to
self-URL with session-id parsed in.
I think it is better to do these things per site, as redirects
do not cover form based scenarios, as form POST input will be lost,
so its not a truly generic solution. It may be that a site running
SessionQueryParse will want to handle form requests on the first
incoming request, I think the better hack is setting the permanent
cookie.
The perfect solution would be to redirect the client to the self-URL without
the session-id in their query string when *both* a cookie is sent and a
session-id is in the query string. Combined with the method above, this
would result in a cookied browser doing:
1. user types "www.foo", server receives no cookie
2. server sends cookie and forwards to "www.foo?session-id=blah"
3. server receives cookie and forwards to "www.foo"
4. server delivers plain "www.foo"
That's a lot of requests to serve up a first page to a site.
Average content web sites have something like 2-3 page requests
per user, and we are creating 3 request just for the first hit,
doubling the number of requests necessary to handle the user.
I think the logic here is simple if you want to implement it,
but I worry about it being a generic solution.
# assumes SessionQueryParse enabled
sub Script_OnStart {
# use permanent cookie for a hint, if available
unless(%{$Request-{Cookies}} || $Session-{CookiesOn}) {
$Session-{CookiesOn} = 1;
$Response-{Cookies}{Perm} = { Value = 1, Expires = 86400 * 365 };
$Response-Redirect(
$Server-URL(
File::Basename::basename($0),
$Request-{QueryString)
)
);
}
}
If SessionQueryParse weren't enabled, then for a cookieless
client, this solution would loop infinitely, and there needs
to be other logic enabled to make this happen.
So... can I make these sorts of things happen? Should I care? Is there a
way I can find out whether the user's browser is cookied for session-id from
within the ASP script?
I think the SessionQueryParseMatch will be key for you, as well
as the permanent cookie trick.
p.s. Apache::ASP is great! I love it! What a timesaver and so easy to
Re: ModPerl job in Manhattan, NY
Ruben I. Safir 1600 East 17th Street Brooklyn, NY 11230 1-718-382-5752 [EMAIL PROTECTED] Skills UNIX, Apache Web Server administration, Networking Administration, C programming, Perl and Perl DBI, SQL, UNIX Script Language, HTML. Introduction to Java and C++. Operating Systems Unix, Linux, BSDI, DOS, Windows, NT Related Skills PageMaker, PhotoShop, GIF Animation, POV Raytracing Art Skills, hardware troubleshooting, PC Installation, Scanning Apache Administration, IP Setup. Experience Feb 2000 Sapphire Software of Brooklyn - Installed Slashdot Clone for Client and set up basic IP networking. March 1999 - Present The New School - Teach Perl and Web Technologies in the continueing education program May 1998 - Present New York University - Manager of Intranet and Software Development and Project Manager. Wrote numerous database driven Web programs using DBI, ModPerl and Perl. Installed and imported the clinical database to Oracle On Red Hat Linux. Ported an Intranet Site from a Windows95 environment to Unix, fixing links using SED and Perl. Ported a DOS medical database from a flat binary Database to MYSQL RDMS using Perl. As the old database is still being used live, the port has to be repeated on a daily basis. Fixed large amounts of bad data. Combined it's 5 directories of data because it originally had a maximum of 32,000 patients. All five database binaries had to be combined into one MYSQL Database. Designed the new schema and built a front end for the over 3,000,000 transactions using CGI techniques , modperl, embperl, javascript and Perl. Installed Apache on Linux while building modules and perl extensions. Instructed co-workers in the basics of Unix administration, while creating a secure web server. Automated the data import to be pooled daily using CRON over IPX from production servers. Dec 1994 - Present Jewish Billboard and Brooklyn on Line - Web Site Administrator and Page Creator. Performed webpage creation skills including CGI writing in C and Perl. Currently developing a Shopping Cart with client side administration, and accounting tools. Extensive use of Perl and MYSQL on a BSDI OS. (http://www.wynn.com/jewish and http://www.brooklynonline) . July 1997 - December 1997 Maramont Corporation: Establish an Intranet with the Apache Webserver Supported about 25 machines on an intranet with Windows Clients and a UNIX Server. Designed and replaced various windows based document management programs which were constraining the corporations ability for web based technology. Wrote several Perl CGI's to parse our production label database into CGI - Netscape output. This eased label design. It permitted the use of Pagemaker to work with the specialized Zebra Bar-code printers over the UNIX print server. Worked with Fox Pro 2.6a and a Database product called TRO to support and helped develop a Purchasing database on Windows 3.11 and Novel. Installed and supported all cooperate software, Photo Shop, Pagemaker, Scanning techniques, Word, Lotus, ect. June 1995 - June 1997 Medical Arts - Part-time Pharmacist Sept 1995 - Feb 1996 Graduate Student Professor at LIU College of Pharmacy in compounding labs. Sept 1984 - 1996 Karson Pharmacy - Full and Part-time Pharmacist. 1981 - 1987 US ARMY - Honorable discharge Education: Sept - Jan 1998 NYU: C++ and Unix Programing April - Oct 1996 Cope Institute: Programming course in UNIX Programming, Shell Scripting, SQL, embedded SQL in C and Oracle. Sep 1995 - Feb 1996 LIU: Fellowship and Ph.D. candidate for Pharmaceutics. Jan 1983 - Sept 1988 LIU Brooklyn Campus: Graduate of Pharmacy Interests and Hobbies Birds and Parrots, Art History, Local History, Jazz, NYC, Writing, Teaching Perl and HTML
Re: apache fails to work with mod_perl .. (old PerlRequire conf/startup.pl + more info)
I have found that I can now build an apache_1.3.14 binary with mod_perl-1.24 . I had to rebuild the perl5.6.0 binary with config_args: config_args='-des -Doptimize=-02 -march=i386 mcpu=686 -Dcc=gcc -Dcccdlflags=-fPIC -Darchname=i386-linux -Dd_dosuid -Dd_semctl_semun -Di_db -di_ndbm -Di_gdbm -Di_shadow -Uuselargefiles' These arguments are how the binary shipped with RedHat7 was configured. Does anyone see something here I should worry about? Also, make test is failing about 3/4 of the tests. But at least it is running. -- Danny Aldham Providing Certified Internetworking Solutions to Business www.postino.com E-Mail, Web Servers, Web Databases, SQL PHP Perl
Re: Problem with Apache::DBI
Hi Ken, There is neither any error message generated in the error_log neither on linux prompt. Thanks for writing, Pritesh. On Friday, October 13, 2000 at 01:30:50 AM, Ken Williams wrote: [EMAIL PROTECTED] (Pritesh Thakor) wrote: I installed Apache::DBI-0.87 on Apache 1.3.9, Perl 5.00503, mod_perl 1.2.1 running on RedHat Linux 6.1 and I am trying to connect to MySQL 3.22.32. After making necessary changes in httpd.conf i.e. PerlModule Apache::DBI and giving the command /etc/rc.d/init.d/httpd restart generates the message Shutting donw http: [FAILED] Starting http: [ OK ] Now when I request a page from the browser, a window populates displaying a message "Connection refused. The server may not be accepting connections." I also tried connecting to MySQL in startup file, but it is not working. If there is anything more to be done or I am doing something wrong, please let me know. Any errors in the log? ------ Ken Williams Last Bastion of Euclidity [EMAIL PROTECTED]The Math Forum pritesht e-mail: [EMAIL PROTECTED] Feed Your Greed !!! Get your 10MB Free space only at http://www.forindia.com NOW!
