Subclassed Apache::Request Objects and their creation/destruction
All,I'm looking for some help with understanding how the Apache::Request objectsare created and destroyed.I have the following params set in my httpd.confKeepAlive OffPerlChildInitHandler Bficient::Apache::DBloadWhich as I understand it should mean that an apache::Request object iscreated for each request, and is destroyed at the end of a request.So if I add 'CREATION and DESTROY' warnings to my Apache::Request code tolog when a request is being created and destroyed I should see the objectsbeing created and destroyed as they are used.This would lead me to believe that when I stop apache, the only DESTROYmessages I should see are those belonging to the childInitHandler, e.g. Ishould see my database handles being destroyed.I'm just trying to get an understanding of what 'should' happen, so that Ican work out If I have a problem with my code.I have subclassed Apache::Request and I'm seeing my subclassedApache::Request objects being'DESTROYED' under an apache stop. AS WELL as after the Request completes,e.g.after the request completes I see this:-$VAR1 = bless( { 'r' = bless( do{\(my $o = 145326836)}, 'Apache::Request' ) }, 'Bficient::Apache::Request' );DESTROYING Bficient::Apache::RequestBut when I stop apache I see this:-$VAR1 = bless( { 'r' = undef }, 'Bficient::Apache::Request' );DESTROYING Bficient::Apache::RequestThis doesn't look 'right', but I'm not sure.Attached is my Bficient::Apache::Request object, If that helps.Any help, or pointers would be greatly appreciated,kind regardsMarty # #Module to sublass Apache to provide Custom Authorisation mechanisms #Using the Apache::Session objects for each user. # package Bficient::Apache::Request; use Bficient::Conf; use lib qw(Bficient::Conf::PERL_LIB_DIR); use Apache::Constants qw(OK REDIRECT SERVER_ERROR DECLINED FORBIDDEN); use Apache::Cookie; use Carp; use Apache::Reload; use Apache::Request; use Bficient::Maketext; use Data::Dumper; use base 'Exporter'; use Bficient::DBI; use Bficient::Apache::DBload qw($bdbh); use MIME::Base64 qw(encode_base64 decode_base64); use strict; @Bficient::Apache::Request::ISA = qw(Apache::Request); my $lh; sub new { my ($class, $r) = @_; #unless ($r) #{ #print STDERR making a new Request object\n; #$r = Apache::Request-new; #} my $self = bless {r = Apache::Request-new($r)}, $class; my @params=$self-param(); print STDERR Here's the Parameters for $class\n; print STDERR Dumper(@params); my $lang_id=$self-param('lang_id'); if ($lang_id) { #print STDERR Using language_id of $lang_id\n; $lh=Bficient::Maketext-get_handle($class,$lang_id); } else { #print STDERR Using Default language_id of Bficient::Conf::DEFAULT_LANGUAGE_ID\nXX\n; $lh=Bficient::Maketext-get_handle($class,Bficient::Conf::DEFAULT_LANGUAGE_ID); } #print STDERR Creating .ref($self).\n; #$self-interpret_uri; return $self; } sub DESTROY { my $self=shift; print STDERR Dumper($self); print STDERR DESTROYING .ref($self).\n; #$self-SUPER-DESTROY(); } sub current_db_id { my $self=shift; my $db_id; if($self-param('db_id')) { $db_id=$self-param('db_id'); die $self-lh-maketext(Empty database ID string Used in Parameters\n) unless $db_id; } else { my $current_plugin=$self-current_plugin; #print STDERR Dumper($current_plugin); my $current_plugin_id=$current_plugin-id; #print STDERR PluginID='$current_plugin_id'\n; my $database=Bficient::Database-new({_load_default_plugin_database=$current_plugin_id,dbh=$bdbh,lang_id=$self-lang_id}); $db_id=$database-id; } return $db_id; } #sub make_plugin_html #{ #my $self=shift; #my $tt_href=shift; # #my $html=''; # #my $db_id=$self-current_db_id; # #my $tt_file = Bficient::Conf::FRAMEWORK_TOPBAR_TEMPLATE; #$tt_file=~s/\/\//\//; #my $template = Template-new(Bficient::Conf::TT2_CONFIG); #my @[EMAIL PROTECTED]::Plugin-all({dbh=$bdbh})}; ##print STDERR Dumper (@plugins); #my @non_admin=(); #foreach my $plugin (@plugins) #{ #if ($plugin-Name eq Bficient::Conf::ADMIN_PLUGIN_NAME ) #{ #$tt_href-{admin_plugin}=$plugin; #} #else #{ #push @non_admin, $plugin; #} #} # #$tt_href-{r}=$self; #$tt_href-[EMAIL PROTECTED]; #$tt_href-{plugin_count}=scalar(@non_admin); #$tt_href-{current_uri}=$self-uri;; # ##print STDERR tt_VARS=\n; ##print STDERR Dumper(%tt_vars); # #my $tt_out=$self-process_template($tt_file, $tt_href); # #return $tt_out; #} sub user_object { my $self=shift; my $session_id=shift; my $uh; if ($uh) { my $un=$uh-UserName; #print STDERR HERE IS MY UH for '$un'\n; #print STDERR Dumper($uh); print STDERR $lh-maketext(Using Previously Cached user_object for
stopping concurrent logins
i'm sure this is not a novel need, but i have failed to find or come up with just yet any (non-cookie) solution yet. i'm trying dearly to avoid cookies, but if that's the best or only way to do this, feel free to speak up. i'd love to hear from someone who has already tackled the problem of stopping concurrent web logins to a protected web space. realizing that ultimately people can share their username/password to a for-fee protected web site, we would at *least* like to avoid the possibility that two people could both be logged in at the same time from two different computers. the use of IP address doesn't seem adequate since many users come through a router/proxy running NAT. any pointers?
RE: [mp2.0] W2000, Apache 2.0.43 + mod_perl 1.99_09 does not start
Title: RE: [mp2.0] W2000, Apache 2.0.43 + mod_perl 1.99_09 does not start Randy, sorry for the text+html, I am trying to get that changed... -Original Message- From: Randy Kobes [mailto:[EMAIL PROTECTED]] Sent: Thursday, April 03, 2003 17:59 . On Thu, 3 Apr 2003, Melchior, Matthijs wrote: Hello, We have a problem getting mod_perl to run on a W2000 server. It does work on another machine running WinNT4, so I think there are no errors in my configuration files. httpd.conf: 176: LoadModule perl_module modules/mod_perl.so C:\Apache2\bin.\apache -t Syntax error on line 176 of C:/Apache2/conf/httpd.conf: Cannot load C:/Apache2/modules/mod_perl.so into server: The specified procedure could not be found. C:\Apache2\bin If we refer to some other symbol as module descriptor, one that does not exist, the error does not change. We have everything installed from binary packages: . We think there is something missing on the W2000 server, but have run out of idea's what that could be.! Does putting in a directive LoadFile /Path/to/Perl/bin/perl56.dll This was already present, and removing it does not make a difference. in httpd.conf help (before loading mod_perl.so)? Also, when you installed the mod_perl-2 ppm package, did mod_perl.so get copied properly to your Apache modules/ directory? Sometimes this doesn't work for some versions of ppm, and you may unknowlingly be using an old mod_perl.so. If this didn't install correctly, you can extract mod_perl.so from mod_perl-2.tar.gz found in http://theoryx5.uwinnipeg.ca/ppmpackages/x86/ Yes, we know for sure the mod_perl.so file is located in the correct location, experiments have shown there is a different error message when that is not the case [The specified module could not be found.] Unfortunately, even if you get this working, you may encounter problems with mod_perl 2 with ActivePerl 6xx (based on perl-5.6.1), due to some threading issues that have been addressed in ActivePerl 8xx (based on perl-5.8.0). Is it possible to upgrade to ActivePerl 805? This is unfortunate, we are reluctant to upgrade to perl 5.8 before this issue is resolved.[Or is this problem more than a performance problem and is it impossible to get perl56 and mod_perl 2 and apache 2 to work together...?] We have installed the same software on an other W2000 machine and that gives exactly the same results. And, since I have not seen any definite report that someone else is running this combination on W2000, we even think this Apache-mod_perl combination only works on WinNT? Can someone conferm or deny this? -- best regards, randy kobes
checking what values have been set using pnotes/notes
All, Is there a way to work out what values have been set using pnotes/notes, So that a cleanup Handler can dynamically clear the values, rather than only clear ones pre-programmed? Marty
Re: checking what values have been set using pnotes/notes
Martin Moss wrote: All, Is there a way to work out what values have been set using pnotes/notes, So that a cleanup Handler can dynamically clear the values, rather than only clear ones pre-programmed? both notes and pnotes are guaranteed fresh at the start of each request, so there is no need for you to clean them up yourself. --Geoff
RE: [mp2.0] W2000, Apache 2.0.45, mod_perl-2 1.99_09-dev crashes
Title: RE: [mp2.0] W2000, Apache 2.0.45, mod_perl-2 1.99_09-dev crashes Sebastian, Sooo, it IS possible to get this running on W2000. thanks! Now the big question: what is different between your system and ours...? Do you remember what happened during install, what non-standard files [installed after base W2000] you have on your machine, or any other things that may explain the difference. We can get in touch off-list and exchange more details -Original Message- From: Sebastian Breier [mailto:[EMAIL PROTECTED]] Sent: Friday, April 04, 2003 15:58 To: [EMAIL PROTECTED] Subject: [mp2.0] W2000, Apache 2.0.45, mod_perl-2 1.99_09-dev crashes Hi. I just upgraded Apache to 2.0.45 (from 2.0.44), and now most of my perl-generated sites crash. They worked perfectly before. Server is Apache 2.0.45 on W2000 + mod_perl-2 1.99_09-dev, as said in the subject. I just checked again with 2.0.44, everything works (nothing changed except Apache). One script still works with 2.0.45, but it has only a few subs that don't do anything. Logs always show some error message like these: [Fri Apr 04 15:49:29 2003] [notice] Parent: child process exited with status 1073807364 -- Restarting. or [Fri Apr 04 15:46:53 2003] [notice] Parent: child process exited with status 3221225477 -- Restarting. Any ideas? Do I need a recompile of mod_perl-2? (I hope somebody makes one, I can't) Thank You, Sebastian. -- If You're European, do something for YOUR civil rights: http://www.stop1984.com Stop software patents in the EU! http://swpat.ffii.org Sorry I cannot help with your Apache 2.0.45 problem, we're not there yet... -- Thanks, Matthijs Melchior.
RE: [mp2.0] W2000, Apache 2.0.45, mod_perl-2 1.99_09-dev crashes
At 17:38 04.04.2003, Melchior, Matthijs wrote: Sebastian, Sooo, it IS possible to get this running on W2000. thanks! Of course it's possible... :-P I've been running it for a year now I think... though my main Apache box is WinNT 4 SP6a. Now the big question: what is different between your system and ours...? Do you remember what happened during install, what non-standard files [installed after base W2000] you have on your machine, or any other things that may explain the difference. Nothing special... Win2k Pro SP2, some patches for security... What exactly is your problem with the installation? Mine went through without complaining, and the Apache worked after that. mod_perl-2 is installed over ActivePerl 5.8's PPM shell. No problems anywhere. Just now with 2.0.45. :-) We can get in touch off-list and exchange more details Sure... maybe this annoys the other list-readers... but maybe it's also helpful for others! Bye, Sebastian. -- If You're European, do something for YOUR civil rights: http://www.stop1984.com Stop software patents in the EU! http://swpat.ffii.org
RE: [mp2.0] W2000, Apache 2.0.45, mod_perl-2 1.99_09-dev crashes
Title: RE: [mp2.0] W2000, Apache 2.0.45, mod_perl-2 1.99_09-dev crashes Sebastian, -Original Message- From: Sebastian Breier [mailto:[EMAIL PROTECTED]] Sent: Friday, April 04, 2003 17:51 At 17:38 04.04.2003, Melchior, Matthijs wrote: Sebastian, Sooo, it IS possible to get this running on W2000. thanks! Of course it's possible... :-P I've been running it for a year now I think... though my main Apache box is WinNT 4 SP6a. Now the big question: what is different between your system and ours...? Do you remember what happened during install, what non-standard files [installed after base W2000] you have on your machine, or any other things that may explain the difference. Nothing special... Win2k Pro SP2, some patches for security... What exactly is your problem with the installation? Mine went through without complaining, and the Apache worked after that. Well, the problem does not occur at installation time, that was without problem. It happens when Apache wants to load mod_perl.so, then it dies with error The specified procedure could not be found. Note, it talks about 'prodedure', not 'module'. To me this means that the loading of the module failed because the dynamic linker [the unix name, dont know the windows term...] cannot resolve a symbol in mod_perl.so or one of the referenced libraries. Unfortunately, windows does not tell me the name of the problematic symbol so I have no idea where to look! mod_perl-2 is installed over ActivePerl 5.8's PPM shell. No problems anywhere. Just now with 2.0.45. :-) We can get in touch off-list and exchange more details Sure... maybe this annoys the other list-readers... but maybe it's also helpful for others! I was thinking about boring details like versions of DLL's in \winnt\system32 and places like that If we can solve this without resorting to that comparation, even better. Bye, Sebastian. -- If You're European, do something for YOUR civil rights: http://www.stop1984.com Stop software patents in the EU! http://swpat.ffii.org -- Thanks, Matthijs Melchior. [can't access this mailbox during the weekend...]
RE: [mp2.0] W2000, Apache 2.0.43 + mod_perl 1.99_09 does not start
On Fri, 4 Apr 2003, Melchior, Matthijs wrote: -Original Message- From: Randy Kobes [mailto:[EMAIL PROTECTED] Sent: Thursday, April 03, 2003 17:59 On Thu, 3 Apr 2003, Melchior, Matthijs wrote: Hello, We have a problem getting mod_perl to run on a W2000 server. It does work on another machine running WinNT4, so I think there are no errors in my configuration files. httpd.conf: 176: LoadModule perl_module modules/mod_perl.so C:\Apache2\bin.\apache -t Syntax error on line 176 of C:/Apache2/conf/httpd.conf: Cannot load C:/Apache2/modules/mod_perl.so into server: The specified procedure could not be found. . We think there is something missing on the W2000 server, but have run out of idea's what that could be.! Unfortunately, even if you get this working, you may encounter problems with mod_perl 2 with ActivePerl 6xx (based on perl-5.6.1), due to some threading issues that have been addressed in ActivePerl 8xx (based on perl-5.8.0). Is it possible to upgrade to ActivePerl 805? This is unfortunate, we are reluctant to upgrade to perl 5.8 before this issue is resolved.[Or is this problem more than a performance problem and is it impossible to get perl56 and mod_perl 2 and apache 2 to work together...?] We have installed the same software on an other W2000 machine and that gives exactly the same results. And, since I have not seen any definite report that someone else is running this combination on W2000, we even think this Apache-mod_perl combination only works on WinNT? Can someone conferm or deny this? The current mod_perl-2 package we have I did test on a W2000 machine (and XP), with an ActivePerl 6xx build - it worked for some simple things, but seems to run into problems with more complicated stuff (for some definition of more complicated). The fact that you're not even able to start it suggests there may be an incompatibility between your Apache version (or some other library) and the one that the mod_perl-2 package was compiled against, although the versions seemed to match. But before you put in a lot of effort into resolving this, I'd encourage considering an upgrade to ActivePerl 8xx. Upgrading is a major step, but if the main concern is this issue with mod_perl, then an upgrade will definitely help in general - perl-5.8 has improved threading support over perl-5.6.1, among other things, and mod_perl 2 seems to get caught up in some issues with perl-5.6.1 that have been resolved in perl-5.8. A major concern with upgrading though is the availability of ppm packages - ActiveState's 8xx repository isn't as complete as their 6xx one. They're aware of this problem, and are working on an automated build system which hopefully will address this soon. -- best regards, randy
Re: MaxRequestsPerChild; which request am I?
On Thu, Apr 03, 2003 at 11:10:58PM -0800, Bill Moseley wrote: On Fri, 4 Apr 2003, Brian Reichert wrote: Dunno if someone has a good answer, or a suggestion of a better forum for this: Apache has a configuration directive: MaxRequestsPerChild http://httpd.apache.org/docs/mod/core.html#maxrequestsperchild In messing with Apache 1.x, is there a way, via mod-perl, of a request knowing how many requests have been served by the current child? $request++; That's what I do in some handler, and then I log it along with the PID. Eh? I'm confused. What is '$request' in that example? If you mean it's the request object, then that doesn't do what I expect. This code: warn request is [.$r.]\n; yields: request is [Apache::Request=SCALAR(0x862a9ec)] -- Bill Moseley [EMAIL PROTECTED] -- Brian 'you Bastard' Reichert[EMAIL PROTECTED] 37 Crystal Ave. #303Daytime number: (603) 434-6842 Derry NH 03038-1713 USA BSD admin/developer at large
Re: MaxRequestsPerChild; which request am I?
On Fri, 4 Apr 2003, Brian Reichert wrote: In messing with Apache 1.x, is there a way, via mod-perl, of a request knowing how many requests have been served by the current child? $request++; That's what I do in some handler, and then I log it along with the PID. Eh? I'm confused. What is '$request' in that example? If you mean it's the request object, then that doesn't do what I expect. No, it's a simple counter. It's just a variable in some module that counts requests. -- Bill Moseley [EMAIL PROTECTED]
Re: [mp2.0] W2000, Apache 2.0.45, mod_perl-2 1.99_09-dev crashes
On Fri, 4 Apr 2003, Sebastian Breier wrote: Hi. I just upgraded Apache to 2.0.45 (from 2.0.44), and now most of my perl-generated sites crash. They worked perfectly before. Server is Apache 2.0.45 on W2000 + mod_perl-2 1.99_09-dev, as said in the subject. I just checked again with 2.0.44, everything works (nothing changed except Apache). One script still works with 2.0.45, but it has only a few subs that don't do anything. Logs always show some error message like these: [Fri Apr 04 15:49:29 2003] [notice] Parent: child process exited with status 1073807364 -- Restarting. or [Fri Apr 04 15:46:53 2003] [notice] Parent: child process exited with status 3221225477 -- Restarting. Any ideas? Do I need a recompile of mod_perl-2? (I hope somebody makes one, I can't) From a later message I take it this is with ActivePerl 8xx (perl-5.8.0)? If not, and you're using ActivePerl 6xx, then it may be that you're running into a problem that others have also seen with ActivePerl 6xx and mod_perl 2 on Win32, for which an upgrade to 8xx would most likely help. If this is with ActivePerl 8xx, though, then it may be that there's an incompatibility between modules compiled against Apache 2.0.44 (which the mod_perl ppm package on our site was compiled against) and Apache 2.0.45. The Apache group says that, starting with 2.0.42, they're working at maintaining configuration and module interface compatibility, so in principle upgrading from 2.0.44 to 2.0.45 shouldn't be a problem. But with a combination of Win32 and the relative complexity of mod_perl 2, this compatibility may not have survived I've tried compiling the current cvs mod_perl 2 sources against Apache 2.0.45, but have run into a problem (unrelated to the 2.0.45 upgrade) that hasn't yet been resolved. Given the security fixes for Win32 present in 2.0.45, if you feel uneasy about reverting to 2.0.44, I could make available a mod_perl 2 package based on not-so-current cvs sources compiled against 2.0.45 until the problem in the current cvs version is fixed. -- best regards, randy kobes
Re: MaxRequestsPerChild; which request am I?
$request++; That's what I do in some handler, and then I log it along with the PID. Eh? I'm confused. What is '$request' in that example? If you mean it's the request object, then that doesn't do what I expect. This code: warn request is [.$r.]\n; yields: request is [Apache::Request=SCALAR(0x862a9ec)] I am pretty sure what he is proposing as a solution (something which I have also done): Set a normal var to 0 (say in a PerlChildInitHandler) Then in the PerlHandler increment the normal var $phase = $r-current_callback; if ($phase eq 'PerlChildInitHandler') { $reqCtr = 0; } if ($phase eq 'PerlHandler') { $reqCtr++; } Or, you could use a note and skip the global scalar. I don't think mod_perl has direct access to the current count (at least not in mp1). Matt
Re: MaxRequestsPerChild; which request am I?
On Fri, Apr 04, 2003 at 08:38:53AM -0800, Bill Moseley wrote: On Fri, 4 Apr 2003, Brian Reichert wrote: Eh? I'm confused. What is '$request' in that example? If you mean it's the request object, then that doesn't do what I expect. No, it's a simple counter. It's just a variable in some module that counts requests. Ah! you're maintaining your own counter; I see. I was looking for this element of Apache's own bookkeeping to be exposed; I suppose I should have been more specific. So, not that Bill's solution is unusable to me, let me ask my question a bit more specifically: Deep in the guts of http_main.c of Apache's source, I see code like this: void worker_main(void) { ... int total_jobs = 0; ... if (max_jobs_per_exe (total_jobs max_jobs_per_exe)) { /* Reached MaxRequestsPerChild. Stop accepting new connections * and signal the parent to start a new child process. */ ap_start_restart(1); break; } Is this 'total_jobs' exposed somehow via an Apache object? Or do I need to maintain my own counter, as per Bill's solution? -- Bill Moseley [EMAIL PROTECTED] -- Brian 'you Bastard' Reichert[EMAIL PROTECTED] 37 Crystal Ave. #303Daytime number: (603) 434-6842 Derry NH 03038-1713 USA BSD admin/developer at large
Re: MaxRequestsPerChild; which request am I?
Brian Reichert wrote: Is this 'total_jobs' exposed somehow via an Apache object? The documentation for the Apache module doesn't say anything about it, so I think you have your answer. We just use a global for this in Apache::SizeLimit. - Perrin
Re: stopping concurrent logins
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Thursday 03 April 2003 20:33, Perrin Harkins wrote: Of course you could also just totally prevent people from logging in again if there is already an active session for that user, but that will cause problems because your sessions will not get invalidated if a user shuts down his browser or crashes his machine. We did just this on our secure server. My boss was worried our customers might share their login accounts (for which they had to pay), so we set up the login authentication so, that only one session could be logged in at any given time. The sessions timed out in a couple of hours, so losing the cookie would not cause permanent loss of access. We later added a button to log out other sessions, if correct user name and password was given for an already open account. After which the user had to login again. The user authentication information was stored into a cookie. The cookie was stored also on the server. Each time the user accessed the secure server, his cookie was verified against the one stored on the server (plus, of course, verifying that the cookie was valid and authorised to access whatever resource he was trying to access). If the cookie matched the one stored on the server, access was granted. If, however, the cookie did not match, the server immediately expired the user cookie and presented a login screen. If he was able to log in, the button to log out the other session would appear, but no cookie was sent to the user, meaning he would need to provide the authentication credentials again. -BEGIN PGP SIGNATURE- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE+jdRrWD8Ca88cV68RAh0CAKCJDGoh0hf864clmwzamz4gChmhsQCfZua1 fLXzhdGbdgzN5zd11LtSHeQ= =2/M8 -END PGP SIGNATURE-
Re: stopping concurrent logins
On Fri, Apr 04, 2003 at 03:34:25PM +0200, Frank Maas wrote: You can set a session (see Apache::Session and related modules) that can use the uri as session-container as well (eg http://www.example.com/9o79876a98d7fa98d7/path/to/doc). The session part (9o79876a98d7fa98d7) can be stored in a database. Success. Technically, that doesn't solve the problem either. Since the session information is in the URL, there is nothing to stop the user from IM that URL to their friend, who then has total access, without a cookie, just by using the current users session. I must not fully understand the taboo against using cookies. It's rare that an online application, e-commerce related or otherwise, works without cookies. If you're doing anything more than browsing static data, you'll quickly become fustrated at the lack of support for non-cookie-enabled browers. Anytime web based authentication is used, people are going to need cookies. Maintaining state and security within a stateless medium is almost impossible without cookies, in my experience. I've heard of, but never seen, authentication using java or flash that maintains a persistent connection in the background using sockets to the web server. This basically registers the user's IP address with the system, and all users with that IP are considered authenticated. I'm sure more complicated solutions exist. Sorry I don't have a solution to your problem. But perhaps the problem is the requirement to not use cookies... :) Good luck, Rob --Frank -- Robert Landrum Systems Programmer
Re: [mp2.0] W2000, Apache 2.0.45, mod_perl-2 1.99_09-dev crashes
At 18:35 04.04.2003, Randy Kobes wrote: If this is with ActivePerl 8xx, though, then it may be that there's an incompatibility between modules compiled against Apache 2.0.44 (which the mod_perl ppm package on our site was compiled against) and Apache 2.0.45. The Apache group says that, starting with 2.0.42, they're working at maintaining configuration and module interface compatibility, so in principle upgrading from 2.0.44 to 2.0.45 shouldn't be a problem. But with a combination of Win32 and the relative complexity of mod_perl 2, this compatibility may not have survived I've tried compiling the current cvs mod_perl 2 sources against Apache 2.0.45, but have run into a problem (unrelated to the 2.0.45 upgrade) that hasn't yet been resolved. Given the security fixes for Win32 present in 2.0.45, if you feel uneasy about reverting to 2.0.44, I could make available a mod_perl 2 package based on not-so-current cvs sources compiled against 2.0.45 until the problem in the current cvs version is fixed. Yes, It's ActivePerl 5.8.0.805. About the mod_perl-2 recompile: It's not necessary for me. Thank You for the offer, but this machine is a private one anyway, and I can stay on 2.0.44 until the fixed CVS is there and compiled. I guess You'll drop a message here when that happens? :-) Thank You, Sebastian. -- If You're European, do something for YOUR civil rights: http://www.stop1984.com Stop software patents in the EU! http://swpat.ffii.org
RE: stopping concurrent logins
On Fri, Apr 04, 2003 at 03:34:25PM +0200, Frank Maas wrote: You can set a session (see Apache::Session and related modules) that can use the uri as session-container as well (eg http://www.example.com/9o79876a98d7fa98d7/path/to/doc). The session part (9o79876a98d7fa98d7) can be stored in a database. Success. Technically, that doesn't solve the problem either. Since the session information is in the URL, there is nothing to stop the user from IM that URL to their friend, who then has total access, without a cookie, just by using the current users session. I must not fully understand the taboo against using cookies. It's rare that an online application, e-commerce related or otherwise, works without cookies. If you're doing anything more than browsing static data, you'll quickly become fustrated at the lack of support for non-cookie-enabled browers. On the latter I totally agree. To avoid the session snatching you describe, you can store IP addresses on your site in the database. You won't solve proxyserver-problems with this though. So what about the following approach: * a user logs on and you issue a session, as part of the uri * when the user requests another page, you fetch the session from the uri, check it against your database and (let's assume it's correct) you allow access but while issueing a new session If this works (and as some people consequently add 'untested') then session snatching becomes a hell of a job. If one user logs in, and the other copies the session and retrieves a page, the session changes, so the first user has to copy the new session again. Sounds promising But to return to my first phrase: with cookies it's much more simple. --Frank PS: What I never got though... how 'bout stealing cookies from someones system?
RE: [mp2.0] W2000, Apache 2.0.45, mod_perl-2 1.99_09-dev crashes
At 18:14 04.04.2003, Melchior, Matthijs wrote: Well, the problem does not occur at installation time, that was without problem. It happens when Apache wants to load mod_perl.so, then it dies with error The specified procedure could not be found. Note, it talks about 'prodedure', not 'module'. To me this means that the loading of the module failed because the dynamic linker [the unix name, dont know the windows term...] cannot resolve a symbol in mod_perl.so or one of the referenced libraries. Unfortunately, windows does not tell me the name of the problematic symbol so I have no idea where to look! How exactly do you install Apache and mod_perl-2? My install/upgrade process is this: - Install Apache via MSI file - Open ActivePerl's PPM - Add mod_perl-2 PPM repository ( http://theoryx5.uwinnipeg.ca/cgi-bin/ppmserver?urn:/PPMServer58 ActivePerl 5.8 only) - install mod_perl from that repository, the PPM package installation will place the mod_perl.so file in the correct Apache directory. My first guess is that you are using a wrong version of mod_perl... maybe you are trying to use mod_perl-1 with Apache 2? Or maybe just an outdated mod_perl-2 with Apache 2? The way I described above works perfectly for 2.0.43 and 2.0.44... Another thing might be the config file. My current lines for mod_perl-2 in httpd.conf: Loadmodule perl_module modules/mod_perl.so (Then some handlers for my directories so .pl files get executed with mod_perl, but these only matter when you can start Apache/mod_perl at all) PerlSwitches -Mblib=C:\Apache2 PerlRequire C:/Apache2/conf/startup.pl PerlModule Apache::Reload PerlInitHandler Apache::Reload Maybe some of the rather important settings for mod_perl-2 are wrong in your config... I was thinking about boring details like versions of DLL's in \winnt\system32 and places like that If we can solve this without resorting to that comparation, even better. No idea about those, but Apache is probably away far enough from the OS to not be dependent on Win32 System DLLs... Bye, Sebastian. -- If You're European, do something for YOUR civil rights: http://www.stop1984.com Stop software patents in the EU! http://swpat.ffii.org
Re: stopping concurrent logins
On Fri, Apr 04, 2003 at 10:13:59PM +0200, Frank Maas wrote: On the latter I totally agree. To avoid the session snatching you describe, you can store IP addresses on your site in the database. You won't solve proxyserver-problems with this though. So what about the following approach: * a user logs on and you issue a session, as part of the uri * when the user requests another page, you fetch the session from the uri, check it against your database and (let's assume it's correct) you allow access but while issueing a new session Interesting idea. I assume that you're keeping the session key/ID in the URL, right? Does it break if someone hits back (and goes to a page that's full of URLs with on old session ID in them) and then clicks on one of them? -Andy
Apache::AuthTicket lookalike for DBM files
I am looking for a mod_perl implementation of mod_auth_dbm that takes cookies instead of HTTP-AUTH Basic. Or perl implementation of mod_auth_cookie, perhaps (I think mod_auth_cookie does exactly that). I was sure I would find it in CPAN, and, sure enough, AuthTicket and others are there, offering far more than I was expecting... But I could not find one that deals with NDBM files. A search for Apache::Auth* is not returning likely candidates. Unless there is a DBI/DBD driver that would allow using NDBM files with AuthTicket? There doesn't seem to be any :( I am tempted to add NDBM support to AuthTicket but I am 99.9% certain that there _has_ to be a module providing the functionality I am thinking of. Just to clarify, I don't need the 'ticket' mechanism, just cookie-based auth against DBM files, with the same options that mod_auth_dbm offers. Oh, and lazyness is one of my virtues ;) cheers, martin --
RE: stopping concurrent logins
On Fri, Apr 04, 2003 at 10:13:59PM +0200, Frank Maas wrote: On the latter I totally agree. To avoid the session snatching you describe, you can store IP addresses on your site in the database. You won't solve proxyserver-problems with this though. So what about the following approach: * a user logs on and you issue a session, as part of the uri * when the user requests another page, you fetch the session from the uri, check it against your database and (let's assume it's correct) you allow access but while issueing a new session Interesting idea. I assume that you're keeping the session key/ID in the URL, right? Does it break if someone hits back (and goes to a page that's full of URLs with on old session ID in them) and then clicks on one of them? Yep. I think that the back-button is out of the question in such a solution. Of course one could think of yet another scheme that makes it possible to use the back-button. But a more simple solution is to create a back-link on the page. --Frank
Convert Cookies--HTTP Request Headers?
Title: Convert Cookies--HTTP Request Headers? I have a unique need purely for testing purposes. I'm not very familiar (yet) with mod_perl handlers in Apache, so I've had a rough time getting anything going. Here is my goal: For every request to Apache: 1. Parse the cookie coming in via the request header 2. Pull out each value (ex: NAME=bob;TITLE=boss) 3. Convert them to HTTP Request Headers 4. Pass the request on to the requested resource (a script of some sort) So, if I have a cookie like: NAME=bob;TITLE=boss My program would then see the following headers in the request: HTTP_NAME=bob HTTP_TITLE=boss This will help me simulate a Single-Sign-On situation where the authentication handler passes all authenticated user information to the resource via headers. Can anyone help me by either: 1. Giving an outline of what handlers I would want to use, and how I can write request headers with them or 2. Writing some sample code :) NOTES: 1. I'm running Apache 2.0 and mod_perl 2 right now, but I can bump it down if required 2. I've already used mod_headers to simulate this, but unfortunately that isn't dynamic enough for testing, ie, I need to change httpd.conf and re-start the server to test different header scenarios. Thanks! Matt Kruse
RE: stopping concurrent logins
Robert, When I was designing the security for a perl/cgi system I spent a lot of time on the cookie issue. I don't have any problem myself with servers putting cookies on my machine. The subject happened to come up with one of the guys that works on the LAN at a customer of ours. He is violently against cookies. He is a technical person and works on computers but has this extreme aversion to people tracking what he is doing. I think it's more of a baseless fear of the unknown myself. Anyway, upon further investigation into this, some of the docs I read indicated cookies aren't all that reliable and will get lost if there are too many of them or the data gets too large. Apparently, the spec allows the browser to toss the data if it wants. So, I ended up using hidden variables. It is a bit of a chore, but I have never encountered an objection from a user or a session getting dropped because the data got lost. It certainly avoids the potential controversy that may come up over cookies. Chuck -Original Message- From: Robert Landrum [mailto:[EMAIL PROTECTED] Sent: Friday, April 04, 2003 11:53 AM To: [EMAIL PROTECTED] Subject: Re: stopping concurrent logins On Fri, Apr 04, 2003 at 03:34:25PM +0200, Frank Maas wrote: You can set a session (see Apache::Session and related modules) that can use the uri as session-container as well (eg http://www.example.com/9o79876a98d7fa98d7/path/to/doc). The session part (9o79876a98d7fa98d7) can be stored in a database. Success. Technically, that doesn't solve the problem either. Since the session information is in the URL, there is nothing to stop the user from IM that URL to their friend, who then has total access, without a cookie, just by using the current users session. I must not fully understand the taboo against using cookies. It's rare that an online application, e-commerce related or otherwise, works without cookies. If you're doing anything more than browsing static data, you'll quickly become fustrated at the lack of support for non-cookie-enabled browers. Anytime web based authentication is used, people are going to need cookies. Maintaining state and security within a stateless medium is almost impossible without cookies, in my experience. I've heard of, but never seen, authentication using java or flash that maintains a persistent connection in the background using sockets to the web server. This basically registers the user's IP address with the system, and all users with that IP are considered authenticated. I'm sure more complicated solutions exist. Sorry I don't have a solution to your problem. But perhaps the problem is the requirement to not use cookies... :) Good luck, Rob --Frank -- Robert Landrum Systems Programmer
AuthDBI fix for MSWin32
I'm tired of disabling IPC::SysV in AuthDBI.pm for every update. Please check some fix like this in. no strict in the child handlers cannot be evaluated at run-time but is needed for Win32. Better ways? Tested with Randy Cobes mod_perl binary for Win32. Active Perl 633, v5.6.1 built for MSWin32-x86-multi-thread PS: I'm not subscribed to this list. -- Reini Urban http://xarch.tu-graz.ac.at/home/rurban/ --- Apache-DBI-0.91/Changes~2003-02-17 14:02:27.0 +0100 +++ Apache-DBI-0.91/Changes 2003-04-02 11:16:24.0 +0200 @@ -1,5 +1,8 @@ Revision history for ApacheDBI. +0.91_01 April 2, 2003 + - MSWin32 fix: disable IPC::SysV + 0.91February 17, 2003 - Retagged and released the 0.90_02 beta as 0.91. No code changes. --- Apache-DBI-0.91/AuthDBI.pm~ 2003-02-17 14:00:12.0 +0100 +++ Apache-DBI-0.91/AuthDBI.pm 2003-04-02 11:15:12.0 +0200 @@ -3,7 +3,10 @@ use Apache (); use Apache::Constants qw( OK AUTH_REQUIRED FORBIDDEN DECLINED SERVER_ERROR ); use DBI (); -use IPC::SysV qw( IPC_CREAT IPC_RMID S_IRUSR S_IWUSR ); +if ($^O ne 'MSWin32') { + require IPC::SysV; + import IPC::SysV qw( IPC_CREAT IPC_RMID S_IRUSR S_IWUSR ); +} use strict; # $Id: AuthDBI.pm,v 1.3 2003/02/17 13:00:12 ask Exp $ @@ -644,6 +647,7 @@ # Note: this handler runs in every child server, but not in the main server. sub childinit { +no strict; # for $^O eq 'MSWin32' only my $prefix = $$ Apache::AuthDBI PerlChildInitHandler; # create (or re-use existing) semaphore set $SEMID = semget($SHMKEY, 1, IPC_CREAT|S_IRUSR|S_IWUSR); @@ -685,6 +689,7 @@ # Note: this handler runs in every child server, but not in the main server. sub childexit { +no strict; # for $^O eq 'MSWin32' only my $prefix = $$ Apache::AuthDBI PerlChildExitHandler; # read Cache from shared memory, decrement child count and exit or write Cache to shared memory semop($SEMID, $obtain_lock) or print STDERR $prefix semop failed \n;
Apache::ASP Configuration
Hi, I just installed mod_perl and Apache::ASP on my computer and I was wondering if you could tell me how to configure my Apache httpd.conf file to make ASP pages work. I tried adding in the lines from the website for configuration and then I restarted Apache. All I get is the html, but none of my ASP is working and Im just trying to get it to print out a message. Your help would be greatly appreciated.
BUG [in docs] mailing list subscription does not actually indicatelist post address
http://perl.apache.org/maillist/email-etiquette.html Posting to the list is just sending a message to the address which you will be given after you subscribe. The above should either be updated, or the welcome message should be updated. I've just subscribed to the digest version, and the welcome message didn't actually indicate the list post address. Assuming the usual conventions apply, I assume I'm sending to the correct address. Someone new to mailing lists might not be able to guess correctly. -matt (who is soon unsubscribing. Thanks for your time :)
Re: Apache::ASP Configuration
Quan Mac wrote: Hi, I just installed mod_perl and Apache::ASP on my computer and I was wondering if you could tell me how to configure my Apache httpd.conf file to make ASP pages work. I tried adding in the lines from the website for configuration and then I restarted Apache. All I get is the html, but none of my ASP is working and Im just trying to get it to print out a message. Your help would be greatly appreciated. Please see: http://www.apache-asp.org/install.html#Quick%20Start For more questions about Apache::ASP, please get on the mailing list at [EMAIL PROTECTED] Regards, Josh Josh Chamas, Founder phone:925-552-0128 Chamas Enterprises Inc.http://www.chamas.com NodeWorks Link Checkinghttp://www.nodeworks.com
[mp2] Content-Type not being set as expected
mp2 Guys, I am getting xml (seemingly) instead of html 3.2 out of Apache2/ModPerl::Registry/CGI.pm. I'm setting content type in my code like this: use CGI qw/:standard :html3/; ... print header(-type='text/html'); Has some default changed or a switch I need to set. Netscape 7.02 is barfing on this style of code. MSIE 5.5 and NN 4.79 work fine with it. I'm getting this: ?xml version=1.0 encoding=iso-8859-1? !DOCTYPE html PUBLIC -//W3C//DTD XHTML 1.0 Transitional//EN http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd; html xmlns=http://www.w3.org/1999/xhtml; lang=en-US I'm expecting this: !DOCTYPE HTML PUBLIC -//IETF//DTD HTML//EN HTMLHEAD ... Conf file: Location /perl SetHandler perl-script PerlResponseHandler ModPerl::Registry Options +ExecCGI PerlOptions +ParseHeaders /Location Thanks in advance Chuck
Re: Convert Cookies--HTTP Request Headers?
On Fri, Apr 04, 2003 at 04:10:03PM -0500, Kruse, Matt wrote: I have a unique need purely for testing purposes. I'm not very familiar (yet) with mod_perl handlers in Apache, so I've had a rough time getting anything going. Here is my goal: For every request to Apache: 1. Parse the cookie coming in via the request header 2. Pull out each value (ex: NAME=bob;TITLE=boss) 3. Convert them to HTTP Request Headers Ok, I'm confused: the cookies are already in the request header, and you want to 'convert' them into a request header? 4. Pass the request on to the requested resource (a script of some sort) So, if I have a cookie like: NAME=bob;TITLE=boss My program would then see the following headers in the request: HTTP_NAME=bob HTTP_TITLE=boss If you're using an Apache handler, see Apache::Cookie for unpeeling cookies. If you're running a classic CGI program, see CGI::Cookie for unpeeling cookies. This will help me simulate a Single-Sign-On situation where the authentication handler passes all authenticated user information to the resource via headers. When you say 'HTTP request headers', did you really mean to say 'CGI parameters', as the CGI module uses the term? Thanks! Matt Kruse -- Brian 'you Bastard' Reichert[EMAIL PROTECTED] 37 Crystal Ave. #303Daytime number: (603) 434-6842 Derry NH 03038-1713 USA BSD admin/developer at large