Re: Enforcing user logged in from only 1 browser?

2002-04-16 Thread Fran Fabrizio
Peter,
> 2) that depends. First, for some reasons, Internet is designed without
> "Logout". Many seldom logout from those services such as Yahoo mail, and me
> too. For the specific question you posted (one login only for an account),
> while it can be in principle designed and implemented, in

Re: Enforcing user logged in from only 1 browser?

2002-04-16 Thread Peter Bi
ay be much faster than to call SessionDBI)
Peter
- Original Message -
From: "Fran Fabrizio" <[EMAIL PROTECTED]>
To: "Peter Bi" <[EMAIL PROTECTED]>
Cc: "Jeff" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Tuesday, April 16, 2002

Re: Enforcing user logged in from only 1 browser?

2002-04-16 Thread Fran Fabrizio
Peter Bi wrote:
> If you touch SessionDBI for every request, why not go directly to the
> Basic Authentication?
1. You can't use a custom log in page
2. You can't log out unless you close your browser
3. It's for use by our employees only. They are told to enable cookies. =)
-Fran

Re: Enforcing user logged in from only 1 browser?

2002-04-15 Thread Peter Bi
If you touch SessionDBI for every request, why not go directly to the Basic Authentication? Using AuthCookie would 1) slow down the authentication process (because of an extra MD5 hash calculation) and 2) drop off 10% of users who have disabled the cookie. One of the nice features in the AuthCook

Re: Enforcing user logged in from only 1 browser?

2002-04-15 Thread Fran Fabrizio
Jeff wrote:
> Forgive a mod_perl newbie for non mod_perl thinking, but this
> is (a simplified overview) of how I would approach this:
>
> request for any protected page
> - if no existing session data [so not authenticated]
> create new session
> remember target page in session
>

RE: Enforcing user logged in from only 1 browser?

2002-04-15 Thread Jeff
ust my 2 newbie pennies...
Regards
Jeff
-Original Message-
From: Perrin Harkins [mailto:[EMAIL PROTECTED]]
Sent: 15 April 2002 16:02
To: Fran Fabrizio
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: Enforcing user logged in from only 1 browser?
Fran Fabrizio wrote:
> Unfortuna

Re: Enforcing user logged in from only 1 browser?

2002-04-15 Thread Fran Fabrizio
> You would have to do the auth part yourself, as well as the actual
> cookie handling, or else hack AuthCookie to cooperate with Apache::Session.
This is exactly what I've done. I've modified AuthCookieDBI to create an Apache::Session session as soon as it knows it has a valid user. Then if

Re: Enforcing user logged in from only 1 browser?

2002-04-15 Thread Perrin Harkins
Fran Fabrizio wrote:
> Unfortunately, there's some terminology muddling...AuthCookie calls it a
> session when it establishes that a user is a valid user and sets a
> cookie on their browser. Apache::Session considers a session a series
> of page hits from the same user. It assumes you've alr

Re: Enforcing user logged in from only 1 browser?

2002-04-15 Thread Fran Fabrizio
> I'm not sure I follow your session id problem. When I check a session, I ask
> the client for its ID, then look the session up by ID. To 'expire' the
> session, I simply delete it from the session store (File or Postgres).
The confusion is you aren't using sessions in the authentication s

Re: Enforcing user logged in from only 1 browser?

2002-04-15 Thread gphat
> It's #5 that's troublesome. I wasn't sure how I could expire the older
> session (since the session key that matters is sitting client side). I
> guess I could keep a table of invalidated session keys, and check
> against that every time in along with all the other checks going on in
> aut

Re: Enforcing user logged in from only 1 browser?

2002-04-15 Thread Fran Fabrizio
[EMAIL PROTECTED] wrote:
> How are you handling your sessions? I use Apache::Session::Postgres.
I'm using AuthCookie. A customization of AuthCookieDBI to be specific. However, I also use Apache::Session. Basically, I authenticate with AuthCookie, then I pass the authenticated username o

Re: Enforcing user logged in from only 1 browser?

2002-04-12 Thread Peter Bi
To make a perfect system like this probably needs users to sign-off faithfully by every session.
Peter Bi
- Original Message -
From: "Fran Fabrizio" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, April 12, 2002 1:22 PM
Subject: Enforcing user logged in from only 1 browser?

Re: Enforcing user logged in from only 1 browser?

2002-04-12 Thread gphat
How are you handling your sessions? I use Apache::Session::Postgres. In my scenario, if I needed to do this, I would check the list of valid sessions I have for one that exists for the user. i.e., if 'gphat' tries to log in, I check to see if any of the sessions in the db are for user gphat. If so

Re: Enforcing user logged in from only 1 browser?

2002-04-12 Thread leibniz
perhaps you can generate a new session id for each page displayed. for example a user logs in. he gets $sess_id1. automatically the session id gets changed to $sess_id2 and all the links from that page contain the second one. so if he clicks somewhere on the page he will go on to a page with the n