Re: Session state without cookies

1999-10-30 Thread Stas Bekman

On Thu, 28 Oct 1999, Trei Brundrett wrote:

 I'm reworking an existing web store CGI script to better handle shopping
 carts. I'm going to use Apache::Session to manage these shopper sessions.
 The store is a mixture of static HTML and CGI generated pages and I want to
 maintain the session across the entire site.
 
 The only issue I've encountered is the distinct possibility of users without
 cookies. I've searched the list archive for solutions to this problem, but
 came up with no definitive answer. The Apache::Session documentation states
 that this issue is left up to the developer. Are there any existing modules
 which put the session id on the query string across both static and dynamic
 pages and gives you easy access to that value so you can utilize it in a
 CGI? If there isn't an existing module - does anyone have anything in
 development?

CGI::Cookie
Apache::Cookie

 
 thanks,
 Trei Brundrett
 -
 [EMAIL PROTECTED]
 http://www.mediatruck.com
 Mediatruck, Inc.
 -
 
 



___
Stas Bekman  mailto:[EMAIL PROTECTED]  www.singlesheaven.com/stas
Perl,CGI,Apache,Linux,Web,Java,PC at  www.singlesheaven.com/stas/TULARC
www.apache.org   www.perl.com  == www.modperl.com  ||  perl.apache.org
single o-> + single o-+ = singlesheaven  http://www.singlesheaven.com



Re: Session state without cookies

1999-10-30 Thread Trei B.

On Sat, 30 Oct 1999, Stas Bekman wrote:

 On Thu, 28 Oct 1999, Trei Brundrett wrote:

  The only issue I've encountered is the distinct possibility of users without
  cookies. I've searched the list archive for solutions to this problem, but
  came up with no definitive answer. The Apache::Session documentation states
  that this issue is left up to the developer. Are there any existing modules
  which put the session id on the query string across both static and dynamic
  pages and gives you easy access to that value so you can utilize it in a
  CGI? If there isn't an existing module - does anyone have anything in
  development?
 
 CGI::Cookie
 Apache::Cookie

I appreciate your suggestions. I may be missing something in the
documentation for these modules, but they seem to rely on cookies. I need
to maintain session state WITHOUT cookies. As I said before this would be
easy if I only needed the user's session id when they were in the CGI
application, but I need to maintain that state when they visit static HTML
and then come back. It seems like an Apache module would be up for this
task.

thanks,
Trei Brundrett




Re: Session state without cookies

1999-10-30 Thread Randal L. Schwartz

 "Trei" == Trei B [EMAIL PROTECTED] writes:

Trei I appreciate your suggestions. I may be missing something in the
Trei documentation for these modules, but they seem to rely on cookies. I need
Trei to maintain session state WITHOUT cookies. As I said before this would be
Trei easy if I only needed the user's session id when they were in the CGI
Trei application, but I need to maintain that state when they visit static HTML
Trei and then come back. It seems like an Apache module would be up for this
Trei task.

You have three main choices for maintaining a "session":

1) cookies
2) mangled URLs
3) hidden fields in forms

If "static HTML" can't do #2 or #3, you are stuck with #1.

No amount of module help can work. :)

-- 
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
[EMAIL PROTECTED] URL:http://www.stonehenge.com/merlyn/
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!



Re: Embperl - where are the cookies ? Success....

1999-10-30 Thread George Pipkin

Hi Everybody -

   Finally got it working, and I wanted to sum up what I did so if somebody
else runs into this, it'll be waiting for 'em in the archives.

In the startup.pl, here's what I got:

BEGIN {
    $ENV{EMBPERL_SESSION_CLASSES} = "DBIStore SysVSemaphoreLocker";
    $ENV{EMBPERL_SESSION_ARGS}    = "DataSource=dbi:mysql:gpp8p_casenet UserName=gpp8p Password=x";
}
use Apache::Session::Embperl;
use HTML::Embperl;
$Apache::Session::SysVSemaphoreLocker::nsems = 16;

(note - I'm running Solaris so I gotta have the nsems argument)

The table:

mysql> describe sessions;
+-----------+-------------+------+-----+---------+-------+
| Field     | Type        | Null | Key | Default | Extra |
+-----------+-------------+------+-----+---------+-------+
| id        | varchar(16) |      | PRI |         |       |
| expires   | int(11)     | YES  |     | NULL    |       |
| length    | int(11)     | YES  |     | NULL    |       |
| a_session | text        | YES  |     | NULL    |       |
+-----------+-------------+------+-----+---------+-------+

The test script:

<html>
<h1>Test of session features</h1><hr>
[+ if($udat{counter} == 0){$udat{counter} = 1} +]
The page is requested [+ $udat{counter}++ +] occasions
since [+ $udat{date} ||= localtime +]
<br>
cookies: [+ $ENV{HTTP_COOKIE} +]
</html>


I think that covers it.  Thanks for your help.

- George






George,

This problem was mentioned in a previous post because it is wrong in the
documentation (it may be fixed now).

The setting of $ENV{EMBPERL...} variables in this case needs to be inside
a BEGIN block at the start of the script. This is because the values of
these variables are used to set up session tracking right when the
HTML::Embperl module is used (and this happens before your EMBPERL
environment variables are being set).

So put a BEGIN {} around them and you should be ready to roll.
Incidentally, if you are starting and stopping apache by hand you
will see a message from Embperl when session tracking has been enabled.
If you do not see the message, don't waste your time looking at your test
page.

Another thing: the reason things update randomly is because each apache
child is keeping a copy of what you put in $udat. Since it is a special
Embperl variable it holds its value and is not cleaned up at the
end of page execution like other variables are, so each time you reload you
get a different child with a different incrementing number.

-- Owen

"George P. Pipkin" wrote:

 Hi Everybody -

I have been playing around with Embperl.  I have a little script that
 resembles the counter test mentioned in the docs, and it appears to
 run.  Problem is, no cookies get set.  And the value of the counter is
 erratic.  One browser will appear to pick up the count from another.
 Then it will jump back.  Here is the script:

 <html>
 <h1>Test of session features</h1><hr>
 [+ if($udat{counter} == 0){$udat{counter} = 1} +]
 The page is requested [+ $udat{counter}++ +] occasions
 since [+ $udat{date} ||= localtime +]
 <br>
 cookies: [+ $ENV{HTTP_COOKIE} +]
 </html>

 Incidentally, $ENV{HTTP_COOKIE} never shows any value at all.  I have the
 session mechanics hooked up to a mysql database.  Here's the setup stuff
 in startup.pl:

 $ENV{EMBPERL_SESSION_CLASSES} = "DBIStore SysVSemaphoreLocker";
 $ENV{EMBPERL_SESSION_ARGS}    = "DataSource=dbi:mysql:gpp8p_casenet UserName=gpp8p Password=xxx";
 use Apache::Session;
 use HTML::Embperl;

 And BTW, I did set up the two tables in that database

 Any ideas?

 - George Pipkin

 --


***
 George P. Pipkin h - (804)-245-9916
 1001 Emmet St.   w - (804)-924-1329
 Carruthers Hall  fax -
 (804)-982-2777
 Charlottesville, Va. 22903
 http://jm.acs.virginia.edu/~gpp8p/


***


***
George Pipkin
Advanced Technology Group
University of Virginia
(804)-924-1329
***




Re: DigExt in user-agent hammering my site

1999-10-30 Thread Randal L. Schwartz

 "Jay" == Jay J [EMAIL PROTECTED] writes:

Jay I just tried it using IE5 for NT4 ..

Jay What you're seeing is when someone has used "Make available
Jay offline" followed by:

Jay "If this favorite links to other pages, would you like to make
Jay those pages available offline too? [y/n] ... Download pages [x]
Jay links deep from this page"

Jay The useragent is this: Mozilla/4.0 (compatible; MSIE 5.0; Windows
Jay NT; DigExt)

Jay And proceeds to crawl the site with 0-wait time between requests

Jay I haven't inspected the client-header to see if there might be
Jay something to indicate it's in "crawl" mode .. I think it's
Jay doubtful there is. So.


Nope, I could find nothing to distinguish "evil spider" mode from
normal browsing mode, other than the rapidity of the download
requests.

So, I wrote my own throttling routines, unsatisfied with the others
that I found...

package Stonehenge::Throttle;
use strict;

## usage: PerlAccessHandler Stonehenge::Throttle;

my $HISTORYDIR = "/home/merlyn/lib/Apache/Throttle";

my $WINDOW = 90;                   # seconds of interest
my $SLOWBYTES = $WINDOW * 2000;    # bytes before we sleep
my $SLEEP = 1;                     # sleep time
my $DECLINEBYTES = $WINDOW * 3000; # bytes before we send a 503

use vars qw($VERSION);
$VERSION = (qw$Revision: 1.4 $ )[-1];

use Apache::Constants qw(OK DECLINED);
use Apache::File;
use Apache::Log;

use Stonehenge::Reload;

sub handler {
  goto &handler if Stonehenge::Reload->reload_me;

  my $r = shift;
  return DECLINED unless $r->is_initial_req;
  my $log = $r->server->log;

  my $host = $r->get_remote_host;
  return DECLINED if $host =~ /\.(holdit|stonehenge)\.com$/;

  ## one history file per client; $host is whatever get_remote_host
  ## returned (an IP address, or a name from reverse DNS if enabled)
  my $historyfile = "$HISTORYDIR/$host"; # closure var

  $r->register_cleanup
    (sub {
       ## after the response has gone out, append one fixed-size 8-byte
       ## record (time, bytes sent); appending a small record needs no
       ## locking, and a reader simply skips a torn record at the tail
       my $fh = Apache::File->new;
       open $fh, ">>$historyfile" or return DECLINED;

       my $time = time;
       my $bytes = $r->bytes_sent;
       syswrite $fh, pack "LL", $time, $bytes;
       close $fh;

       return OK;
     });

  {
    ## sum the bytes this client got within the last $WINDOW seconds
    my $startwindow = time - $WINDOW;
    my $totalbytes = 0;
    my $fh = Apache::File->new;
    open $fh, $historyfile or return DECLINED; # no history yet: first visit
    while ((read $fh, my $buf, 8) > 0) {
      my ($time, $bytes) = unpack "LL", $buf;
      next if $time < $startwindow;   # older than the window, ignore
      $totalbytes += $bytes;
    }
    if ($totalbytes > $DECLINEBYTES) {
      $log->notice("$host got $totalbytes in $WINDOW secs, sending 503");
      $r->header_out("Retry-After", $WINDOW);
      return 503;   # Service Unavailable
    } elsif ($totalbytes > $SLOWBYTES) {
      $log->notice("$host got $totalbytes in $WINDOW secs, sleeping for $SLEEP");
      sleep $SLEEP;
      return DECLINED;
    } else {
      ## $log->notice("$host got $totalbytes in $WINDOW secs"); # DEBUG
      return DECLINED;
    }
  }
  return DECLINED;
}
1;

This has to be aided by a cron script run every 20 minutes or so
that looks like this:

#!/usr/bin/perl -w
use strict;

# $Id: throttle-cleaner,v 1.1 1999/10/28 19:44:09 merlyn Exp $

my $DIR = "/home/merlyn/lib/Apache/Throttle";
my $SECS = 360; # more than Stonehenge::Throttle $WINDOW

chdir $DIR or die "Cannot chdir $DIR: $!";
opendir DOT, "." or die "Cannot opendir .: $!";
my $when = time - $SECS;
while (my $name = readdir DOT) {
  next unless -f $name;
  next if (stat($name))[8] > $when;   # modified recently: still in use
  ## warn "unlinking $name\n";
  unlink $name;
}

So now I have a bytes-served-in-window throttler on my website that
prevents anyone from sucking down more than 3k/sec sustained over 90
seconds from any specific IP.

It triggered five times overnight.  But my ISP neighbors are now
happy.

I should clean up Stonehenge::Throttle and submit it.  Notice, no file
locking!  That was an interesting fallout of the design.




Re: preload scripts at startup?

1999-10-30 Thread panpipi


Hi,

How are you doing recently?

I think I found a bug in Embperl.pm about file upload. When I used an HTML <input
type=file name=...> tag to upload a file, Embperl crashed with an error message
like this: "Cannot modify read-only value ... in Embperl.pm line 774.", IF the
uploaded filename starts with a non-alpha character, eg. "1.gif" or "789.jpg". But
it works ok if the filename looks like a variable identifier, eg. "abc.gif" or
"xyz.jpg". So I guess Embperl.pm did not "expect" the filename to start with a
digit, did it?

Another problem: I define a perl module, util.pm, with several utility functions
therein, eg, get_tree_depth(). If I use the module and reference get_tree_depth
in one Embperl script, then SOMETIMES ON ANOTHER SCRIPT Embperl will complain
"undefined subroutine xx::get_tree_depth::_N (something like that, I
forgot)".  The only assured way to work around this is to use
util::get_tree_depth() in both scripts. But it should not be like this, should
it?

By the way, which of a statically or dynamically linked Apache server gives better
performance with Embperl?

My Embperl.pm version is: 1.2b9.
Thanks.

Huang-Ming Pan


Gerald Richter wrote:

 
  
   But a lot of that memory is shared between the children, so it
   may be not so uneconomical as it looks for the first view...
  
  As I know, the lot of memory is not truly shared but 'duplicated' in
  the children's process memory. This is because UNIX only shares 'code'
  segments, not 'data' segments, between processes. Is current Perl
  interpreted code stored in 'code' segments? I don't think so.
  
  What I meant is to store Embperl-translated script stuff, not
  Perl-interpreted code, in files.
  

 Unix also shares the data segments after a fork, until something is written
 to them.

 Storing the precompiled perl code in files isn't possible by perl itself.
 It may work with the perl compiler (B:: package), but the compiler is still
 experimental and it would be a lot of work to get it together with Embperl.

 Gerald

 ---
 Gerald Richter  ecos electronic communication services gmbh
 Internet - Infodatenbanken - Apache - Perl - mod_perl - Embperl

 E-Mail: [EMAIL PROTECTED] Tel:+49-6133/925151
 WWW:http://www.ecos.de  Fax:+49-6133/925152
 ---



Re: Session state with/without cookies

1999-10-30 Thread Joseph R. Junkin

This is not a simple answer, but here is my take:
This is only My Opinion.

Rule #1: Design your 'working part' of the app to minimize the
dependence on stored session.

This means to place common actions in the URL.
Some people would say that's messy, but I disagree.
This is because you can 'Walk in' to any part of the app in ANY stage of
the game.
Here is an example, the following views are all based on one record,
Question #14 in a survey.

Here is a complete view of all of the hierarchy:
http://www.datafree.com/demo/dc?s=156-157&p=3&m=n&db=survey&d=f&k=3&a=er

Now I want to isolate that question with its answers
http://www.datafree.com/demo/dc?s=156-157-158&p=3&m=n&db=survey&d=f&k=197&sn=156-157-158&a=er

Now, just view the question itself:
http://www.datafree.com/demo/dc?s=156-157-158&p=3&m=d&db=survey&d=f&k=197&sn=156-157-158&a=cr

Add a new record?
http://www.datafree.com/demo/dc?s=156-157-158&p=3&m=d&db=survey&d=f&sn=156-157-158&a=cr

Split the screen:
http://www.datafree.com/demo/dc?s=156-157-158&p=3&m=d&db=survey&d=f&k=197&a=er&sw=on

In all of these examples, you are 'Walking In'. The system assigns you
as a guest. As soon as you continue you will notice a UID (u=)
being assigned. What happens if you blow it away? Nothing.
 
Now if you have a 'shopping cart' type of app, you will need to track
session, because you don't want to be passing every product and other
info the User has ordered. I would not store all that crap in cookies
either, but one certainly could.
So you assign each User a session ID.

So now,
You want to track a session,
You need a unique identifier for each session,

Solution:
You must somehow pass a session identifier UID

Popular choices:
1) Part of the URL ie "sessionid=12234"
Drawbacks: 
A) Could be hijacked if someone guesses what it is
Like this:
http://www.datafree.com/demo/dc?s=156-157-158&u=202118935938223051&p=3&m=n&db=survey&d=f&k=204&a=er
Notice that if you continue with the app, you have hijacked that UID.
This is allowed because the session is insecure.

B) Session is lost when the User leaves the site, unless they hit the
back button.


2) Stored in the users browser as a cookie
You can automatically restore the users last session (most people want
this) and anything else about them you want to retain.
You only need to send the UID once, and the user will hand it back every
time.

3) (my choice) Combine the two. 
If the settings permit guest access, the system instantly adapts and
handles the User.
But to update, you must create an account and login.
When you log in, I toss a cookie. If that cookie ain't there bub, you
ain't continuing on (except as a guest). Once logged in, if you disable
cookies I will detect it and switch you back to a guest.
Finally, a combination of URL UID and cookie UID is the only way (I know
of) to allow multiple secure sessions for a single user. A use for this
is for developers to develop online web applications, pause and switch
to an End User view to test, and quickly switch back. In each case, my
system remembers your exact session (last URL, personal settings for
that user) and instantly throws you back where you were. 

Here is a rough flowchart of the process, a bit out of date:
http://www.datacrawler.com/images/main_user_mode.gif

 You have three main choices for maintaining a "session":
 1) cookies
 2) mangled URLs
 3) hidden fields in forms
 If "static HTML" can't do #2 or #3, you are stuck with #1.

I don't understand these answers. What is a mangled URL? I don't
understand the conclusion about static HTML.
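Randal's list of carriers (cookie, URL, hidden field) and Joseph's drawback A above (a URL session id can be hijacked by anyone who guesses or sees it) come down to two properties of the id: it has to be unguessable, and the copy that sits in the URL should not be enough on its own to act on the session. The script below is an added example written for this page; it is not code from Apache::Session, from datafree.com or from any poster in the thread. It assumes Digest::SHA, a readable /dev/urandom and an illustrative server-side key `$SERVER_KEY`, and the HMAC binding of the URL id to a cookie token is one possible design for Joseph's "URL UID plus cookie" rule, not his implementation.

```perl
#!/usr/bin/perl
# Added example: URL session id bound to a cookie token (not datafree.com code).
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Assumption: a long random server-side key, loaded from outside the docroot
# in real use. Anyone who learns it can forge cookie tokens for any URL id.
my $SERVER_KEY = 'replace-with-32-or-more-random-bytes';

# The kind of id "sessionid=12234" hints at: time and PID are close to
# public, so a neighbour can enumerate ids issued around the same second.
sub weak_session_id {
    return time() . $$;
}

# 128 bits from the kernel CSPRNG; rand() is not acceptable here because
# older perls seed it from predictable values.
sub strong_session_id {
    open my $fh, '<', '/dev/urandom' or die "open /dev/urandom: $!";
    binmode $fh;
    read($fh, my $raw, 16) == 16 or die "short read from /dev/urandom";
    close $fh;
    return unpack 'H*', $raw;            # 32 hex characters
}

# Compare two tokens without leaking, via timing, how many leading
# characters of a guessed value were right.
sub ct_eq {
    my ($x, $y) = @_;
    return 0 unless length $x == length $y;
    my $diff = 0;
    $diff |= ord(substr $x, $_, 1) ^ ord(substr $y, $_, 1) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Issue a session: the id travels in the URL (u=...) so plain links carry it,
# and a binding token goes in a cookie. The token is an HMAC of the id, so an
# id lifted from a Referer header or a pasted link is not enough by itself.
sub issue_session {
    my $id = strong_session_id();
    return ($id, hmac_sha256_hex($id, $SERVER_KEY));
}

# Decide what a request may do from its URL id and its cookie (undef when the
# browser sent none). This is the "no cookie, guest only" rule.
sub classify_request {
    my ($url_id, $cookie) = @_;
    return 'anonymous'
        unless defined $url_id && $url_id =~ /\A[0-9a-f]{32}\z/;
    return 'guest' unless defined $cookie;
    my $expected = hmac_sha256_hex($url_id, $SERVER_KEY);
    return ct_eq($cookie, $expected) ? 'authenticated' : 'guest';
}

# Walk-through with constructed requests.
my ($id, $cookie) = issue_session();
printf "issued id=%s cookie=%s...\n", $id, substr($cookie, 0, 12);

# Someone who only has the URL (say, from a leaked Referer): guest at best.
print "url only        : ", classify_request($id, undef), "\n";
# Someone who guessed the cookie wrong: still guest.
print "forged cookie   : ", classify_request($id, 'f' x 64), "\n";
# The real browser with both halves: authenticated.
print "id + cookie     : ", classify_request($id, $cookie), "\n";
# A malformed id from the query string never reaches the HMAC check.
print "bad id          : ", classify_request('12234', $cookie), "\n";

# Why the id must be random: two weak ids issued in the same second collide.
my ($w1, $w2) = (weak_session_id(), weak_session_id());
print "weak ids equal  : ", ($w1 eq $w2 ? 'yes' : 'no'), "\n";
```

Run it with `perl session-id.pl`. The last line almost always prints `yes`, which is the guessability Joseph's hijack example walks into; the regex on the URL id keeps anything that is not 32 hex characters out of the HMAC path, and the constant-time compare matters because the cookie token is the only secret the browser holds.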



Re: LOcking help reqd

1999-10-30 Thread Michael A. Chase

There is a section on problems with file locking in perlfaq5.pod.  You can
read this section of the fine manual that comes with Perl by running
'perldoc perlfaq5'.

To see how to commit and rollback, run 'perldoc DBI' and read the fine
manual.
--
Mac :})
** I may forward private database questions to the DBI mail lists. **
- Original Message -
From: gangadharan narayan [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: 29 October, 1999 13:55
Subject: LOcking help reqd


 From: "gangadharan narayan" [EMAIL PROTECTED]
 To: [EMAIL PROTECTED], [EMAIL PROTECTED]
 CC: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED],
 [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED],
 [EMAIL PROTECTED]
 Subject: Re: More on web application performance with DBI
 Date: Fri, 29 Oct 1999 16:21:56 EDT
 
 I have a perl script which connects to the
 oracle database. I want to know if I can lock the
 script, i.e. even if there are many requests to the
 server for the same script there will be no
 concurrency & update problems.
 
 Also how do I implement commit & rollbacks in a script.
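Michael's two pointers (perlfaq5 for file locking, the DBI manual for commit and rollback) in one runnable script, added here as an example that is neither Michael's nor the original poster's code. The flock part uses only core Perl and forks several processes that all bump one counter, which is the "many requests for the same script" situation; the DBI part assumes DBD::SQLite is installed and skips itself otherwise (the question was about Oracle, where the same begin_work/commit/rollback calls apply with a different DSN), and the `accounts` table and the `transfer` routine are constructed for the demonstration.

```perl
#!/usr/bin/perl
# Added example: flock as a cross-process mutex, and DBI commit/rollback.
use strict;
use warnings;
use Fcntl qw(:flock);
use File::Temp qw(tempdir);

# --- 1. Serialising a read-modify-write across CGI/mod_perl processes ---
# You cannot "lock the script", but every process can take LOCK_EX on the
# same lock file before it touches the shared data; the others block.
sub locked_increment {
    my ($lockfile, $datafile) = @_;
    open my $lock, '>>', $lockfile or die "open $lockfile: $!";
    flock($lock, LOCK_EX) or die "flock $lockfile: $!";   # blocks until free

    my $n = 0;
    if (open my $in, '<', $datafile) {
        my $line = <$in>;
        if (defined $line) { chomp $line; $n = $line }
        close $in;
    }
    $n++;
    # Write to a temp name and rename: a reader never sees a half-written file.
    open my $out, '>', "$datafile.tmp" or die "open $datafile.tmp: $!";
    print $out "$n\n";
    close $out or die "close $datafile.tmp: $!";
    rename "$datafile.tmp", $datafile or die "rename: $!";

    close $lock;    # releases LOCK_EX
    return $n;
}

sub demo_flock {
    my $dir = tempdir();                  # removed by hand below
    my ($lock, $data) = ("$dir/counter.lock", "$dir/counter");
    my ($kids, $each) = (8, 25);
    for (1 .. $kids) {
        defined(my $pid = fork) or die "fork: $!";
        if ($pid == 0) { locked_increment($lock, $data) for 1 .. $each; exit 0 }
    }
    waitpid(-1, 0) for 1 .. $kids;
    open my $in, '<', $data or die "open $data: $!";
    chomp(my $final = <$in>);
    close $in;
    unlink $lock, $data; rmdir $dir;
    printf "flock: %d processes x %d increments -> %d (expected %d)\n",
        $kids, $each, $final, $kids * $each;
}

# --- 2. Commit and rollback with DBI ---
# begin_work turns AutoCommit off for one unit of work; commit makes it all
# visible, rollback on any die() undoes every statement since begin_work.
sub transfer {
    my ($dbh, $from, $to, $amount) = @_;
    my $ok = eval {
        $dbh->begin_work;
        $dbh->do('UPDATE accounts SET balance = balance - ? WHERE id = ?',
                 undef, $amount, $from);
        my ($left) = $dbh->selectrow_array(
            'SELECT balance FROM accounts WHERE id = ?', undef, $from);
        die "insufficient funds in account $from\n" if $left < 0;
        $dbh->do('UPDATE accounts SET balance = balance + ? WHERE id = ?',
                 undef, $amount, $to);
        $dbh->commit;
        1;
    };
    return 1 if $ok;
    chomp(my $err = $@);
    $dbh->rollback;     # the first UPDATE is undone too
    return (0, $err);
}

sub demo_dbi {
    # Assumption: DBD::SQLite is available; with DBD::Oracle only the DSN changes.
    unless (eval { require DBI; require DBD::SQLite; 1 }) {
        print "dbi: DBD::SQLite not installed, skipping\n";
        return;
    }
    my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                           { RaiseError => 1, PrintError => 0, AutoCommit => 1 });
    $dbh->do('CREATE TABLE accounts (id INTEGER PRIMARY KEY, balance INTEGER)');
    $dbh->do('INSERT INTO accounts (id, balance) VALUES (1, 100), (2, 0)');
    for my $amount (60, 60) {    # the second one overdraws and must roll back
        my ($ok, $err) = transfer($dbh, 1, 2, $amount);
        my @bal = map { ($dbh->selectrow_array(
            'SELECT balance FROM accounts WHERE id = ?', undef, $_))[0] } 1, 2;
        printf "dbi: transfer of %d %s; balances now 1=%d 2=%d\n",
            $amount, ($ok ? 'committed' : "rolled back ($err)"), @bal;
    }
    $dbh->disconnect;
}

demo_flock();
demo_dbi();
```

The flock line should report 200 of 200; drop the `flock` call and rerun a few times to watch lost updates appear. In the DBI part the first transfer commits (1=40, 2=60) and the second dies inside the eval after its first UPDATE has already run, so the balances printed after the rollback are unchanged. With RaiseError on, a failed statement dies the same way and takes the same rollback path.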




Re: How to know PID of DB backend ?

1999-10-30 Thread Greg Stark


Oleg Bartunov [EMAIL PROTECTED] writes:

 Using ApacheDBI I keep persistent connections between
 httpd and db. Now I want to know PIDs of httpd children and
 database backend. For the httpd it's trivial but I don't
 know where to get PID of db backend.
 
   Regards,
   Oleg

That would be entirely dependent on your database, not all databases even
start subprocesses. What database are you using?

-- 
greg