On Oct 20, 2019, at 7:35 PM, Edward J. Sabol <edwardjsa...@gmail.com> wrote: > I've successfully ported Apache2::AuthCookieDBI's group > authorization to work with Apache 2.4.x. It works on my system, and I am > now looking at submitting a pull request on GitHub for this issue.
In case anyone is interested: https://github.com/matisse/Apache-AuthCookieDBI/pull/6 https://github.com/esabol/Apache-AuthCookieDBI/blob/apache-2.4.x-support/lib/Apache2_4/AuthCookieDBI.pm I could still use answers to the following questions: > [...] what's the best way to determine the Apache version in > non-testsuite code? Should I use Apache::Test's have_min_apache_version() > regardless? > > Apache2::AuthCookieDBI stashes the valid/authorized group in > $r->subprocess_env('AUTH_COOKIE_DBI_GROUP') so that higher-level interface > code can reference it. To eliminate multiple database queries for the same > request (at one point, I was seeing 4+ requests per request since the URL > was a directory and Apache was authz'ing the directory and then the > index.html in that directory), I was wondering if checking for the presence > of $r->subprocess_env('AUTH_COOKIE_DBI_GROUP') and using that instead of > querying the database again was secure? It all seems to work in my testing > and it drastically cuts down on repeated database queries, but I'm worried I > might be doing something insecure. Thanks, Ed
