Re: AuthSession Manager [was] Apache::AuthCookie not set cookie really

[Perrin Harkins]

> Application's main goals
> 1. Simple install.
> I don't want use cron jobs for cleanup - I think, it can be problem
> for some users.

Most of the existing session stuff is written to leave cleanup to you.  If
you don't want to use cron jobs, you can do it in a cleanup handler,
possibly exec'ing a separate script to avoid keeping the heavy mod_perl
process around.

> I need to authorize user and don't want to query on every request is
> you admin, which departments you belong to etc..

Unless you're willing to put real information in the cookie (not just an
ID), you have to do some kind of lookup on the server-side for every request
if they need session information.  It may not be to a database though.  If
you know that each user will stay on a single server, you can use a
disk-based technique like Cache::FileCache or Apache::Session::File.

> Apache::AuthCookie doesn't want to set cookie on redirect (see above).

There's a lot of stuff in the archives about cookies and redirects.  Maybe
that will help.  You're not the first person to have problems with this.

> I don't think that it is good to use the Oracle database for
> maintaining state or secrets for tickets. It can be slower than query
> indexed table even on every request for password and departments where
> user works.

It's generally fast enough, since it's a single row retrieved by ID.  MySQL
is very fast at this kind of thing though.

- Perrin

AuthSession Manager [was] Apache::AuthCookie not set cookie really

[BeerBong]

> Hello all!
>
> Odd thing - all should works fine.
> I use Apache::AuthCookie for my project Agenda.
> I wrote descendant - Apache::AuthCookieAgenda
> 
> package Apache::AuthCookieAgenda;
>
> use strict;
> use Apache;
> use Apache::Constants qw(:common);
> use Apache::AuthCookie;
> use Agenda;
>
> use vars qw($VERSION @ISA);
>
> $VERSION = substr(q$Revision: 1.1 $, 10);
> @ISA = qw(Apache::AuthCookie);
>
> sub authen_cred ($$\@) {
> my $self = shift;
> my $r = shift;
> my @creds = @_;
>
> # This would really authenticate the credentials
> # and return the session key.
> # Here I'm just using setting the session
> # key to the credentials and delaying authentication.
> #
> # Similar to HTTP Basic Authentication, only not base 64 encoded
>
> join(":", @creds);
> }
>
> sub authen_ses_key ($$$) {
> my $self = shift;
> my $r = shift;
> my($user, $password) = split(/:/, shift, 2);
>
> my $modeller = Agenda->new();
> $r->warn("Auth - $user - $password");
>
> # Authenticate use here...
> $modeller->authorize($user, $password) eq "OK" ? $user : undef;
>
> }
> 
> In conf file
> 
>
> 
>  use lib qw(/usr/web/inc /usr/web/dev.webzavod.ru/modules);
>  use Apache::Agenda;
>  use Apache::AuthCookieAgenda;
> 
> PerlInitHandler Apache::Reload
> PerlSetVar AuthCookieDebug 10
>
> 
>   SetHandler perl-script
>   PerlHandler Apache::Agenda
>
>   PerlSetVar AgendaPath /agenda
>   PerlSetVar AgendaTemplate default.inc
>   PerlSetVar AgendaSessionDir /tmp
>   PerlSetVar AgendaLoginScript /agenda/login/
>
>   AuthType Apache::AuthCookieAgenda
>   AuthName Agenda
>   PerlAuthenHandler Apache::AuthCookieAgenda->authenticate
>   PerlAuthzHandler Apache::AuthCookieAgenda->authorize
>   require valid-user
>
> 
> 
>   AuthType Apache::AuthCookieAgenda
>   AuthName Agenda
>   SetHandler perl-script
>   PerlHandler Apache::AuthCookieAgenda->login
> 
>
>
> 
> when I'm trying to access /agenda/ files I get login page, but after
> submit a form, I return to login page again.
> In logs
> 
>
> [Mon Jan 28 12:38:35 2002] [error] credential_0 asdasd
> [Mon Jan 28 12:38:35 2002] [error] credential_1 asdasd
> [Mon Jan 28 12:38:35 2002] [error] ses_key asdasd:asdasd
>
> OUT Headers goes here
>
> $VAR1 = 'Pragma';
> $VAR2 = 'no-cache';
> $VAR3 = 'Cache-control';
> $VAR4 = 'no-cache';
> $VAR5 = 'Location';
> $VAR6 = '/agenda/tasks/';
>
> Error OUT Headers goes here
>
> $VAR1 = 'Set-Cookie';
> $VAR2 = 'Apache::AuthCookieAgenda_Agenda=asdasd:asdasd';
> $VAR3 = 'Pragma';
> $VAR4 = 'no-cache';
>
> Redirecting...
> and next phase
>
> [Mon Jan 28 12:38:35 2002] [error] auth_type
Apache::AuthCookieAgenda
> [Mon Jan 28 12:38:35 2002] [error] auth_name Agenda
> [Mon Jan 28 12:38:35 2002] [error] ses_key_cookie
>
> Cookie field is empty here - I don't know why...
> Cookie is set via error headers, I know that it is correct for
> REDIRECT responses...
> ses_key_cookie is empty, therefore authen_ses_key not even
requested,
> redirecting to login form again.
>
> [Mon Jan 28 12:38:35 2002] [error] uri /agenda/tasks/
> [Mon Jan 28 12:38:35 2002] [error] auth_type
Apache::AuthCookieAgenda
> [Mon Jan 28 12:38:35 2002] [warn] Header Dump:
> GET /agenda/tasks/ HTTP/1.0
> Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
> application/vnd.ms-excel, application/vnd.ms-powerpoint,
> application/ms
> word, */*
> Accept-Encoding: gzip, deflate
> Accept-Language: ru
> Cache-Control: no-cache
> Cookie: SESSION_ID=1000_56535df97f6ed52c
>
> I used Apache::Session::Counted, and know that this two modules may
> conflict, but when all Apache::Session::Counted staff is commented
> result is the same...
>
> Host: warzavod:81
> Referer: http://warzavod/agenda/tasks/
> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;
> Q312461)
> X-Real-IP: 195.209.67.7
>
> I dont know why cookie is not set.
>
> Is there anywhere comparison table for
> Apache::AuthCookie - Apache::AuthTicket
> and table for
> Apache::Session modules - I use Apache::Session::Counted as the
single
> not-database solution wich I found for maintaining state with
cleanup
> feature. Or is there anywhere cleanup example for Apache::Session -
I
> didn't find... Apache::Session::Lock::File->clean cleans up only
lock
> files...
> Apache::ASP - has a good session state algorithm with cleanup...

Ok.
I readed the previous discuss with
http://marc.theaimsgroup.com/?t=10110064594&r=1&w=2
And ask the question in more general form.

Our team writing project management open source system Agenda.
There is a couple groupware application written on php, I installed
every of them.
All of them