[RFC] Apache::SessionManager

2002-08-02 Thread Enrico Sorcinelli 

Hi all,

I would like to propose a new Apache module before I send it off to
CPAN. The namespace I've chosen is Apache::SessionManager.

This module is a an Apache/mod_perl module and use Apache::Session to 
track user's sessions over HTTP request.
Simply Apache::SessionManager help me with session management.

Apache::SessionManager creates an object session (in Header parsing phase, 
but not obligatorily) and make it available to all other handlers 
transparently by putting in pnotes. Others handlers can retrieve session
directly from pnotes or by calling the simple function 
Apache::SessionManager::get_session($r)

After some search on CPAN I haven't found a mod_perl module that does 
the same thing (right?). 
The module is work in progress, of course, even if already I use it.

Some sample code in a mod_perl handler:

sub handler {
   # get session
   my $session = Apache::SessionManager::get_session($sr)
   
   # set a session value
   $$session{'key'} = $value;

   #read value session
   print "$$session{'key'}";

   # destroy a session
   Apache::SessionManager::destroy_session($sr)

   ...
}

For module installation, configuration and directives see:

perldoc Apache::SessionManager 

(also I've attached the pod below).

The module can be downloaded from here:

http://www.sestante.net/Apache-SessionManager-0.01.tar.gz
or
http://www.sorcinelli.it/Apache-SessionManager-0.01.tar.gz

Feel free to do whatever you want with the code... Comment and/or criticism
are welcome! I'll post to CPAN if anyone thinks it's worth it. 
Also suggestions about the namespace are welcome.

Thanks in advance,

- Enrico

--

NAME
Apache::SessionManager - simple mod_perl extension to manage sessions
over HTTP requests

SYNOPSIS
In httpd.conf:

   PerlModule Apache::SessionManager
   PerlHeaderParserHandler Apache::SessionManager
  
   
  SetHandler perl-script
  PerlHandler MyModule

  PerlSetVar SessionTracking On
  PerlSetVar SessionExpire 60
  PerlSetVar SessionName PERLSESSIONID
  PerlSetVar SessionDirectory "/tmp/apache_session_data"
  PerlSetVar SessionLockDirectory "/tmp/apache_session_data/lock"
 

   
  PerlSetVar SessionTracking Off
   

DESCRIPTION
Apache::SessionManager is a mod_perl module that help with session
management. This simple module create an object session and make it to
all other hadler by putting in pnotes. In a mod_perl handler you can
retrieve the session object directly from pnotes with predefined key
'SESSION_HANDLE':

   my $session = $r->pnotes('SESSION_HANDLE') ? $r->pnotes('SESSION_HANDLE')
: ();

In a CGI Apache::Registry script:

   my $r = Apache->request;
   my $session = $r->pnotes('SESSION_HANDLE') ? $r->pnotes('SESSION_HANDLE')
: (); 

then is possible to set a value in current session with:

   $$session{'key'} = $value;

or read value session with:

   print "$$session{'key'}";

The following functions also are provided (but not yet exported) by this
module:

Apache::SessionManager::get_session($sr)
Return an hash reference to current session object

Apache::SessionManager::destroy_session($sr)
Destroy the current session object

INSTALLATION
In order to install and use this package you will need Perl version
5.005 or better.

Prerequisites:

Apache::Request >= 0.33 (libapreq) is required 
Apache::Session >= 0.53 is required

Installation as usual:

   % perl Makefile.PL
   % make
   % make test
   % su
 Password: ***
   % make install
  
CONFIGURATION
To enable session tracking with this module you should modify a
configuration in httpd.conf by adding the following lines:

   PerlModule Apache::SessionManager
   PerlHeaderParserHandler Apache::SessionManager
   PerlSetVar SessionTracking On

This will activate the session manager over each request. Is posibible
to activate this module by location or directory:

   
  PerlHeaderParserHandler Apache::SessionManager
  PerlSetVar SessionTracking On
   

Also, is possible to deactivate session management per directory or per
location explicitly:

   
  PerlSetVar SessionTracking Off
   

DIRECTIVES
You can control the behavior of this module by configuring the following
variable with `PerlSetVar' directive in the httpd.conf.

`SessionTracking' On|Off
This single directive enable session tracking

   PerlSetVar SessionTracking On

The default value is `Off'

`SessionExpire' number
This single directive define global sessions expiration time.

   PerlSetVar SessionExpire 600

The default value is `900' seconds

`SessionName' string
This single directive define se

Re: [RFC] Apache::SessionManager

2002-08-02 Thread Matt Sergeant 


On Friday, August 2, 2002, at 05:40 PM, Enrico Sorcinelli wrote:

> The only way that I know to have a session framework is to use mod_perl
> application server like AxKit, HTML::Mason or Apache::ASP ...
>
Actually the AxKit one doesn't require AxKit - but it ships with an XSP 
taglib to access the values easily, that's all.

Matt.

Re: [RFC] Apache::SessionManager

2002-08-02 Thread Perrin Harkins 

Enrico Sorcinelli wrote:
>>Incidentally there is also 
>>a session manager module very similar to this in the Extropia modules.
> 
> 
> Sincerely, I don't know Extropia modules!

You can find some documentation on them here:
http://www.extropia.com/support/docs/adt/customization.html#Session_and_Session_Manager_Conf

They're not on CPAN, so I'm not surprised you didn't see them.

- Perrin

Re: [RFC] Apache::SessionManager

2002-08-02 Thread Enrico Sorcinelli 

On Fri, 02 Aug 2002 13:12:30 -0400
Perrin Harkins <[EMAIL PROTECTED]> wrote:

> Right, that's my point.  Your module has overlap with them in terms of 
> managing cookies and specifying locations, but adds the actual calls to 
> Apache::Session.  If I were doing something like this, I would probably 
> start with one of the Auth modules, which already do a good job of 
> handling things like cookie verification and even cookie-less sessions, 
> and add the actual Apache::Session glue.

The merge code solution is a possible solution that I'll consider 

> It might at least be worth stealing some code from the other modules, 
> like the ticket-based cookies idea, but of course you can do what you 
> like.  I think it's good to have a module like this, and if you put 
> yours out there people can contribute to it. 

Thanks, I'll do it as soon as possible...

> Incidentally there is also 
> a session manager module very similar to this in the Extropia modules.

Sincerely, I don't know Extropia modules!

> 
> > I've written Apache::SessionManager to be used _also_ in a mod_perl handlers
> > 
> > or in a CGI script over Registry.
> 
> The Apache::Auth modules also support that.

The Apache::Auth* family support authentication with cookies but there aren't
methods to store persistent data over HTTP requests (other than session key)

Apache::SessionManager only manage sessions and actually you can write
a custom PerlAuthenHandler to autohorize user accesses to certain resources

Bye

- Enrico 




=
Enrico Sorcinelli - Gruppo E-Comm 
Italia On Line S.p.a.
E-Mail: [EMAIL PROTECTED]

Re: [RFC] Apache::SessionManager

2002-08-02 Thread Perrin Harkins 

Enrico Sorcinelli wrote:
>>Some of the Apache::Auth* modules like Apache::AuthCookieURL are close, 
>>but I don't know of any that do the actual glue with Apache::Session. 
>>You might want to look at some of the existing modules and see if a 
>>merge of some kind is possible.
> 
> This modules haven't glue with Apache::Session

Right, that's my point.  Your module has overlap with them in terms of 
managing cookies and specifying locations, but adds the actual calls to 
Apache::Session.  If I were doing something like this, I would probably 
start with one of the Auth modules, which already do a good job of 
handling things like cookie verification and even cookie-less sessions, 
and add the actual Apache::Session glue.

It might at least be worth stealing some code from the other modules, 
like the ticket-based cookies idea, but of course you can do what you 
like.  I think it's good to have a module like this, and if you put 
yours out there people can contribute to it.  Incidentally there is also 
a session manager module very similar to this in the Extropia modules.

> I've written Apache::SessionManager to be used _also_ in a mod_perl handlers 
> or in a CGI script over Registry.

The Apache::Auth modules also support that.

- Perrin

Re: [RFC] Apache::SessionManager

2002-08-02 Thread Enrico Sorcinelli 

On Fri, 2 Aug 2002 16:31:04 +0100 (BST)
Matt Sergeant <[EMAIL PROTECTED]> wrote:

> There's the AxKit one, which does something pretty similar -
> AxKit::XSP::Session I think it's called.

It seems to be two modules that manage sessions over AxKit:

Apache::AxKit::Plugin::Session (flexible session management for AxKit)

and 

AxKit::XSP::Session

but both requires AxKit framework (and Apache::Session, of course)

The main reason for which I've written Apache::SessionManager is that 
only mod_perl is required (and Apache::Session, ;-))

I consider AxKit a powerful appserver (that I've used in the past)
but for some applications I only had need of simple mod_perl handlers

Thanks 

 - Enrico

=
Enrico Sorcinelli - Gruppo E-Comm 
Italia On Line S.p.a.
E-Mail: [EMAIL PROTECTED]

Re: [RFC] Apache::SessionManager

2002-08-02 Thread Enrico Sorcinelli 

On Fri, 02 Aug 2002 11:33:15 -0400
Perrin Harkins <[EMAIL PROTECTED]> wrote:

> Enrico Sorcinelli wrote:
> > Apache::SessionManager creates an object session (in Header parsing phase, 
> > but not obligatorily) and make it available to all other handlers 
> > transparently by putting in pnotes. Others handlers can retrieve session
> > directly from pnotes or by calling the simple function 
> > Apache::SessionManager::get_session($r)
> 
> It would be better if you don't instantiate the session until someone 
> asks for it the first time.  
>That will prevent unnecessary work.  Also, 
> when using Apache::Session with any locking module except NullLocker, 
> it's very important to have the session object exist for the shortest 
> possible time because it is locking out all other access to that session 
> while it exists.  (For this reason, it's also very important to make 
> sure that requests for images and other static objects don't instantiate 
> Apache::Session objects.)
> 

With Apache::SessionManager you can use tree distinct mechanism to prevent
this:
1) By activating the module only certain Location or Directory block:


PerlHeaderParserHandler Apache::SessionManager
PerlSetVar SessionTracking On


2) By setting 'SessionItemExclude' directive to bypass all request
   matching the regexp. For example with:
 
PerlSetVar SessionItemExclude "\.m.*$"

   all the request (URI) ending by ".mpeg", ".mpg" or ".mp3" will
   be declined (no session object are created)

3) By de-activating the module in Location or Directory block:


PerlSetVar SessionTracking Off



> Some of the Apache::Auth* modules like Apache::AuthCookieURL are close, 
> but I don't know of any that do the actual glue with Apache::Session. 
> You might want to look at some of the existing modules and see if a 
> merge of some kind is possible.
> 

This modules haven't glue with Apache::Session

The only way that I know to have a session framework is to use mod_perl 
application server like AxKit, HTML::Mason or Apache::ASP ...

I've written Apache::SessionManager to be used _also_ in a mod_perl handlers 
or in a CGI script over Registry.

Thanks for your interest

- Enrico





=
Enrico Sorcinelli - Gruppo E-Comm 
Italia On Line S.p.a.
Via Malagoli, 12 - 56124 Pisa
Tel. +39 050 944303
E-Mail: [EMAIL PROTECTED]

Re: [RFC] Apache::SessionManager

2002-08-02 Thread Enrico Sorcinelli 

On Fri, 02 Aug 2002 23:56:18 +0900
Tatsuhiko Miyagawa <[EMAIL PROTECTED]> wrote:

> Apache::SessionManager has once been discussed here.
> AFAIK it's not on CPAN though ..
> http://mathforum.org/epigone/modperl/clarcloigol
> 

Hi Tatsuhiko,
I'am in modperl list from beginnig of 2001.
The thread you've linked me is out of date (October 2000!).

Moreover in CPAN there is no module with the same name.
Simply I've not found it and I've chose this name!

Yes, there is a conflictual namespacing but the two modules make _two_
different things!

- Apache::SessionManager that I propose is a wrapper around the 
  Apache::Session persistence framework for session data.
  My module use pnotes()to pass arbitrarly data across handlers
  and has a expiration session mechanism.
  I make this for transparent session management while write my modules
  using Apache::Session.

- After some search I've found the other (I think) module on sourceforge but 
  last update is out of date (2000-10-29 16:00)!
  After some analisys I've seen that the other module hasn't support
  for persistence data and has own ID generation algorythm. There is no
  glue with Apache::Session.
  This store only session value into notes().

Bye

- Enrico



=
Enrico Sorcinelli - Gruppo E-Comm 
Italia On Line S.p.a.
Via Malagoli, 12 - 56124 Pisa
Tel. +39 050 944303
E-Mail: [EMAIL PROTECTED]

Re: [RFC] Apache::SessionManager

2002-08-02 Thread Perrin Harkins 

Enrico Sorcinelli wrote:
> Apache::SessionManager creates an object session (in Header parsing phase, 
> but not obligatorily) and make it available to all other handlers 
> transparently by putting in pnotes. Others handlers can retrieve session
> directly from pnotes or by calling the simple function 
> Apache::SessionManager::get_session($r)

It would be better if you don't instantiate the session until someone 
asks for it the first time.  That will prevent unnecessary work.  Also, 
when using Apache::Session with any locking module except NullLocker, 
it's very important to have the session object exist for the shortest 
possible time because it is locking out all other access to that session 
while it exists.  (For this reason, it's also very important to make 
sure that requests for images and other static objects don't instantiate 
Apache::Session objects.)

> After some search on CPAN I haven't found a mod_perl module that does 
> the same thing (right?).

Some of the Apache::Auth* modules like Apache::AuthCookieURL are close, 
but I don't know of any that do the actual glue with Apache::Session. 
You might want to look at some of the existing modules and see if a 
merge of some kind is possible.

- Perrin

Re: [RFC] Apache::SessionManager

2002-08-02 Thread Matt Sergeant 

There's the AxKit one, which does something pretty similar -
AxKit::XSP::Session I think it's called.

On Fri, 2 Aug 2002, Enrico Sorcinelli wrote:

> Hi all,
>
> I would like to propose a new Apache module before I send it off to
> CPAN. The namespace I've chosen is Apache::SessionManager.
>
> This module is a an Apache/mod_perl module and use Apache::Session to
> track user's sessions over HTTP request.
> Simply Apache::SessionManager help me with session management.
>
> Apache::SessionManager creates an object session (in Header parsing phase,
> but not obligatorily) and make it available to all other handlers
> transparently by putting in pnotes. Others handlers can retrieve session
> directly from pnotes or by calling the simple function
> Apache::SessionManager::get_session($r)
>
> After some search on CPAN I haven't found a mod_perl module that does
> the same thing (right?).
> The module is work in progress, of course, even if already I use it.

-- 

<:->Get a smart net

Re: [RFC] Apache::SessionManager

2002-08-02 Thread Tatsuhiko Miyagawa 

Apache::SessionManager has once been discussed here.
AFAIK it's not on CPAN though ..
http://mathforum.org/epigone/modperl/clarcloigol

At Fri, 2 Aug 2002 16:59:43 +0200,
Enrico Sorcinelli wrote:
> 
> After some search on CPAN I haven't found a mod_perl module that does 
> the same thing (right?). 
> The module is work in progress, of course, even if already I use it.

-- 
Tatsuhiko Miyagawa <[EMAIL PROTECTED]>

[RFC] Apache::SessionManager

2002-08-02 Thread Enrico Sorcinelli 

Hi all,

I would like to propose a new Apache module before I send it off to
CPAN. The namespace I've chosen is Apache::SessionManager.

This module is a an Apache/mod_perl module and use Apache::Session to 
track user's sessions over HTTP request.
Simply Apache::SessionManager help me with session management.

Apache::SessionManager creates an object session (in Header parsing phase, 
but not obligatorily) and make it available to all other handlers 
transparently by putting in pnotes. Others handlers can retrieve session
directly from pnotes or by calling the simple function 
Apache::SessionManager::get_session($r)

After some search on CPAN I haven't found a mod_perl module that does 
the same thing (right?). 
The module is work in progress, of course, even if already I use it.

Some sample code in a mod_perl handler:

sub handler {
   # get session
   my $session = Apache::SessionManager::get_session($sr)
   
   # set a session value
   $$session{'key'} = $value;

   #read value session
   print "$$session{'key'}";

   # destroy a session
   Apache::SessionManager::destroy_session($sr)

   ...
}

For module installation, configuration and directives see:

perldoc Apache::SessionManager 

(also I've attached the pod below).

The module can be downloaded from here:

http://www.sestante.net/Apache-SessionManager-0.01.tar.gz
or
http://www.sorcinelli.it/Apache-SessionManager-0.01.tar.gz

Feel free to do whatever you want with the code... Comment and/or criticism
are welcome! I'll post to CPAN if anyone thinks it's worth it. 
Also suggestions about the namespace are welcome.

Thanks in advance,

- Enrico

--

NAME
Apache::SessionManager - simple mod_perl extension to manage sessions
over HTTP requests

SYNOPSIS
In httpd.conf:

   PerlModule Apache::SessionManager
   PerlHeaderParserHandler Apache::SessionManager
  
   
  SetHandler perl-script
  PerlHandler MyModule

  PerlSetVar SessionTracking On
  PerlSetVar SessionExpire 60
  PerlSetVar SessionName PERLSESSIONID
  PerlSetVar SessionDirectory "/tmp/apache_session_data"
  PerlSetVar SessionLockDirectory "/tmp/apache_session_data/lock"
 

   
  PerlSetVar SessionTracking Off
   

DESCRIPTION
Apache::SessionManager is a mod_perl module that help with session
management. This simple module create an object session and make it to
all other hadler by putting in pnotes. In a mod_perl handler you can
retrieve the session object directly from pnotes with predefined key
'SESSION_HANDLE':

   my $session = $r->pnotes('SESSION_HANDLE') ? $r->pnotes('SESSION_HANDLE')
: ();

In a CGI Apache::Registry script:

   my $r = Apache->request;
   my $session = $r->pnotes('SESSION_HANDLE') ? $r->pnotes('SESSION_HANDLE')
: (); 

then is possible to set a value in current session with:

   $$session{'key'} = $value;

or read value session with:

   print "$$session{'key'}";

The following functions also are provided (but not yet exported) by this
module:

Apache::SessionManager::get_session($sr)
Return an hash reference to current session object

Apache::SessionManager::destroy_session($sr)
Destroy the current session object

INSTALLATION
In order to install and use this package you will need Perl version
5.005 or better.

Prerequisites:

Apache::Request >= 0.33 (libapreq) is required 
Apache::Session >= 0.53 is required

Installation as usual:

   % perl Makefile.PL
   % make
   % make test
   % su
 Password: ***
   % make install
  
CONFIGURATION
To enable session tracking with this module you should modify a
configuration in httpd.conf by adding the following lines:

   PerlModule Apache::SessionManager
   PerlHeaderParserHandler Apache::SessionManager
   PerlSetVar SessionTracking On

This will activate the session manager over each request. Is posibible
to activate this module by location or directory:

   
  PerlHeaderParserHandler Apache::SessionManager
  PerlSetVar SessionTracking On
   

Also, is possible to deactivate session management per directory or per
location explicitly:

   
  PerlSetVar SessionTracking Off
   

DIRECTIVES
You can control the behavior of this module by configuring the following
variable with `PerlSetVar' directive in the httpd.conf.

`SessionTracking' On|Off
This single directive enable session tracking

   PerlSetVar SessionTracking On

The default value is `Off'

`SessionExpire' number
This single directive define global sessions expiration time.

   PerlSetVar SessionExpire 600

The default value is `900' seconds

`SessionName' string
This single directive define se