> On Fri, Oct 2, 2009 at 2:16 PM, Nick Kew <n...@apache.org> wrote: >>> i'm using apache 2.2 mpm-worker and have noticed that incoming >>> requests are dispatched to apache processes in a way that makes it >>> hard for me to maintain sessions in my module. i'm using the user >>> field of the request_rec as session key >> >> Huh? The request_rec has the lifetime of a request. Nothing on >> it will preserve a session across requests. > > i agree, but if the application has one session per user and all users > are authenticated, then the user field of the request rec works fine > as session token >
Most session management is implemented in a higher layer (the application such as PHP or Java's Hibernate). It is possible and has been implemented. Under the caveats you later write, using r->user is not fine for a session token. Until the user has authenticated, that data wouldn't be available in the authenticated session. You would have to use cookies as session managers. Apache 2.3 has mod_session. You might want to take a look at the code. If you must reinvent the wheel, it may be simpler to use mod_unique_id. Since mod_unique_id generates a different ID for each request (not across all requests by the same session), you would check to see if the browser cookie is there, and if not, copy it from mod_unique_id for your session key, and send the cookie to the browser. Your session will have been started, and the cookie will be available across all subsequent requests, giving you what you need. Your apache source components used are r->headers_in and r->headers_out . Joe
