I've written a session library for AxKit.
In part this was because I found both A::X::Session and
A::X::BasicSession hard to either make work or understand, but also
because I wanted a library I could use from both Perl and XSP (the
latter being a thin SimpleTaglib layer thrown round the former).
Anyway, I wondered if other people might find this interesting or
useful.
At present everything lives in the AN:: namespace I use for local
stuff and the installation script is laughably parochial, so some work
will be needed before I could upload it to CPAN. If there's interest
then I'm happy to do that, but if not then I'd rather leave things as
they are.
Rather, I attach a couple of files: the one is a short chunk of
documentation, the other an example XSP page I've been playing with.
So:
1. Is anyone else interested ?
2. If they are what should I call the thing ? A::X::YASession ?
Cheers,
--
M.
NAME
AN::Session - Another session library for AxKit et al.
DESCRIPTION
Another session library for AxKit and friends. Unlike other libraries,
this is not just an XSP affair: rather it is explicitly designed to be
called from both normal Perl and XSP. Having discussed what we do
provide it seems only fair to admit now to a complete lack of
integration with the normal Apache authentication and authorization
framework.
Within AxKit, a plugin will normally be used to initialize a singleton
session object at the start of the handler chain. The session object may
be tied to persistent session data but this is not mandatory. Thus we do
not pollute session ID space without reason. Unsurprisingly the session
object provides methods to create new sessions, delete old ones, and
generally kick them around. Rather than reinvent the wheel,
Apache::Session::Flex provides theses basic session services.
More explicitly, our constructor allows us to specify either a session
ID, or an ID manager object. If an ID is provided at creation (either
explicitly as an ID or implicitly via the manager) and a session with
that ID exists then we attach that session. If the session ID
subsequently changes (either because we disconnect from a session or
because we create a new session) then the ID manager is notified.
For example AN::Session::IDManager::Cookie implements a manager which
stores and saves session IDs in Apache cookies: this makes sessions
persist between separate requests from the user\'s browser. All the
clever stuff cookie handling is done by Apache::Cookie.
At its simplest, the session support we are discussing here is just a
persistent store and accordingly the interface we provide to the session
is the usual get, set, and delete accessor methods.
Inevitably there is a little more complexity: for a start we provide
three system managed attributes: the session ID, the time we created the
session, and the time of last access.
Finally, rudimentary support for authentication is provided: users can
present a username and password which will then be authenticated. It
must be emphasized that this does not connect to Apache\'s own
authentication service. Rather, the module stores the username and
password in the session, and lets the application worry about
authorizing requests. To facilitate this, we simply provide a couple of
system attributes for username and password, and a method to login.
We repeat: this implementation stores the password in plaintext in the
session. This might be a security hole.
Alert readers will spot at least two application specific problems
above: the Session::Flex module needs to be configured, and
authenticating a user is clearly problem dependent. Often then, people
should derive their own class from AN::Session and use that instead.
However, since a particular application might use the same sessions in a
variety of applications: perhaps inside Apache and from the command
line, the ID manager is a wholly separate object.
METHODS
Session Management
In which methods are found to create a new session object and optionally
tie it to an underlying datastore.
new($id_manager, $flex_opts)
Create a new session object. If $id_manager is defined then it must
either be the ID of a session or an object which will yield an ID
when its get_id method is called. If an ID is found, attach those
data to the session object.
More explicitly, if $id_manager is an object then
$id_manager->get_id
is called to get a session ID: the method should return the ID
or undef.
$id_manager->put_id($id)
is called when the ID changes (perhaps to undef).
Conversely, if $id_manager is a simple scalar then it will be taken
as the session ID, and changes to the ID will not trigger any
external event.
$flex_opts is an optional argument which stores simple configuration
data for Apache::Session::Flex. In most cases, users will derive a
class which has its own flex_opts method which makes this redundant.
create
Create a new session in the session datastore (c.f. the new method
above).
destroy
Remove this session from the session datastore.
untie_session
Disconnect the backing datastore from this object. Typically this
will be done by the object\'s destructor. The session remains
unchanged in the datastore but is no longer accessible (without
reconnecting to said store).
is_tied
Return a Boolean telling the caller if there is a backing datastore.
Attributes
In which is found the usual accessor methods for tickling a hash. The
only major restriction is that hash keys beginning with _ are reserved
for system use.
attributes
Return the whole hash.
attribute_list
Return the hash keys.
get_attribute($key)
Generic read accessor.
set_attribute($key, $value)
Generic write accessor.
remove_attribute($key)
Generic deletor.
get_id
Return the ID of the session.
get_creation_time
Return the time (scalar localtime) at which the session was created.
get_last_accessed_time
Return the time (scalar localtime) at which the session was most
recently accessed.
Logging in
In which is found functions to login a user.
login($user, $password)
Login the user or return undef.
is_logged_in
Return a Boolean telling the caller if someone has successfully
logged in.
get_usename
Return the username.
get_password
Return the password.
Session qua base class
In which is found methods which will probably be redefined in derived
classes.
authenticate($user, $password)
Given a user and password, authenticate the former. If it works
return 1 otherwise return undef.
The default implementation always returns 1.
flex_opts
Return the options we use when tieing to the backing store. See
Apache::Session::Flex for more details.
The default implementation passes the $flex_opts argument supplied
to the constructor.
AxKit integration
Plugin
Most of the time it makes sense to create the session object early in
the request: the details of this can then be forgotten.
AN::AxKit::Plugin::Session does precisely this, making a singleton
session object availble at $AN::AxKit::Plugin::Session::s.
XSP
The discussion above relates to perl callable methods which are handy
when writing Perl modules, or <xsp:logic>sessions. However,
AN::AxKit::XSP::Session provides XSP equivalents to all these functions
in the http://adamsnames.tc/session/v1 namespace.
Unsurprisingly the XSP targets the session object created by the plugin
above.
AUTHOR
Dr M J Oldfield, AdamsNames Ltd.
SEE ALSO
AN::Session::IDManager::Cookie, AN::AxKit::Plugin::Session,
AN::AxKit::XSP::Session.
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
