On Mon, 5 Mar 2001, Daryl Campbell wrote:

> Cees' suggestion seems to unlock part of the browser behaviour puzzle 
> that we are trying to solve to meet the following requirements for a 
> PerlAuthenHandler:
> 
> *URL based session handling if cookies not enabled,
> *LDAP authentication,
> *Force reauthentication if given inactivity period passed,
> *Maintain state information in main memory, no DBI store required.
> 
> So now our session state information is "Time_last_accessed and Next_realm", 
> or generate the realm based on current time if inactivity period lapsed.
> Assuming that we are sending an AUTH_REQUIRED when inactivity period is
> lapsed.

Forget about Realms and AUTH_REQUIRED headers if you want to do the
above.  You can use Apache::AuthCookieURL to handle passing session IDs to
and from the browser (Requirement #1).  You will have to override 2
functions (writing them should be very straight forward):

authen_cred() which will verify the credentials passed from the login form
(using LDAP in your case, Requirement #2) and create a new session for
them.  And authen_ses_key() which will verify that the user's session ID is
still valid, or if it needs to be expired (Requirement #3, if you return
nothing from this function, Apache::AuthCookieURL will redirect the user
to the login page automatically).

Now you should have a mechanism that handles your session keys for you,
but you still need to store the session data somewhere.  I have used
Apache::Session with good success, but there are others available as well.

I would be careful about storing session info in memory (Requirement #4).  
If your server gets hit hard, you could very quickly run out of memory.  
You would have to put some memory limits in place, and that means saving
inactive sessions to disk.  It really depends on your setup, and how many
concurrent users you are planning to have.  

1.  If you aren't going to have many users, your machine won't be that
busy, so you might as well save to a database. 
2.  If you are going to be very busy, you will probably have too many
sessions active to be able to store them in main memory.
3.  If you are really busy, but you don't have much to store in the
session, you might as well encrypt the data and send the info in the
cookie/URL instead of passing the sessionkey.

But if you still want to do it, you could use IPC::Shareable (an old
version of Apache::Session supported this module, but it has been
removed since).  There is also IPC::Cache and probably others as well.

> Go easy on me, it's my first mod_perl posting but have been chewing on 
> the mod_perl guide, eagle book, and the mailing list archives.

Well, this is only my third message to the list  ;)

-- 
Cees Hek
SiteSuite Corporation
[EMAIL PROTECTED]

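The two overrides Cees describes (authen_cred() for the LDAP check and a new session, authen_ses_key() for the inactivity check), written out as an added example; this is not code from the original post or from Apache::AuthCookieURL itself. It assumes mod_perl 1.x, Net::LDAP, Apache::Session::File as the session store, and the PerlSetVar names LDAPHost, LDAPBaseDN and MaxIdleSeconds, the session directory paths and the "uid=...,<base>" DN layout, all of which are assumptions for illustration:

```perl
# Added example (not from the original post): a PerlAuthenHandler subclassing
# Apache::AuthCookieURL.  Package name, PerlSetVar names, LDAP host/base and the
# session directories below are assumptions.
package My::LDAPAuth;
use strict;
use warnings;
use base 'Apache::AuthCookieURL';
use Net::LDAP;
use Apache::Session::File;

# Assumed on-disk session store (Apache::Session::File needs both directories).
my %SESSION_STORE = (
    Directory     => '/var/lib/httpd/sessions',
    LockDirectory => '/var/lib/httpd/sessions/lock',
);

# Requirement #2: check the login form credentials against LDAP and, on
# success, create a session and return its ID (the session key that
# Apache::AuthCookieURL then carries in the cookie or the URL).
# Apache::AuthCookie hands over the form fields credential_0, credential_1, ...
sub authen_cred {
    my ($self, $r, @cred) = @_;
    my ($user, $pass) = @cred;
    return unless defined $user && defined $pass && length $pass;
    return if $user =~ /[^\w.@-]/;          # keep the DN we build below well-formed

    my $host = $r->dir_config('LDAPHost')   || 'ldap.example.com';               # assumed
    my $base = $r->dir_config('LDAPBaseDN') || 'ou=people,dc=example,dc=com';    # assumed
    my $ldap = Net::LDAP->new($host)
        or do { $r->log_error("LDAP connect to $host failed: $@"); return };
    my $mesg = $ldap->bind("uid=$user,$base", password => $pass);   # simple bind
    $ldap->unbind;
    return if $mesg->code;                  # unknown user or wrong password

    my %session;
    tie %session, 'Apache::Session::File', undef, \%SESSION_STORE;   # undef => new session
    $session{user}          = $user;
    $session{last_accessed} = time;
    my $id = $session{_session_id};
    untie %session;
    return $id;
}

# Requirement #3: accept the session key only if the session exists and has not
# been idle longer than MaxIdleSeconds.  Returning nothing makes
# Apache::AuthCookieURL send the user back to the login page.
sub authen_ses_key {
    my ($self, $r, $key) = @_;
    # Default Apache::Session IDs are 32 hex characters; reject anything else
    # before it reaches the file system.
    return unless defined $key && $key =~ /^[0-9a-f]{32}$/;

    my $max_idle = $r->dir_config('MaxIdleSeconds') || 900;        # assumed, 15 minutes
    my %session;
    eval { tie %session, 'Apache::Session::File', $key, \%SESSION_STORE };
    if ($@) {                               # Apache::Session dies on an unknown ID
        $r->log_error("no such session $key");
        return;
    }

    my $now = time;
    if ($now - $session{last_accessed} > $max_idle) {
        tied(%session)->delete;             # expire it so the key cannot be replayed
        untie %session;
        return;
    }
    $session{last_accessed} = $now;         # sliding inactivity window
    my $user = $session{user};
    untie %session;
    return $user;                           # becomes $r->connection->user
}

1;
```

Wire it in with the usual Apache::AuthCookie configuration (`AuthType My::LDAPAuth`, `PerlAuthenHandler My::LDAPAuth->authenticate`, plus PerlSetVar lines for the assumed LDAPHost, LDAPBaseDN and MaxIdleSeconds names). Two points worth keeping: the session ID regex rejects crafted keys before Apache::Session touches the disk, and an idle session is deleted rather than merely refused, so the old key stays dead even if the user keeps it.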
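Option 3 in Cees' list, keeping the state inside the cookie or URL instead of a session key, as an added example that is not part of the original post. Everything is stored encrypted and authenticated (encrypt-then-MAC), so the client can neither read nor forge the timestamp. It assumes Crypt::CBC with Crypt::Rijndael (AES), Digest::HMAC_SHA1 and MIME::Base64, a random server-side secret, and the field names user and last_accessed; the helper names are invented for this example:

```perl
# Added example (not from the original post): session state sealed into the
# token itself.  Module choices, key derivation and field names are assumptions.
package My::SealedState;
use strict;
use warnings;
use Crypt::CBC;
use Digest::HMAC_SHA1 qw(hmac_sha1);
use MIME::Base64 qw(encode_base64 decode_base64);

# Derive separate encryption and MAC keys from one server secret (assumed to be
# a long random string kept outside the document root).  hmac_sha1($data, $key).
sub keys_from_secret {
    my ($secret) = @_;
    return (hmac_sha1('enc', $secret), hmac_sha1('mac', $secret));
}

# Serialise a small hash, encrypt it, MAC the ciphertext, and URL-safe-encode
# the result.  "|" and "=" are separators, so values must not contain them.
sub seal_state {
    my ($state, $secret) = @_;
    die "separator character in value" if grep { /[|=]/ } values %$state;
    my ($ek, $mk) = keys_from_secret($secret);
    my $plain  = join '|', map { "$_=$state->{$_}" } sort keys %$state;
    my $cipher = Crypt::CBC->new(-key => $ek, -cipher => 'Rijndael');
    my $ct     = $cipher->encrypt($plain);      # Crypt::CBC prepends its random salt/IV
    my $mac    = hmac_sha1($ct, $mk);           # MAC covers the whole ciphertext
    (my $tok = encode_base64($mac . $ct, '')) =~ tr{+/=}{-_}d;
    return $tok;
}

# Returns (hashref, refreshed token) for a genuine token that is not idle too
# long, or nothing for a forged, corrupt or lapsed one.  $now is overridable
# for testing.
sub open_state {
    my ($tok, $secret, $max_idle, $now) = @_;
    $now ||= time;
    my ($ek, $mk) = keys_from_secret($secret);
    (my $b64 = $tok) =~ tr{-_}{+/};
    $b64 .= '=' x ((4 - length($b64) % 4) % 4);
    my $raw = decode_base64($b64);
    return if length($raw) <= 20;               # must hold a 20-byte MAC plus ciphertext
    my ($mac, $ct) = (substr($raw, 0, 20), substr($raw, 20));
    return unless constant_eq($mac, hmac_sha1($ct, $mk));   # verify before decrypting
    my $plain = Crypt::CBC->new(-key => $ek, -cipher => 'Rijndael')->decrypt($ct);
    my %state = map { split /=/, $_, 2 } split /\|/, $plain;
    return unless defined $state{user} && ($state{last_accessed} || '') =~ /^\d+$/;
    return if $now - $state{last_accessed} > $max_idle;       # inactivity lapsed
    $state{last_accessed} = $now;               # slide the window and reissue
    return (\%state, seal_state(\%state, $secret));
}

# Compare two MACs without leaking where they first differ.
sub constant_eq {
    my ($x, $y) = @_;
    return 0 unless length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

1;
```

Used from an Apache::AuthCookie subclass, authen_cred() would return seal_state({ user => $user, last_accessed => time }, $secret) as the "session key" and authen_ses_key() would call open_state() on it. The catch with a stateless design is the refresh: the sliding inactivity window only works if the reissued token actually reaches the browser again (a fresh cookie or rewritten URL on every request); if you cannot reissue it, last_accessed is effectively the issue time and MaxIdleSeconds becomes an absolute lifetime.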