Subclassed Apache::Request Objects and their creation/destruction

2003-04-04 Thread Martin Moss



All,

I'm looking for some help with understanding how the Apache::Request objects
are created and destroyed.

I have the following params set in my httpd.conf

KeepAlive Off
PerlChildInitHandler Bficient::Apache::DBload

Which as I understand it should mean that an apache::Request object is
created for each request, and is destroyed at the end of a request.

So if I add 'CREATION and DESTROY' warnings to my Apache::Request code to
log when a request is being created and destroyed I should see the objects
being created and destroyed as they are used.

This would lead me to believe that when I stop apache, the only DESTROY
messages I should see are those belonging to the childInitHandler, e.g. I
should see my database handles being destroyed.

I'm just trying to get an understanding of what 'should' happen, so that I
can work out If I have a problem with my code.

I have subclassed Apache::Request and I'm seeing my subclassed
Apache::Request objects being 'DESTROYED' under an apache stop. AS WELL as
after the Request completes,

e.g. after the request completes I see this:-

$VAR1 = bless( {
                 'r' => bless( do{\(my $o = 145326836)}, 'Apache::Request' )
               }, 'Bficient::Apache::Request' );
DESTROYING Bficient::Apache::Request

But when I stop apache I see this:-

$VAR1 = bless( {
                 'r' => undef
               }, 'Bficient::Apache::Request' );
DESTROYING Bficient::Apache::Request

This doesn't look 'right', but I'm not sure.

Attached is my Bficient::Apache::Request object, If that helps.

Any help, or pointers would be greatly appreciated,

kind regards

Marty

#
#Module to subclass Apache to provide Custom Authorisation mechanisms
#Using the Apache::Session objects for each user.
#

package Bficient::Apache::Request;

use Bficient::Conf;
use lib qw(Bficient::Conf::PERL_LIB_DIR);
use Apache::Constants qw(OK REDIRECT SERVER_ERROR DECLINED FORBIDDEN);
use Apache::Cookie;
use Carp;
use Apache::Reload;
use Apache::Request;
use Bficient::Maketext;
use Data::Dumper;
use base 'Exporter';
use Bficient::DBI;
use Bficient::Apache::DBload qw($bdbh);

use MIME::Base64 qw(encode_base64 decode_base64);

use strict;

@Bficient::Apache::Request::ISA = qw(Apache::Request);
my $lh;


sub new
{

  my ($class, $r) = @_;

  #unless ($r)
  #{
    #print STDERR "making a new Request object\n";
    #$r = Apache::Request->new;
  #}


  my $self = bless {r => Apache::Request->new($r)}, $class;

  my @params=$self->param();
  print STDERR "Here's the Parameters for $class\n";
  print STDERR Dumper(@params);
  my $lang_id=$self->param('lang_id');
  if ($lang_id)
  {
    #print STDERR "Using language_id of $lang_id\n";
    $lh=Bficient::Maketext->get_handle($class,$lang_id);
  }
  else
  {
    #print STDERR "Using Default language_id of Bficient::Conf::DEFAULT_LANGUAGE_ID\nXX\n";
    $lh=Bficient::Maketext->get_handle($class,Bficient::Conf::DEFAULT_LANGUAGE_ID);
  }

  #print STDERR "Creating ".ref($self)."\n";
  #$self->interpret_uri;
  return $self;
}

sub DESTROY
{
  my $self=shift;
  print STDERR Dumper($self);
  print STDERR "DESTROYING ".ref($self)."\n";
  #$self->SUPER->DESTROY();
}

sub current_db_id
{
  my $self=shift;
  my $db_id;
  if($self->param('db_id'))
  {
    $db_id=$self->param('db_id');
    die $self->lh->maketext("Empty database ID string Used in Parameters\n") unless $db_id;
  }
  else
  {
    my $current_plugin=$self->current_plugin;
    #print STDERR Dumper($current_plugin);
    my $current_plugin_id=$current_plugin->id;
    #print STDERR "PluginID='$current_plugin_id'\n";
    my $database=Bficient::Database->new({_load_default_plugin_database=>$current_plugin_id,dbh=>$bdbh,lang_id=>$self->lang_id});
    $db_id=$database->id;
  }

  return $db_id;
}

#sub make_plugin_html
#{
  #my $self=shift;
  #my $tt_href=shift;
#
  #my $html='';
#
  #my $db_id=$self->current_db_id;
  #
  #my $tt_file = Bficient::Conf::FRAMEWORK_TOPBAR_TEMPLATE;
  #$tt_file=~s/\/\//\//;
  #my $template = Template->new(Bficient::Conf::TT2_CONFIG);
  #my @[EMAIL PROTECTED]::Plugin->all({dbh=>$bdbh})};
  ##print STDERR Dumper (@plugins);
  #my @non_admin=();
  #foreach my $plugin (@plugins)
  #{
    #if ($plugin->Name eq Bficient::Conf::ADMIN_PLUGIN_NAME )
    #{
      #$tt_href->{admin_plugin}=$plugin;
    #}
    #else
    #{
      #push @non_admin, $plugin;
    #}
  #}
#
  #$tt_href->{r}=$self;
  #$tt_href-[EMAIL PROTECTED];
  #$tt_href->{plugin_count}=scalar(@non_admin);
  #$tt_href->{current_uri}=$self->uri;
#
  ##print STDERR "tt_VARS=\n";
  ##print STDERR Dumper(%tt_vars);
#
  #my $tt_out=$self->process_template($tt_file, $tt_href);
#
  #return $tt_out;
#}

sub user_object
{
  my $self=shift;
  my $session_id=shift;

  my $uh;
  if ($uh)
  {
    my $un=$uh->UserName;
    #print STDERR "HERE IS MY UH for '$un'\n";
    #print STDERR Dumper($uh);
    print STDERR $lh->maketext("Using Previously Cached user_object for

stopping concurrent logins

2003-04-04 Thread Todd White
i'm sure this is not a novel need, but i have failed to find or come up
with just yet any (non-cookie) solution yet.  i'm trying dearly to avoid
cookies, but if that's the best or only way to do this, feel free to speak
up.  i'd love to hear from someone who has already tackled the problem of
stopping concurrent web logins to a protected web space.

realizing that ultimately people can share their username/password to a
for-fee protected web site, we would at *least* like to avoid the
possibility that two people could both be logged in at the same time from
two different computers.  the use of IP address doesn't seem adequate
since many users come through a router/proxy running NAT.

any pointers?



RE: [mp2.0] W2000, Apache 2.0.43 + mod_perl 1.99_09 does not start

2003-04-04 Thread Melchior, Matthijs

Randy,
 sorry for the text+html, I am trying to get that changed...


 -Original Message-
 From: Randy Kobes [mailto:[EMAIL PROTECTED]]
 Sent: Thursday, April 03, 2003 17:59
.
 
 On Thu, 3 Apr 2003, Melchior, Matthijs wrote:
 
  Hello,
   We have a problem getting mod_perl to run on a W2000 server.
  It does work on another machine running WinNT4, so I think there are
  no errors in my configuration files.
  
  httpd.conf:
  176: LoadModule perl_module modules/mod_perl.so
  
  C:\Apache2\bin>.\apache -t
  Syntax error on line 176 of C:/Apache2/conf/httpd.conf:
  Cannot load C:/Apache2/modules/mod_perl.so into server:
  The specified procedure could not be found.
   
  C:\Apache2\bin>
  
  If we refer to some other symbol as module descriptor,
  one that does not exist, the error does not change.
  
  We have everything installed from binary packages:
.
 
  We think there is something missing on the W2000 server, but have run
  out of ideas what that could be!
 
 Does putting in a directive
 LoadFile /Path/to/Perl/bin/perl56.dll


This was already present, and removing it does not make a difference.


 in httpd.conf help (before loading mod_perl.so)? Also, when you
 installed the mod_perl-2 ppm package, did mod_perl.so get copied
 properly to your Apache modules/ directory? Sometimes this
 doesn't work for some versions of ppm, and you may unknowingly
 be using an old mod_perl.so. If this didn't install correctly, 
 you can extract mod_perl.so from mod_perl-2.tar.gz found in
 http://theoryx5.uwinnipeg.ca/ppmpackages/x86/


Yes, we know for sure the mod_perl.so file is located in the correct
location, experiments have shown there is a different error message
when that is not the case [The specified module could not be found.]



 Unfortunately, even if you get this working, you may encounter
 problems with mod_perl 2 with ActivePerl 6xx (based on
 perl-5.6.1), due to some threading issues that have been
 addressed in ActivePerl 8xx (based on perl-5.8.0). Is it possible
 to upgrade to ActivePerl 805?


This is unfortunate, we are reluctant to upgrade to perl 5.8 before
this issue is resolved. [Or is this problem more than a
performance problem and is it impossible to get perl56 and mod_perl 2
and apache 2 to work together...?]


We have installed the same software on another W2000 machine and
that gives exactly the same results.
And, since I have not seen any definite report that someone else
is running this combination on W2000, we even think this Apache-mod_perl
combination only works on WinNT?
  Can someone confirm or deny this?



-- 
best regards,
randy kobes





checking what values have been set using pnotes/notes

2003-04-04 Thread Martin Moss



All,

Is there a way to work out what values have been 
set using pnotes/notes, So that a cleanup Handler 
can dynamically clear the values, rather than only clear ones 
pre-programmed?

Marty



Re: checking what values have been set using pnotes/notes

2003-04-04 Thread Geoffrey Young


Martin Moss wrote:
> All,
>
> Is there a way to work out what values have been set using pnotes/notes, 
> So that a cleanup Handler can dynamically clear the values, rather than 
> only clear ones pre-programmed?

both notes and pnotes are guaranteed fresh at the start of each request, so 
there is no need for you to clean them up yourself.

--Geoff



RE: [mp2.0] W2000, Apache 2.0.45, mod_perl-2 1.99_09-dev crashes

2003-04-04 Thread Melchior, Matthijs

Sebastian,
 Sooo, it IS possible to get this running on W2000.
thanks!


Now the big question: what is different between your system
and ours...?


Do you remember what happened during install,
what non-standard files [installed after base W2000] you have
on your machine, or any other things that may explain the difference.


We can get in touch off-list and exchange more details



 -Original Message-
 From: Sebastian Breier [mailto:[EMAIL PROTECTED]]
 Sent: Friday, April 04, 2003 15:58
 To: [EMAIL PROTECTED]
 Subject: [mp2.0] W2000, Apache 2.0.45, mod_perl-2 1.99_09-dev crashes
 
 
 Hi.
 
 I just upgraded Apache to 2.0.45 (from 2.0.44),
 and now most of my perl-generated sites crash.
 They worked perfectly before.
 
 Server is Apache 2.0.45 on W2000 + mod_perl-2 1.99_09-dev,
 as said in the subject.
 
 I just checked again with 2.0.44, everything works
 (nothing changed except Apache).
 
 One script still works with 2.0.45, but it has only a few 
 subs that don't do anything.
 
 Logs always show some error message like these:
 
 [Fri Apr 04 15:49:29 2003] [notice] Parent: child process exited with 
 status 1073807364 -- Restarting.
 
 or
 
 [Fri Apr 04 15:46:53 2003] [notice] Parent: child process exited with 
 status 3221225477 -- Restarting.
 
 Any ideas? Do I need a recompile of mod_perl-2? (I hope 
 somebody makes one, I can't)
 
 Thank You,
 Sebastian.
 
 -- 
 If You're European, do something for YOUR civil rights: 
 http://www.stop1984.com
 Stop software patents in the EU! http://swpat.ffii.org 



Sorry I cannot help with your Apache 2.0.45 problem,
we're not there yet...


-- 
Thanks,
 Matthijs Melchior.





RE: [mp2.0] W2000, Apache 2.0.45, mod_perl-2 1.99_09-dev crashes

2003-04-04 Thread Sebastian Breier
At 17:38 04.04.2003, Melchior, Matthijs wrote:

> Sebastian,
> Sooo, it IS possible to get this running on W2000.
> thanks!

Of course it's possible... :-P
I've been running it for a year now I think... though my main Apache box is 
WinNT 4 SP6a.

> Now the big question: what is different between your system
> and ours...?
> Do you remember what happened during install,
> what non-standard files [installed after base W2000] you have
> on your machine, or any other things that may explain the difference.

Nothing special... Win2k Pro SP2, some patches for security...

What exactly is your problem with the installation?
Mine went through without complaining, and the Apache worked after that.
mod_perl-2 is installed over ActivePerl 5.8's PPM shell.
No problems anywhere. Just now with 2.0.45. :-)

> We can get in touch off-list and exchange more details

Sure... maybe this annoys the other list-readers...
but maybe it's also helpful for others!

Bye,
Sebastian.
--
If You're European, do something for YOUR civil rights: http://www.stop1984.com
Stop software patents in the EU! http://swpat.ffii.org 



RE: [mp2.0] W2000, Apache 2.0.45, mod_perl-2 1.99_09-dev crashes

2003-04-04 Thread Melchior, Matthijs

Sebastian,


 -Original Message-
 From: Sebastian Breier [mailto:[EMAIL PROTECTED]]
 Sent: Friday, April 04, 2003 17:51

 
 At 17:38 04.04.2003, Melchior, Matthijs wrote:
 
 Sebastian,
  Sooo, it IS possible to get this running on W2000.
 thanks!
 
 Of course it's possible... :-P
 I've been running it for a year now I think... though my main 
 Apache box is WinNT 4 SP6a.
 
 Now the big question: what is different between your system
 and ours...?
 
 Do you remember what happened during install,
 what non-standard files [installed after base W2000] you have
 on your machine, or any other things that may explain the difference.
 
 Nothing special... Win2k Pro SP2, some patches for security...
 
 What exactly is your problem with the installation?
 Mine went through without complaining, and the Apache worked 
 after that.


Well, the problem does not occur at installation time, that was
without problem. It happens when Apache wants to load mod_perl.so,
then it dies with error "The specified procedure could not be found."
Note, it talks about 'procedure', not 'module'. To me this
means that the loading of the module failed because the
dynamic linker [the unix name, don't know the windows term...]
cannot resolve a symbol in mod_perl.so or one of the referenced
libraries. Unfortunately, windows does not tell me the name of
the problematic symbol so I have no idea where to look!



 mod_perl-2 is installed over ActivePerl 5.8's PPM shell.
 
 No problems anywhere. Just now with 2.0.45. :-)
 
 We can get in touch off-list and exchange more details
 
 Sure... maybe this annoys the other list-readers...
 but maybe it's also helpful for others!


I was thinking about boring details like versions of DLL's in
\winnt\system32 and places like that. If we can solve this
without resorting to that comparison, even better.


 
 Bye,
 Sebastian.
 
 -- 
 If You're European, do something for YOUR civil rights: 
 http://www.stop1984.com
 Stop software patents in the EU! http://swpat.ffii.org 



-- 
Thanks,
 Matthijs Melchior.


[can't access this mailbox during the weekend...]





RE: [mp2.0] W2000, Apache 2.0.43 + mod_perl 1.99_09 does not start

2003-04-04 Thread Randy Kobes
On Fri, 4 Apr 2003, Melchior, Matthijs wrote:

  -Original Message-
  From: Randy Kobes [mailto:[EMAIL PROTECTED]
  Sent: Thursday, April 03, 2003 17:59
  
  On Thu, 3 Apr 2003, Melchior, Matthijs wrote:
  
   Hello,
 We have a problem getting mod_perl to run on a W2000 server.
   It does work on another machine running WinNT4, so I think there are
   no errors in my configuration files.
   
   httpd.conf:
   176: LoadModule perl_module modules/mod_perl.so
   
   C:\Apache2\bin>.\apache -t
   Syntax error on line 176 of C:/Apache2/conf/httpd.conf:
   Cannot load C:/Apache2/modules/mod_perl.so into server:
The specified procedure could not be found.
 .
  
   We think there is something missing on the W2000 server, but have run
   out of ideas what that could be!
  
  Unfortunately, even if you get this working, you may encounter
  problems with mod_perl 2 with ActivePerl 6xx (based on
  perl-5.6.1), due to some threading issues that have been
  addressed in ActivePerl 8xx (based on perl-5.8.0). Is it possible
  to upgrade to ActivePerl 805?
 
 This is unfortunate, we are reluctant to upgrade to perl 5.8 before
 this issue is resolved. [Or is this problem more than a
 performance problem and is it impossible to get perl56 and mod_perl 2
 and apache 2 to work together...?]
 
 We have installed the same software on another W2000 machine and
 that gives exactly the same results.
 And, since I have not seen any definite report that someone else
 is running this combination on W2000, we even think this Apache-mod_perl
 combination only works on WinNT?
   Can someone confirm or deny this?

The current mod_perl-2 package we have I did test on a W2000
machine (and XP), with an ActivePerl 6xx build - it worked for
some simple things, but seems to run into problems with more
complicated stuff (for some definition of more complicated).  
The fact that you're not even able to start it suggests there may
be an incompatibility between your Apache version (or some other
library) and the one that the mod_perl-2 package was compiled
against, although the versions seemed to match.

But before you put in a lot of effort into resolving this, I'd
encourage considering an upgrade to ActivePerl 8xx. Upgrading is
a major step, but if the main concern is this issue with
mod_perl, then an upgrade will definitely help in general -
perl-5.8 has improved threading support over perl-5.6.1, among
other things, and mod_perl 2 seems to get caught up in some
issues with perl-5.6.1 that have been resolved in perl-5.8. A
major concern with upgrading though is the availability of ppm
packages - ActiveState's 8xx repository isn't as complete as
their 6xx one. They're aware of this problem, and are working on
an automated build system which hopefully will address this soon.

-- 
best regards,
randy



Re: MaxRequestsPerChild; which request am I?

2003-04-04 Thread Brian Reichert
On Thu, Apr 03, 2003 at 11:10:58PM -0800, Bill Moseley wrote:
 On Fri, 4 Apr 2003, Brian Reichert wrote:
 
  Dunno if someone has a good answer, or a suggestion of a better
  forum for this:
  
  Apache has a configuration directive: MaxRequestsPerChild
  
http://httpd.apache.org/docs/mod/core.html#maxrequestsperchild
  
  In messing with Apache 1.x, is there a way, via mod-perl, of a
  request knowing how many requests have been served by the current
  child?
 
 
 $request++;
 
 That's what I do in some handler, and then I log it along with the PID.

Eh?  I'm confused.  What is '$request' in that example?  If you
mean it's the request object, then that doesn't do what I expect.

This code:

  warn "request is [".$r."]\n";

yields:

  request is [Apache::Request=SCALAR(0x862a9ec)]

 -- 
 Bill Moseley [EMAIL PROTECTED]

-- 
Brian 'you Bastard' Reichert    [EMAIL PROTECTED]
37 Crystal Ave. #303            Daytime number: (603) 434-6842
Derry NH 03038-1713 USA         BSD admin/developer at large


Re: MaxRequestsPerChild; which request am I?

2003-04-04 Thread Bill Moseley
On Fri, 4 Apr 2003, Brian Reichert wrote:

   In messing with Apache 1.x, is there a way, via mod-perl, of a
   request knowing how many requests have been served by the current
   child?
  
  
  $request++;
  
  That's what I do in some handler, and then I log it along with the PID.
 
 Eh?  I'm confused.  What is '$request' in that example?  If you
 mean it's the request object, then that doesn't do what I expect.

No, it's a simple counter.  It's just a variable in some module that
counts requests.






-- 
Bill Moseley [EMAIL PROTECTED]



Re: [mp2.0] W2000, Apache 2.0.45, mod_perl-2 1.99_09-dev crashes

2003-04-04 Thread Randy Kobes
On Fri, 4 Apr 2003, Sebastian Breier wrote:

 Hi.
 
 I just upgraded Apache to 2.0.45 (from 2.0.44),
 and now most of my perl-generated sites crash.
 They worked perfectly before.
 
 Server is Apache 2.0.45 on W2000 + mod_perl-2 1.99_09-dev,
 as said in the subject.
 
 I just checked again with 2.0.44, everything works
 (nothing changed except Apache).
 
 One script still works with 2.0.45, but it has only a few subs
 that don't do anything.
 
 Logs always show some error message like these:
 
 [Fri Apr 04 15:49:29 2003] [notice] Parent: child process exited with 
 status 1073807364 -- Restarting.
 or
 [Fri Apr 04 15:46:53 2003] [notice] Parent: child process exited with 
 status 3221225477 -- Restarting.
 
 Any ideas? Do I need a recompile of mod_perl-2? (I hope
 somebody makes one, I can't)

From a later message I take it this is with ActivePerl 8xx
(perl-5.8.0)? If not, and you're using ActivePerl 6xx, then it
may be that you're running into a problem that others have also
seen with ActivePerl 6xx and mod_perl 2 on Win32, for which an
upgrade to 8xx would most likely help.

If this is with ActivePerl 8xx, though, then it may be that
there's an incompatibility between modules compiled against
Apache 2.0.44 (which the mod_perl ppm package on our site was
compiled against) and Apache 2.0.45. The Apache group says that,
starting with 2.0.42, they're working at maintaining
configuration and module interface compatibility, so in principle
upgrading from 2.0.44 to 2.0.45 shouldn't be a problem. But with
a combination of Win32 and the relative complexity of mod_perl 2,
this compatibility may not have survived  I've tried
compiling the current cvs mod_perl 2 sources against Apache
2.0.45, but have run into a problem (unrelated to the 2.0.45
upgrade) that hasn't yet been resolved. Given the security fixes
for Win32 present in 2.0.45, if you feel uneasy about reverting
to 2.0.44, I could make available a mod_perl 2 package based on
not-so-current cvs sources compiled against 2.0.45 until the
problem in the current cvs version is fixed.

-- 
best regards,
randy kobes



Re: MaxRequestsPerChild; which request am I?

2003-04-04 Thread Matt



>> $request++;
>>
>> That's what I do in some handler, and then I log it along with the PID.
>
> Eh?  I'm confused.  What is '$request' in that example?  If you
> mean it's the request object, then that doesn't do what I expect.
>
> This code:
>
>   warn "request is [".$r."]\n";
>
> yields:
>
>   request is [Apache::Request=SCALAR(0x862a9ec)]

I am pretty sure what he is proposing as a solution (something which I have 
also done):

Set a normal var to 0 (say in a PerlChildInitHandler)
Then in the PerlHandler increment the normal var

$phase = $r->current_callback;

if ($phase eq 'PerlChildInitHandler')
{
   $reqCtr = 0;
}
if ($phase eq 'PerlHandler')
{
   $reqCtr++;
}

Or, you could use a note and skip the global scalar.

I don't think mod_perl has direct access to the current count (at least not 
in mp1).

Matt









Re: MaxRequestsPerChild; which request am I?

2003-04-04 Thread Brian Reichert
On Fri, Apr 04, 2003 at 08:38:53AM -0800, Bill Moseley wrote:
 On Fri, 4 Apr 2003, Brian Reichert wrote:
  Eh?  I'm confused.  What is '$request' in that example?  If you
  mean it's the request object, then that doesn't do what I expect.
 
 No, it's a simple counter.  It's just a variable in some module that
 counts requests.

Ah!  you're maintaining your own counter; I see.

I was looking for this element of Apache's own bookkeeping to be
exposed; I suppose I should have been more specific.

So, not that Bill's solution is unusable to me, let me ask my
question a bit more specifically:

Deep in the guts of http_main.c of Apache's source, I see code like
this:

  void worker_main(void)
  {
  ...

  int total_jobs = 0;

  ...

      if (max_jobs_per_exe && (total_jobs > max_jobs_per_exe)) {
          /* Reached MaxRequestsPerChild. Stop accepting new connections
           * and signal the parent to start a new child process.
           */
          ap_start_restart(1);
          break;
      }

Is this 'total_jobs' exposed somehow via an Apache object?  Or do
I need to maintain my own counter, as per Bill's solution?
  
 -- 
 Bill Moseley [EMAIL PROTECTED]

-- 
Brian 'you Bastard' Reichert    [EMAIL PROTECTED]
37 Crystal Ave. #303            Daytime number: (603) 434-6842
Derry NH 03038-1713 USA         BSD admin/developer at large


Re: MaxRequestsPerChild; which request am I?

2003-04-04 Thread Perrin Harkins
Brian Reichert wrote:
> Is this 'total_jobs' exposed somehow via an Apache object?

The documentation for the Apache module doesn't say anything about it, 
so I think you have your answer.  We just use a global for this in 
Apache::SizeLimit.

- Perrin



Re: stopping concurrent logins

2003-04-04 Thread Juha-Mikko Ahonen

On Thursday 03 April 2003 20:33, Perrin Harkins wrote:
 Of course you could also just totally prevent people from logging in
 again if there is already an active session for that user, but that
 will cause problems because your sessions will not get invalidated if
 a user shuts down his browser or crashes his machine.

We did just this on our secure server. My boss was worried our customers 
might share their login accounts (for which they had to pay), so we set 
up the login authentication so, that only one session could be logged 
in at any given time.

The sessions timed out in a couple of hours, so losing the cookie would 
not cause permanent loss of access. We later added a button to log out 
other sessions, if correct user name and password was given for an 
already open account. After which the user had to login again.

The user authentication information was stored into a cookie. The cookie 
was stored also on the server. Each time the user accessed the secure 
server, his cookie was verified against the one stored on the server 
(plus, of course, verifying that the cookie was valid and authorised to 
access whatever resource he was trying to access). If the cookie 
matched the one stored on the server, access was granted. If, however, 
the cookie did not match, the server immediately expired the user 
cookie and presented a login screen. If he was able to log in, the 
button to log out the other session would appear, but no cookie was 
sent to the user, meaning he would need to provide the authentication 
credentials again.

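
The scheme described in the post above, as an added example (not code from the post or from any module named on this list): one server-side session record per account, a per-request comparison of the presented cookie with the stored one, a timeout, and the "log out other sessions" step. The package name, the two-hour lifetime, the plaintext password table and the in-memory store are assumptions for illustration, and it reads /dev/urandom, so it assumes a Unix-like host.

```perl
#!/usr/bin/perl
use strict;
use warnings;

package SingleSessionStore;    # hypothetical name, not a CPAN module

# Assumed lifetime; the post only says sessions timed out in a couple of hours.
use constant TTL => 2 * 60 * 60;

sub new {
    my ($class, %args) = @_;
    # users: name => password. Constructed sample data; a real store keeps hashes.
    return bless { users => $args{users}, active => {} }, $class;
}

# 128 random bits from the kernel CSPRNG, hex encoded.
sub _new_token {
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    (read($fh, my $raw, 16) // 0) == 16 or die "short read from /dev/urandom";
    return unpack 'H*', $raw;
}

# String comparison that does not stop at the first differing character.
sub _same {
    my ($x, $y) = @_;
    return 0 unless length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0 ? 1 : 0;
}

sub _password_ok {
    my ($self, $user, $pass) = @_;
    return 0 unless defined($user) && defined($pass);
    my $known = $self->{users}{$user};
    return (defined($known) && _same($known, $pass)) ? 1 : 0;
}

# Returns the live session record for $user, dropping it once it has timed out.
sub _live {
    my ($self, $user, $now) = @_;
    my $s = $self->{active}{$user} or return;
    return $s if $now < $s->{expires};
    delete $self->{active}{$user};
    return;
}

# Login. Returns ('ok', $cookie), ('busy') when another session is live
# (no cookie is issued in that case), or ('denied').
sub login {
    my ($self, $user, $pass, $now) = @_;
    return ('denied') unless $self->_password_ok($user, $pass);
    return ('busy') if $self->_live($user, $now);
    my $token = _new_token();
    $self->{active}{$user} = { token => $token, expires => $now + TTL };
    return ('ok', "$user:$token");
}

# The "log out other sessions" button: needs the credentials again and
# only clears the stored session; the caller must then log in afresh.
sub logout_others {
    my ($self, $user, $pass) = @_;
    return 0 unless $self->_password_ok($user, $pass);
    delete $self->{active}{$user};
    return 1;
}

# Per-request check: 'granted' if the presented cookie is the stored one,
# otherwise 'login' (expire the browser cookie and show the login screen).
sub check {
    my ($self, $cookie, $now) = @_;
    my ($user, $token) = split /:/, (defined $cookie ? $cookie : ''), 2;
    return 'login' unless defined($user) && defined($token);
    my $s = $self->_live($user, $now) or return 'login';
    return _same($s->{token}, $token) ? 'granted' : 'login';
}

package main;

# Constructed walk-through with a fake clock (seconds).
my $store = SingleSessionStore->new(users => { alice => 'correct horse' });
my $t0 = 1_000_000;

my ($s1, $cookie_a) = $store->login('alice', 'correct horse', $t0);
print "browser A login:            $s1\n";
print "browser A request:          ", $store->check($cookie_a, $t0 + 60), "\n";

my ($s2) = $store->login('alice', 'correct horse', $t0 + 120);
print "browser B login:            $s2\n";

$store->logout_others('alice', 'correct horse');
my ($s3, $cookie_b) = $store->login('alice', 'correct horse', $t0 + 180);
print "browser B login after kick: $s3\n";
print "browser B request:          ", $store->check($cookie_b, $t0 + 240), "\n";
print "browser A request:          ", $store->check($cookie_a, $t0 + 240), "\n";

my $late = $t0 + 180 + SingleSessionStore::TTL();
print "browser B after timeout:    ", $store->check($cookie_b, $late), "\n";
```

Once browser B has taken over, browser A's cookie no longer matches the stored one, so A is sent back to the login screen on its next request.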



Re: stopping concurrent logins

2003-04-04 Thread Robert Landrum
On Fri, Apr 04, 2003 at 03:34:25PM +0200, Frank Maas wrote:
 You can set a session (see Apache::Session and related modules) that
 can use the uri as session-container as well (eg
 http://www.example.com/9o79876a98d7fa98d7/path/to/doc). The session
 part (9o79876a98d7fa98d7) can be stored in a database.
 
 Success.

Technically, that doesn't solve the problem either.  Since the session 
information is in the URL, there is nothing to stop the user from IM that URL
to their friend, who then has total access, without a cookie, just by using
the current user's session.

I must not fully understand the taboo against using cookies.  It's rare that
an online application, e-commerce related or otherwise, works without cookies.
If you're doing anything more than browsing static data, you'll quickly become
frustrated at the lack of support for non-cookie-enabled browsers.

Anytime web based authentication is used, people are going to need cookies.
Maintaining state and security within a stateless medium is almost impossible
without cookies, in my experience.

I've heard of, but never seen, authentication using java or flash that
maintains a persistent connection in the background using sockets to the
web server.  This basically registers the user's IP address with the
system, and all users with that IP are considered authenticated.  I'm sure more
complicated solutions exist.

Sorry I don't have a solution to your problem.  But perhaps the problem is
the requirement to not use cookies...  :)

Good luck,

Rob

 
 --Frank

-- 
Robert Landrum
Systems Programmer


Re: [mp2.0] W2000, Apache 2.0.45, mod_perl-2 1.99_09-dev crashes

2003-04-04 Thread Sebastian Breier
At 18:35 04.04.2003, Randy Kobes wrote:
> If this is with ActivePerl 8xx, though, then it may be that
> there's an incompatibility between modules compiled against
> Apache 2.0.44 (which the mod_perl ppm package on our site was
> compiled against) and Apache 2.0.45. The Apache group says that,
> starting with 2.0.42, they're working at maintaining
> configuration and module interface compatibility, so in principle
> upgrading from 2.0.44 to 2.0.45 shouldn't be a problem. But with
> a combination of Win32 and the relative complexity of mod_perl 2,
> this compatibility may not have survived  I've tried
> compiling the current cvs mod_perl 2 sources against Apache
> 2.0.45, but have run into a problem (unrelated to the 2.0.45
> upgrade) that hasn't yet been resolved. Given the security fixes
> for Win32 present in 2.0.45, if you feel uneasy about reverting
> to 2.0.44, I could make available a mod_perl 2 package based on
> not-so-current cvs sources compiled against 2.0.45 until the
> problem in the current cvs version is fixed.

Yes, It's ActivePerl 5.8.0.805.

About the mod_perl-2 recompile: It's not necessary for me.
Thank You for the offer, but this machine is a private one anyway,
and I can stay on 2.0.44 until the fixed CVS is there and compiled.
I guess You'll drop a message here when that happens? :-)

Thank You,
Sebastian.
--
If You're European, do something for YOUR civil rights: http://www.stop1984.com
Stop software patents in the EU! http://swpat.ffii.org 



RE: stopping concurrent logins

2003-04-04 Thread Frank Maas
 On Fri, Apr 04, 2003 at 03:34:25PM +0200, Frank Maas wrote:
 You can set a session (see Apache::Session and related modules) that
 can use the uri as session-container as well (eg
 http://www.example.com/9o79876a98d7fa98d7/path/to/doc). The session
 part (9o79876a98d7fa98d7) can be stored in a database.
 
 Success.
 
 Technically, that doesn't solve the problem either.  Since the session
 information is in the URL, there is nothing to stop the user from IM
 that URL to their friend, who then has total access, without a
 cookie, just by using the current user's session.
 
 I must not fully understand the taboo against using cookies. It's
 rare that an online application, e-commerce related or otherwise,
 works without cookies. If you're doing anything more than browsing
 static data, you'll quickly become frustrated at the lack of support
 for non-cookie-enabled browsers. 

On the latter I totally agree. To avoid the session snatching you
describe, you can store IP addresses on your site in the database.
You won't solve proxyserver-problems with this though. So what about
the following approach:
* a user logs on and you issue a session, as part of the uri
* when the user requests another page, you fetch the session
  from the uri, check it against your database and (let's 
  assume it's correct) you allow access but while issuing
  a new session
If this works (and as some people consequently add 'untested') then
session snatching becomes a hell of a job. If one user logs in, and
the other copies the session and retrieves a page, the session 
changes, so the first user has to copy the new session again. Sounds
promising. But to return to my first phrase: with cookies it's
much more simple.

--Frank

PS: What I never got though... how 'bout stealing cookies from 
someone's system?
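
The rotating session described in the message above, as an added example (not code from the thread): every accepted request retires the token it arrived with and hands back a fresh one for the URIs of the next page. The package name and the in-memory tables are assumptions; telling a retired token ('stale') apart from one never issued ('unknown') goes beyond what the message describes and is included so that reuse of an old URL can be logged. It reads /dev/urandom, so it assumes a Unix-like host.

```perl
#!/usr/bin/perl
use strict;
use warnings;

package RotatingSession;    # hypothetical name, not a CPAN module

# live: token => user for the one token currently valid per login.
# retired: tokens that were valid once; a real store would expire these.
sub new { return bless { live => {}, retired => {} }, shift }

# 128 random bits from the kernel CSPRNG, hex encoded.
sub _new_token {
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    (read($fh, my $raw, 16) // 0) == 16 or die "short read from /dev/urandom";
    return unpack 'H*', $raw;
}

# Start a session after a successful login (authentication is out of scope here).
sub issue {
    my ($self, $user) = @_;
    my $token = _new_token();
    $self->{live}{$token} = $user;
    return $token;
}

# Handle one request carrying $token in the URI.
# Returns ('ok', $user, $next_token), ('stale', $user) for a token that was
# valid once but has been rotated away, or ('unknown').
sub request {
    my ($self, $token) = @_;
    return ('unknown') unless defined $token;
    if (defined(my $user = delete $self->{live}{$token})) {
        $self->{retired}{$token} = $user;    # kept for reuse detection
        return ('ok', $user, $self->issue($user));
    }
    return ('stale', $self->{retired}{$token}) if exists $self->{retired}{$token};
    return ('unknown');
}

package main;

# Constructed walk-through.
my $srv = RotatingSession->new;
my $t1  = $srv->issue('alice');              # token in the first page's links

my ($r1, undef, $t2) = $srv->request($t1);   # alice follows a link
print "alice, first click:      $r1\n";

my ($r2) = $srv->request($t1);               # the same URL presented again
print "old URL presented again: $r2\n";

my ($r3, undef, $t3) = $srv->request($t2);   # a copy of the current URL gets in first
print "copied current URL:      $r3\n";

my ($r4) = $srv->request($t2);               # alice's own next click
print "alice, next click:       $r4\n";

my ($r5) = $srv->request('0' x 32);          # a token that was never issued
print "made-up token:           $r5\n";
```

Whoever presents the current token first moves the session on, so the other party's next request arrives with a retired token and is reported as stale rather than served.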


RE: [mp2.0] W2000, Apache 2.0.45, mod_perl-2 1.99_09-dev crashes

2003-04-04 Thread Sebastian Breier
At 18:14 04.04.2003, Melchior, Matthijs wrote:
> Well, the problem does not occur at installation time, that was
> without problem. It happens when Apache wants to load mod_perl.so,
> then it dies with error "The specified procedure could not be found."
> Note, it talks about 'procedure', not 'module'.  To me this
> means that the loading of the module failed because the
> dynamic linker [the unix name, don't know the windows term...]
> cannot resolve a symbol in mod_perl.so or one of the referenced
> libraries. Unfortunately, windows does not tell me the name of
> the problematic symbol so I have no idea where to look!

How exactly do you install Apache and mod_perl-2?

My install/upgrade process is this:

- Install Apache via MSI file
- Open ActivePerl's PPM
- Add mod_perl-2 PPM repository ( 
http://theoryx5.uwinnipeg.ca/cgi-bin/ppmserver?urn:/PPMServer58 ActivePerl 
5.8 only)
- install mod_perl from that repository, the PPM package installation will 
place the mod_perl.so file in the correct Apache directory.

My first guess is that you are using a wrong version of mod_perl... maybe 
you are trying to use mod_perl-1 with Apache 2?
Or maybe just an outdated mod_perl-2 with Apache 2?
The way I described above works perfectly for 2.0.43 and 2.0.44...

Another thing might be the config file.
My current lines for mod_perl-2 in httpd.conf:
Loadmodule perl_module modules/mod_perl.so
(Then some handlers for my directories so .pl files get executed with mod_perl,
but these only matter when you can start Apache/mod_perl at all)
PerlSwitches -Mblib=C:\Apache2
PerlRequire C:/Apache2/conf/startup.pl
PerlModule Apache::Reload
PerlInitHandler Apache::Reload
Maybe some of the rather important settings for mod_perl-2 are wrong in 
your config...

> I was thinking about boring details like versions of DLL's in
> \winnt\system32 and places like that.  If we can solve this
> without resorting to that comparison, even better.

No idea about those, but Apache is probably far enough away from the OS to
not be dependent on Win32 System DLLs...

Bye,
Sebastian.
--
If You're European, do something for YOUR civil rights: http://www.stop1984.com
Stop software patents in the EU! http://swpat.ffii.org 



Re: stopping concurrent logins

2003-04-04 Thread Andrew Moore
On Fri, Apr 04, 2003 at 10:13:59PM +0200, Frank Maas wrote:
> On the latter I totally agree. To avoid the session snatching you
> describe, you can store IP addresses on your site in the database.
> You won't solve proxyserver-problems with this though. So what about
> the following approach:
>   * a user logs on and you issue a session, as part of the uri
>   * when the user requests another page, you fetch the session
>     from the uri, check it against your database and (let's
>     assume it's correct) you allow access but while issuing
>     a new session

Interesting idea. I assume that you're keeping the session key/ID
in the URL, right? Does it break if someone hits back (and goes
to a page that's full of URLs with an old session ID in them)
and then clicks on one of them?

-Andy




Apache::AuthTicket lookalike for DBM files

2003-04-04 Thread Martin Langhoff
I am looking for a mod_perl implementation of mod_auth_dbm that takes
cookies instead of HTTP-AUTH Basic. Or perl implementation of
mod_auth_cookie, perhaps (I think mod_auth_cookie does exactly that).
I was sure I would find it in CPAN, and, sure enough, AuthTicket and
others are there, offering far more than I was expecting... But I could
not find one that deals with NDBM files. A search for Apache::Auth* is
not returning likely candidates.
Unless there is a DBI/DBD driver that would allow using NDBM files with
AuthTicket? There doesn't seem to be any :(
I am tempted to add NDBM support to AuthTicket but I am 99.9% certain
that there _has_ to be a module providing the functionality I am
thinking of.
Just to clarify, I don't need the 'ticket' mechanism, just cookie-based
auth against DBM files, with the same options that mod_auth_dbm offers.
Oh, and laziness is one of my virtues ;)
cheers,



martin
--



RE: stopping concurrent logins

2003-04-04 Thread Frank Maas
> On Fri, Apr 04, 2003 at 10:13:59PM +0200, Frank Maas wrote:
> > On the latter I totally agree. To avoid the session snatching you
> > describe, you can store IP addresses on your site in the database.
> > You won't solve proxyserver-problems with this though. So what about
> > the following approach:
> >   * a user logs on and you issue a session, as part of the uri
> >   * when the user requests another page, you fetch the session
> >     from the uri, check it against your database and (let's
> >     assume it's correct) you allow access but while issuing
> >     a new session
>
> Interesting idea. I assume that you're keeping the session key/ID
> in the URL, right? Does it break if someone hits back (and goes
> to a page that's full of URLs with an old session ID in them)
> and then clicks on one of them?

Yep. I think that the back-button is out of the question in such a
solution. Of course one could think of yet another scheme that 
makes it possible to use the back-button. But a more simple solution
is to create a back-link on the page.

--Frank
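
The rotate-on-every-request scheme from this thread, together with the back-button case raised in reply, as an added sketch in plain Perl (not code from any poster and not part of Apache::Session). An in-memory hash stands in for the database, `/dev/urandom` is assumed to exist, and the names `issue_session`, `check_and_rotate`, `%SESSIONS` and `%RETIRED` are hypothetical. It goes one step beyond the thread by treating reuse of an already-rotated ID as a sign the URL was copied and ending the session for every holder.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# In-memory stand-ins for the session database (assumption for this sketch).
my %SESSIONS;   # current id     => { user => ..., family => ... }
my %RETIRED;    # rotated-out id => family it belonged to

# Read 16 bytes from the kernel CSPRNG and hex-encode them.
sub new_id {
    open my $fh, '<:raw', '/dev/urandom' or die "no /dev/urandom: $!";
    read($fh, my $buf, 16) == 16 or die "short read from /dev/urandom";
    close $fh;
    return unpack 'H*', $buf;
}

# Login: start a session "family" and hand out its first id.
sub issue_session {
    my ($user) = @_;
    my $id = new_id();
    $SESSIONS{$id} = { user => $user, family => $id };
    return $id;
}

# Every request: validate the id taken from the URI and replace it.
# Returns (user, next_id) on success, an empty list on failure.
sub check_and_rotate {
    my ($id) = @_;
    return unless defined $id;
    if (my $family = $RETIRED{$id}) {
        # An id that was already rotated out came back: the back button
        # or a copied URL. Drop every live id of that login.
        delete $SESSIONS{$_}
            for grep { $SESSIONS{$_}{family} eq $family } keys %SESSIONS;
        return;
    }
    my $s = delete $SESSIONS{$id} or return;   # unknown id
    $RETIRED{$id} = $s->{family};
    my $next = new_id();
    $SESSIONS{$next} = $s;
    return ($s->{user}, $next);
}

# Constructed walk-through: the user logs in, a second party copies the URL.
my $id0 = issue_session('alice');
my ($user, $id1) = check_and_rotate($id0);   # legitimate request
my @copy  = check_and_rotate($id0);          # replay of the copied id
my @owner = check_and_rotate($id1);          # owner's next click
printf "first request: user=%s\n", $user;
printf "replayed id accepted: %s\n", @copy  ? 'yes' : 'no';
printf "owner still logged in: %s\n", @owner ? 'yes' : 'no';
```

Keeping the retired IDs is what makes the back button fail closed here; a store that simply forgot old IDs would reject the stale link but leave the current session alive.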


Convert Cookies--HTTP Request Headers?

2003-04-04 Thread Kruse, Matt
I have a unique need purely for testing purposes. I'm not very familiar (yet) with mod_perl handlers in Apache, so I've had a rough time getting anything going.

Here is my goal:


For every request to Apache:
 1. Parse the cookie coming in via the request header
 2. Pull out each value (ex: NAME=bob;TITLE=boss)
 3. Convert them to HTTP Request Headers
 4. Pass the request on to the requested resource (a script of some sort)


So, if I have a cookie like: NAME=bob;TITLE=boss
My program would then see the following headers in the request:
 HTTP_NAME=bob
 HTTP_TITLE=boss


This will help me simulate a Single-Sign-On situation where the authentication handler passes all authenticated user information to the resource via headers.

Can anyone help me by either:
 1. Giving an outline of what handlers I would want to use, and how I can write request headers with them
or
 2. Writing some sample code :)


NOTES:
 1. I'm running Apache 2.0 and mod_perl 2 right now, but I can bump it down if required
 2. I've already used mod_headers to simulate this, but unfortunately that isn't dynamic enough for testing, ie, I need to change httpd.conf and re-start the server to test different header scenarios.

Thanks!


Matt Kruse
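
The cookie-to-header mapping described in this message, as an added sketch in plain Perl (not code from the thread; the function name `cookies_to_cgi_headers` and the sample cookie string are made up for illustration). It produces the CGI-style `HTTP_*` names from the example and drops names or values that could not safely become a header. Because every value comes from a client-supplied cookie, the result carries no more trust than the cookie itself.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Turn a Cookie request-header value into the CGI-style variables a script
# would see if each cookie had arrived as its own request header:
# NAME=bob becomes HTTP_NAME => 'bob'. Returns a hash ref.
sub cookies_to_cgi_headers {
    my ($cookie_header) = @_;
    my %out;
    return \%out unless defined $cookie_header;
    for my $pair (split /;\s*/, $cookie_header) {
        my ($name, $value) = split /=/, $pair, 2;
        next unless defined $name && defined $value;
        $name =~ s/^\s+|\s+$//g;
        # Header names: a letter, then letters, digits, '-' or '_' only.
        next unless $name =~ /\A[A-Za-z][A-Za-z0-9_-]*\z/;
        # Decode %XX escapes, then refuse control characters so a cookie
        # cannot smuggle CR/LF into a header value.
        $value =~ s/%([0-9A-Fa-f]{2})/chr hex $1/ge;
        next if $value =~ /[\x00-\x1f\x7f]/;
        (my $key = uc $name) =~ tr/-/_/;
        # First occurrence wins, so a duplicate later in the header
        # cannot override an earlier value.
        $out{"HTTP_$key"} = $value unless exists $out{"HTTP_$key"};
    }
    return \%out;
}

# Constructed input: the thread's example plus two pairs that are dropped
# (an escaped CR in the name, and CR/LF in the value).
my $constructed = 'NAME=bob; TITLE=boss; X%0d=1; ROLE=admin%0d%0aX-Evil: 1';
my $vars = cookies_to_cgi_headers($constructed);
print "$_=$vars->{$_}\n" for sort keys %$vars;
```

Inside a mod_perl handler the resulting pairs would be written into the request's `headers_in` table before the content phase; that wiring is left out so the block runs without Apache.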





RE: stopping concurrent logins

2003-04-04 Thread Goehring, Chuck Mr., RCI - San Diego
Robert,

When I was designing the security for a perl/cgi system I spent a lot of time on the 
cookie issue.  I don't have any problem myself with servers putting cookies on my 
machine.  The subject happened to come up with one of the guys that works on the LAN 
at a customer of ours.  He is violently against cookies.  He is a technical person and 
works on computers but has this extreme aversion to people tracking what he is 
doing.  I think it's more of a baseless fear of the unknown myself.

Anyway, upon further investigation into this, some of the docs I read indicated 
cookies aren't all that reliable and will get lost if there are too many of them or 
the data gets too large.  Apparently, the spec allows the browser to toss the data if 
it wants.

So, I ended up using hidden variables.  It is a bit of a chore, but I have never 
encountered an objection from a user or a session getting dropped because the data got 
lost.  It certainly avoids the potential controversy that may come up over cookies.

Chuck

-Original Message-
From: Robert Landrum [mailto:[EMAIL PROTECTED]
Sent: Friday, April 04, 2003 11:53 AM
To: [EMAIL PROTECTED]
Subject: Re: stopping concurrent logins


On Fri, Apr 04, 2003 at 03:34:25PM +0200, Frank Maas wrote:
> You can set a session (see Apache::Session and related modules) that
> can use the uri as session-container as well (eg
> http://www.example.com/9o79876a98d7fa98d7/path/to/doc). The session
> part (9o79876a98d7fa98d7) can be stored in a database.
>
> Success.

Technically, that doesn't solve the problem either.  Since the session
information is in the URL, there is nothing to stop the user from IMing that URL
to their friend, who then has total access, without a cookie, just by using
the current user's session.

I must not fully understand the taboo against using cookies.  It's rare that
an online application, e-commerce related or otherwise, works without cookies.
If you're doing anything more than browsing static data, you'll quickly become
frustrated at the lack of support for non-cookie-enabled browsers.

Anytime web based authentication is used, people are going to need cookies.
Maintaining state and security within a stateless medium is almost impossible
without cookies, in my experience.

I've heard of, but never seen, authentication using java or flash that
maintains a persistent connection in the background using sockets to the
web server.  This basically registers the user's IP address with the
system, and all users with that IP are considered authenticated.  I'm sure more
complicated solutions exist.

Sorry I don't have a solution to your problem.  But perhaps the problem is
the requirement to not use cookies...  :)

Good luck,

Rob

 
> --Frank

-- 
Robert Landrum
Systems Programmer


AuthDBI fix for MSWin32

2003-04-04 Thread Reini Urban
I'm tired of disabling IPC::SysV in AuthDBI.pm for every update.
Please check some fix like this in.
no strict in the child handlers cannot be evaluated at run-time but is 
needed for Win32. Better ways?

Tested with Randy Kobes' mod_perl binary for Win32.
Active Perl 633,  v5.6.1 built for MSWin32-x86-multi-thread
PS: I'm not subscribed to this list.
--
Reini Urban
http://xarch.tu-graz.ac.at/home/rurban/
--- Apache-DBI-0.91/Changes~2003-02-17 14:02:27.0 +0100
+++ Apache-DBI-0.91/Changes 2003-04-02 11:16:24.0 +0200
@@ -1,5 +1,8 @@
 Revision history for ApacheDBI.
 
+0.91_01 April 2, 2003
+   - MSWin32 fix: disable IPC::SysV
+
 0.91February 17, 2003
 - Retagged and released the 0.90_02 beta as 0.91. No code
   changes.
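
Review bot: the new 0.91_01 entry records only "MSWin32 fix: disable IPC::SysV", but the same patch also adds `no strict;` to childinit and childexit in AuthDBI.pm, and that change is not limited to Windows. Either mention the relaxed strictures in this entry or replace them with a Win32-only guard so the Changes line describes everything the release does.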
--- Apache-DBI-0.91/AuthDBI.pm~ 2003-02-17 14:00:12.0 +0100
+++ Apache-DBI-0.91/AuthDBI.pm  2003-04-02 11:15:12.0 +0200
@@ -3,7 +3,10 @@
 use Apache ();
 use Apache::Constants qw( OK AUTH_REQUIRED FORBIDDEN DECLINED SERVER_ERROR );
 use DBI ();
-use IPC::SysV qw( IPC_CREAT IPC_RMID S_IRUSR S_IWUSR );
+if ($^O ne 'MSWin32') {
+  require IPC::SysV;
+  import IPC::SysV qw( IPC_CREAT IPC_RMID S_IRUSR S_IWUSR );
+}
 use strict;
 
 # $Id: AuthDBI.pm,v 1.3 2003/02/17 13:00:12 ask Exp $
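
Review bot: the added `if ($^O ne 'MSWin32') { require IPC::SysV; import ... }` block runs at run time, after the rest of AuthDBI.pm has been compiled, whereas the `use IPC::SysV` line it replaces ran at compile time. The four constants are therefore not yet defined when the subs further down are compiled, on any platform, which is why `no strict` becomes necessary later in the patch. Wrapping the block in `BEGIN { ... }` keeps the compile-time import on non-Windows systems, and `IPC::SysV->import(qw( IPC_CREAT IPC_RMID S_IRUSR S_IWUSR ))` avoids the indirect-object form of `import`.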
@@ -644,6 +647,7 @@
 # Note: this handler runs in every child server, but not in the main server.
 
 sub childinit {
+no strict; # for $^O eq 'MSWin32' only
 my $prefix = $$ Apache::AuthDBI PerlChildInitHandler;
 # create (or re-use existing) semaphore set
 $SEMID = semget($SHMKEY, 1, IPC_CREAT|S_IRUSR|S_IWUSR);
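
Review bot: `no strict;` at the top of childinit is lexically scoped and unconditional, so despite its comment it switches off all three strictures (vars, refs, subs) for the whole sub on every platform, not only on MSWin32. Where the constants have not been imported at compile time, `IPC_CREAT|S_IRUSR|S_IWUSR` in the `semget` call is then compiled as a bitwise OR of bareword strings instead of the numeric flags, with no compile-time error to flag it. Suggest leaving strict on and returning early from childinit when `$^O eq 'MSWin32'`, or at most using `no strict 'subs'` around the one statement that needs it.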
@@ -685,6 +689,7 @@
 # Note: this handler runs in every child server, but not in the main server.
 
 sub childexit {
+no strict; # for $^O eq 'MSWin32' only
 my $prefix = $$ Apache::AuthDBI PerlChildExitHandler;
 # read Cache from shared memory, decrement child count and exit or write Cache to 
shared memory
 semop($SEMID, $obtain_lock) or print STDERR $prefix semop failed \n;
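
Review bot: in childexit the added `no strict;` only lets the sub compile; the `semop($SEMID, $obtain_lock)` call and the shared-memory cache handling described in the comment above it still execute on MSWin32, where the patch has chosen not to load IPC::SysV. An explicit platform check at the top of the sub that skips the semaphore and shared-memory code would make the Win32 behaviour intentional and visible, and the pragma could then be dropped.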


Apache::ASP Configuration

2003-04-04 Thread Quan Mac



Hi, I just installed mod_perl and Apache::ASP on my computer and I was
wondering if you could tell me how to configure my Apache httpd.conf
file to make ASP pages work. I tried adding in the lines from the
website for configuration and then I restarted Apache. All I get is the
html, but none of my ASP is working and I'm just trying to get it to
print out a message. Your help would be greatly appreciated.


BUG [in docs] mailing list subscription does not actually indicate list post address

2003-04-04 Thread Matthew Wickline
http://perl.apache.org/maillist/email-etiquette.html
> Posting to the list is just sending a message to the
> address which you will be given after you subscribe.

The above should either be updated, or the welcome message should be 
updated. I've just subscribed to the digest version, and the welcome 
message didn't actually indicate the list post address. Assuming the 
usual conventions apply, I assume I'm sending to the correct address.

Someone new to mailing lists might not be able to guess correctly.

-matt
(who is soon unsubscribing. Thanks for your time :)


Re: Apache::ASP Configuration

2003-04-04 Thread Josh Chamas
Quan Mac wrote:
> Hi, I just installed mod_perl and Apache::ASP on my computer and I was
> wondering if you could tell me how to configure my Apache httpd.conf
> file to make ASP pages work. I tried adding in the lines from the
> website for configuration and then I restarted Apache. All I get is the
> html, but none of my ASP is working and I'm just trying to get it to
> print out a message. Your help would be greatly appreciated.

Please see:

  http://www.apache-asp.org/install.html#Quick%20Start

For more questions about Apache::ASP, please get on the mailing list
at [EMAIL PROTECTED]
Regards,

Josh

Josh Chamas, Founder   phone:925-552-0128
Chamas Enterprises Inc.    http://www.chamas.com
NodeWorks Link Checking    http://www.nodeworks.com


[mp2] Content-Type not being set as expected

2003-04-04 Thread Goehring, Chuck Mr., RCI - San Diego
mp2 Guys,

I am getting xml (seemingly) instead of html 3.2 out of 
Apache2/ModPerl::Registry/CGI.pm. I'm setting content type in my code like this:
  use CGI qw/:standard :html3/;
  ...
  print header(-type=>'text/html');

Has some default changed or a switch I need to set.  Netscape 7.02 is barfing on this
style of code.  MSIE 5.5 and NN 4.79 work fine with it.

I'm getting this:
<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US">

I'm expecting this:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
<HTML><HEAD>
...
Conf file:
  <Location /perl>
     SetHandler perl-script
     PerlResponseHandler ModPerl::Registry
     Options +ExecCGI
     PerlOptions +ParseHeaders
  </Location>


Thanks in advance
Chuck


Re: Convert Cookies--HTTP Request Headers?

2003-04-04 Thread Brian Reichert
On Fri, Apr 04, 2003 at 04:10:03PM -0500, Kruse, Matt wrote:
> I have a unique need purely for testing purposes. I'm not very familiar
> (yet) with mod_perl handlers in Apache, so I've had a rough time getting
> anything going.
> Here is my goal:
>
> For every request to Apache:
>   1. Parse the cookie coming in via the request header
>   2. Pull out each value (ex: NAME=bob;TITLE=boss)
>   3. Convert them to HTTP Request Headers

Ok, I'm confused: the cookies are already in the request header,
and you want to 'convert' them into a request header?

>   4. Pass the request on to the requested resource (a script of some sort)
>
> So, if I have a cookie like: NAME=bob;TITLE=boss
> My program would then see the following headers in the request:
>   HTTP_NAME=bob
>   HTTP_TITLE=boss

If you're using an Apache handler, see Apache::Cookie for unpeeling
cookies.

If you're running a classic CGI program, see CGI::Cookie for unpeeling
cookies.

> This will help me simulate a Single-Sign-On situation where the
> authentication handler passes all authenticated user information to the
> resource via headers.

When you say 'HTTP request headers', did you really mean to say 'CGI
parameters', as the CGI module uses the term?

> Thanks!
>
> Matt Kruse

-- 
Brian 'you Bastard' Reichert    [EMAIL PROTECTED]
37 Crystal Ave. #303            Daytime number: (603) 434-6842
Derry NH 03038-1713 USA         BSD admin/developer at large