Changing browser URL based on condition

2011-07-11 Thread Jerry Pereira
Hi All,

I would like to know if there is a way to change the URL displayed on
browser without using Redirect option. The URL visible on client browser
must be based on some condition that is evaluated in my mod_perl handler.

For example -

1. User types the URL - www.example.com, this will display the login page.
2. Once the user enters the credentials and hits submit, the request is
posted to www.example.com/login action.
3. If the credentials entered by the user are valid then I would like to show
the home page..uri
4. I am able to show the home page, but the URL does not change to
www.example.com/home, instead it remains the same (i.e.
www.example.com/login). I am using Template toolkit to render my pages. I
tried $req->url('/home'), but that does not change the browser URI.

Any help will be appreciated.


Thanks,
Jerry


Re: Changing browser URL based on condition

2011-07-11 Thread Ronald J Kimball
On Mon, Jul 11, 2011 at 11:48:09AM -0700, Jerry Pereira wrote:

> I would like to know if there is a way to change the URL displayed on
> browser without using Redirect option. The URL visible on client browser
> must be based on some condition that is evaluated in my mod_perl handler.

Imagine if a web page could cause the browser to display any URL it wanted,
rather than the URL of the page the user is actually viewing...  That would
be a huge security hole for spoofing of web sites!

So, why don't you want to do a redirect, exactly?

Ronald


RE: Changing browser URL based on condition

2011-07-11 Thread Szekeres, Edward
If you are looking to do this for "cosmetic reasons", I do this by simply using 
frame sets and doing redirects in the child frame.  The URL displayed in the 
location bar will always be constant for the parent frame.  I don't think there 
is any way to do this at the core level or it would be a spoofer's windfall.   
The browser will always have the actual location in the info panel.



Re: Changing browser URL based on condition

2011-07-11 Thread Octavian Rasnita
From: "Jerry Pereira" 
> Hi All,
> 
> I would like to know if there is a way to change the URL displayed on
> browser without using Redirect option. 

Nope, not possible.

You need to do that redirection somehow.

What the user sees in the address bar is the URL accessed by the browser. If 
the browser is not told to access a certain URL, how can that URL appear in the 
address bar?

Why don't you want to do that redirection?

It is pretty common (and recommended) to do a redirect after POST because in 
that case the users won't need to meet that ugly warning window that appears if 
the user does a page refresh after the POST.

Octavian



Re: Changing browser URL based on condition

2011-07-11 Thread Jerry Pereira
Hi Edward,

I have the following design:

A single PerlResponseHandler for all requests. This handler based on the
path decides the action to be taken.

For example, if the user submits to www.example.com/login, then the handler
delegates the request to authentication module, which will then either
display the home page (through home page template) or login page again, based
on the success/failure of authentication mechanism. Since I am rendering the
page via template, I am able to generate the content of home page which I
then send back to the client, but the URL on the browser remains the same
(i.e. www.example.com/login), which is not true. Any suggestions to handle
this scenario will be great.

Thanks,
Jerry




-- 
Your clothes may be the latest in style but you aint completely dressed
until you wear a smile!
Keep smiling : )


Re: Changing browser URL based on condition

2011-07-11 Thread Michael Peters

On 07/11/2011 03:14 PM, Jerry Pereira wrote:

> Any suggestions to handle this scenario will be great.


As others have noted, there isn't a way to do this. If it's a 
requirement of your application then the only way to handle it is to do 
redirection. And as others have pointed out it's a good idea to do a 
redirect after a POST anyway since it prevents other problems.


--
Michael Peters
Plus Three, LP


Re: Changing browser URL based on condition

2011-07-11 Thread Douglas Sims
Much better to go with a more RESTful approach - the URL is the identifier
for the page and you don't want that identifier to represent the wrong page,
e.g. if example.com/login sometimes returns the home page and sometimes
returns some other page (assuming you can login from and return to multiple
pages.)

Make it so that your home page (or any page) has a login form (or link
which expands to a login form) which POSTs to the login page (or to think of
it in a RESTful way, PUT to a "sessions" URL, thus defining the idea of
"create a new session" - except that browser forms have problems with PUT).
Then from the login page do a redirect to whatever was the referer.





Re: Changing browser URL based on condition

2011-07-11 Thread Octavian Rasnita
From: "Jerry Pereira" 

> Hi Edward,
>
> I have the following design:
>
> A single PerlResponseHandler for all requests. This handler based on the
> path decides the action to be taken.
>
> For example, if the user submits to www.example.com/login, then the handler
> delegates the request to authentication module, which will then either
> display the home page (through home page template) or login page again, based
> on the success/failure of authentication mechanism.



Instead of displaying those pages, why can't the authentication module do a 
redirect to the handler that displays the wanted page?


Octavian



Re: Changing browser URL based on condition

2011-07-11 Thread MK
On Mon, 11 Jul 2011 11:48:09 -0700
Jerry Pereira  wrote:
> 1. User types the URL - www.example.com, this will display the login
> page.
> 2. Once the user enters the credentials and hits submit, the request
> is posted to www.example.com/login action.
> 3. If the credentials entered by the user are valid then I would like
> to show the home page..uri
> 4. I am able to show the home page, but the URL does not change to
> www.example.com/home, instead it remains the same (i.e.
> www.example.com/login). 

One important reason to do something like that is because you do not
want the user to bookmark or otherwise pass on an url with completely
ambiguous content -- /login should refer to the login page, /home should
refer to the home page, they are two different things.  Having /login
refer to both is no good. So I think your desire is justified.

IMO, this is best handled client-side: you return your login data via
an AJAX call.  If the login succeeds, the client loads /home.  If the
login has failed, the client displays a message to that effect.   You
need to prevent spoofed access to /home, but of course you have to do
that anyway (via cookies or whatever method you are already using).

-- 
"Enthusiasm is not the enemy of the intellect." (said of Irving Howe)
"The angel of history[...]is turned toward the past." (Walter Benjamin)



Re: Changing browser URL based on condition

2011-07-11 Thread Brad Van Sickle


Agree with the consensus.  The URI should be descriptive of the 
function, so any requests to /login should be from users who are 
attempting to... login.  The home page should be housed under a separate 
URL (/home for example)


After the user has authenticated, the login module should redirect to 
the /home URI.  Any links to the home page from within the application 
should likewise refer to /home.   You should have security in place to 
redirect any unauthenticated users to /login before requests for /home 
(or any other part of your application) are processed.


If you for some reason simply MUST keep referring people to /login when 
they are expecting to see the home page, put code in your login module 
to check for authenticated users and redirect them to /home before 
displaying the login page.  If the user doesn't have a session, then go 
ahead and display the login form.





RE: Changing browser URL based on condition

2011-07-11 Thread Szekeres, Edward
It seems to be just an attempt to do what is already done in 
Apache2::AuthCookie (CPAN), which encapsulates a server side authentication.





Re: Changing browser URL based on condition

2011-07-11 Thread André Warnier

Szekeres, Edward wrote:

> It seems to be just an attempt to do what is already done in 
> Apache2::AuthCookie (CPAN), which encapsulates a server side authentication.



+1
Exactly.
And I would add that before you start trying to implement your own authentication logic, 
you should really think twice.  HTTP authentication is a lot more messy than what you 
would at first think, and you should first have a look at some existing CPAN modules like 
the one mentioned above, and browse the code to understand what they are doing and why. Or 
just use them, they work.



Just one aspect : if the URL from which the browser "thinks" the current page is coming, 
is not the one from which the page is really coming, then it also means that any 
/relative/ link inside your pages is not going to work as you expect it to.


Re: Changing browser URL based on condition

2011-07-11 Thread Jerry Pereira
Thanks Guys!!! I will go ahead with Redirect approach. I was more interested
in building a generic framework for my application that would handle such
scenarios (login was just one of them).



-- 
Your clothes may be the latest in style but you aint completely dressed
until you wear a smile!
Keep smiling : )


RE: Changing browser URL based on condition

2011-07-11 Thread James B. Muir
I think you need to do a redirect. From within your mod_perl handler try 
something like this:

$r->content_type("text/plain");

$r->headers_out->set(Location=>$url);

return Apache2::Const::HTTP_TEMPORARY_REDIRECT;




Re: Changing browser URL based on condition

2011-07-11 Thread Octavian Rasnita
From: Jerry Pereira 

> Thanks Guys!!! I will go ahead with Redirect approach. I was more interested
> in building a generic framework for my application that would handle such
> scenarios (login was just one of them).

Then, as somebody suggested, start using Catalyst framework. It will handle
the authentication/authorization very easily, and you will be able to continue to
use your app with mod_perl if you want that.
And of course, you will have many other good features in it.

  Octavian
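
The redirect-after-POST approach the thread settles on, sketched as a mod_perl 2 response handler; this is an added example, not code from any poster. It returns 303 See Other rather than 307, because a 307 makes the browser repeat the POST at the new URL, and it checks the Referer before redirecting to it. `My::Dispatch`, `My::Auth::login`, `My::Auth::load_session`, the `session_id` cookie, the form field names and the template names and path are assumptions.

```perl
package My::Dispatch;    # hypothetical handler package
# Assumed httpd.conf:  <Location />  SetHandler modperl
#                      PerlResponseHandler My::Dispatch  </Location>
use strict;
use warnings;

use Apache2::RequestRec ();
use Apache2::RequestIO  ();
use Apache2::URI        ();    # provides $r->construct_url
use Apache2::Request    ();    # libapreq2 (assumed installed) parses the POST body
use APR::Table          ();
use Template            ();
use My::Auth            ();    # hypothetical app module: login(), load_session()
use Apache2::Const -compile => qw(OK NOT_FOUND HTTP_SEE_OTHER);

my $tt = Template->new(INCLUDE_PATH => '/srv/app/templates');    # assumed path

# Reduce a Referer value to a same-site path. Another host, a
# scheme-relative //host or dot segments all fall back to /home.
sub safe_target {
    my ($candidate, $host) = @_;
    my $default = '/home';
    return $default unless defined $candidate && length $candidate;
    if ($candidate =~ m{\Ahttps?://([^/?#]*)([^?#]*)}i) {
        return $default unless lc $1 eq lc $host;
        $candidate = length $2 ? $2 : '/';
    }
    return $default unless $candidate =~ m{\A/[A-Za-z0-9_./-]*\z};
    return $default if $candidate =~ m{//|\.\.};
    return $default if $candidate eq '/login';    # do not bounce back to the form
    return $candidate;
}

# 303 makes the browser fetch the target with GET. The cookie goes in
# err_headers_out because that table is the one sent with a non-200 status.
sub see_other {
    my ($r, $path, $cookie) = @_;
    $r->err_headers_out->add('Set-Cookie' => $cookie) if defined $cookie;
    $r->headers_out->set(Location => $r->construct_url($path));
    return Apache2::Const::HTTP_SEE_OTHER;
}

sub render {
    my ($r, $template, $vars) = @_;
    my $html = '';
    $tt->process($template, $vars || {}, \$html) or die $tt->error;
    $r->content_type('text/html; charset=utf-8');
    $r->headers_out->set('Cache-Control' => 'no-store');
    $r->print($html);
    return Apache2::Const::OK;
}

sub handler {
    my $r = shift;

    # Only a 32-hex-digit id from the cookie is ever passed to the lookup.
    my ($sid) = ($r->headers_in->get('Cookie') || '')
        =~ /(?:\A|;\s*)session_id=([0-9a-f]{32})(?:;|\z)/;
    my $session = defined $sid ? My::Auth::load_session($sid) : undef;

    if ($r->uri eq '/login') {
        return see_other($r, '/home') if $session;    # already logged in
        return render($r, 'login.tt') unless $r->method eq 'POST';

        my $req     = Apache2::Request->new($r);
        my $new_sid = My::Auth::login(scalar $req->param('user'),
                                      scalar $req->param('pass'));
        return render($r, 'login.tt', { error => 'Login failed' })
            unless defined $new_sid;

        # Secure assumes the site is served over HTTPS.
        my $target = safe_target(scalar $r->headers_in->get('Referer'),
                                 $r->hostname);
        return see_other($r, $target,
            "session_id=$new_sid; Path=/; HttpOnly; Secure; SameSite=Lax");
    }

    # Every other path requires a session before any content is produced.
    return see_other($r, '/login') unless $session;
    return render($r, 'home.tt', { session => $session }) if $r->uri eq '/home';
    return Apache2::Const::NOT_FOUND;
}

1;
```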



Re: Changing browser URL based on condition

2011-07-27 Thread Mårten Svantesson



2011-07-11 20:48, Jerry Pereira wrote:

> Hi All,
>
> I would like to know if there is a way to change the URL displayed on
> browser without using Redirect option. The URL visible on client browser
> must be based on some condition that is evaluated in my mod_perl handler.
>
> For example -
>
> 1. User types the URL - www.example.com, this will display the login page.
> 2. Once the user enters the credentials and hits submit, the request is
> posted to www.example.com/login action.
> 3. If the credentials entered by the user are valid then I would like to show
> the home page..uri
> 4. I am able to show the home page, but the URL does not change to
> www.example.com/home, instead it remains the same (i.e.
> www.example.com/login). I am using Template toolkit to render my pages. I
> tried $req->url('/home'), but that does not change the browser URI.

Any help will be appreciated.


Telling the browser to fudge the URL is a client side thing. There is support 
for this in HTML5, with varying support in different browsers.

One starting point could be this:
http://stackoverflow.com/questions/4015613/good-tutorial-for-using-html5-history-api-pushstate


--
  Mårten Svantesson
  Senior Developer
  Travelocity Nordic
  +46 (0)8 505 787 23


Re: Changing browser URL based on condition

2011-07-28 Thread Randolf Richardson
[sNip]
> Telling the browser to fudge the URL is a client side thing. There is support 
> for this in HTML5, with varying support in different browsers.
[sNip]

I really hope the hostname portion is excluded from this; if not, 
then the world will be hit by a whole new set of scams.  =(

Do you happen to know if the HTML5 standards limit this?

Randolf Richardson - rand...@inter-corporate.com
Inter-Corporate Computer & Network Services, Inc.
Vancouver, British Columbia, Canada
http://www.inter-corporate.com




Authentication logic [was: Changing browser URL based on condition]

2011-07-12 Thread Vincent Veyron
Hi list,

In a recent thread, this exchange took place :

On Monday 11 July 2011 at 21:54 +0200, André Warnier wrote:

> Szekeres, Edward wrote:
> > It seems to be just an attempt to do what is already done in 
> > Apache2::AuthCookie (CPAN), which encapsulates a server side authentication.
> > 
> +1
> Exactly.
> And I would add that before you start trying to implement your own
> authentication logic, you should really think twice.  HTTP authentication is
> a lot more messy than what you would at first think, and you should first
> have a look at some existing CPAN modules like the one mentioned above, and
> browse the code to understand what they are doing and why. Or just use them,
> they work.
> 

I've been meaning to ask a related question to the list for a while. My
logic for session authentication is thus:

Login is handled by login.pm which checks username/password pair against
database.

if ( valid pair ) {
    set session_id and time_to_live;
    set cookie=session_id;
    store session_id and some parameters in a file via Storable.pm;
    redirect to Home page
} else {
    serve login again
}

For all requests except login :

1 - Headerparser retrieves the session_id via the cookie, and reads the
session file. 
If ( session_id is unknown or time_to_live exceeded ) then {
    serve login
} else {
    serve requested page
}

2 - perlhandler generates content

3 - Filter processes content and resets time_to_live of session, stores
it back in file

The relevant modules are visible here :
login :  http://vincentveyron.com/tmp/login.pm
headerparser : http://vincentveyron.com/tmp/get_session_id.pm
filter : http://vincentveyron.com/tmp/html_head_and_tail.pm

My questions :

-Is there anything wrong with my process?

-What does Apache2::AuthCookie do that I don't already have?


-- 
Vincent Veyron
http://marica.fr/
Claims and litigation management software for legal departments



Re: Authentication logic [was: Changing browser URL based on condition]

2011-07-13 Thread Perrin Harkins
On Tue, Jul 12, 2011 at 8:45 AM, Vincent Veyron  wrote:
> -Is there anything wrong with my process?

If it's working for you, then it sounds fine.  Needing to invoke
mod_perl on every hit could be bad if you're trying to protect a lot
of otherwise static pages, but it doesn't sound like you are.  The
file storage of sessions is also limiting (i.e. no clustering), but if
you aren't having trouble with it, no need to change it.

> -What does Apache2::AuthCookie do that I don't already have?

It might have better cookie security.  Mostly it's just the general
advantage of using shared open source code over in-house code that has
no other users improving and debugging it.

- Perrin


Re: Authentication logic [was: Changing browser URL based on condition]

2011-07-14 Thread Vincent Veyron
On Wednesday 13 July 2011 at 13:19 -0400, Perrin Harkins wrote:
> On Tue, Jul 12, 2011 at 8:45 AM, Vincent Veyron  wrote:
> > -Is there anything wrong with my process?
> 
> If it's working for you, then it sounds fine.  Needing to invoke
> mod_perl on every hit could be bad if you're trying to protect a lot
> of otherwise static pages, but it doesn't sound like you are. 


Indeed, all pages are dynamic; this is a case management app, so every
page requires queries from the database 

> The
> file storage of sessions is also limiting (i.e. no clustering), but if
> you aren't having trouble with it, no need to change it.
> 

My needs are very modest for the time being, so I did not investigate
this part at all, I must say. 

Could you explain (very briefly) how clustering prevents file storage of
a session?


> > -What does Apache2::AuthCookie do that I don't already have?
> It might have better cookie security.  
> Mostly it's just the general
> advantage of using shared open source code over in-house code that has
> no other users improving and debugging it.

Well, I'll look into it more. Thanks for your input.


-- 
Vincent Veyron
http://marica.fr/
Claims and litigation management software for legal departments




Re: Authentication logic [was: Changing browser URL based on condition]

2011-07-14 Thread Perrin Harkins
On Thu, Jul 14, 2011 at 11:21 AM, Vincent Veyron  wrote:
> Could you explain (very briefly) how clustering prevents file storage of
> a session?

A cluster in this case means multiple servers, so they don't share a
filesystem.  There are ways to share files of course, but the common
solution is to put your session data in a database with remote access.

- Perrin


Re: Authentication logic [was: Changing browser URL based on condition]

2011-07-14 Thread Vincent Veyron
On Thursday 14 July 2011 at 11:34 -0400, Perrin Harkins wrote:
> On Thu, Jul 14, 2011 at 11:21 AM, Vincent Veyron  wrote:
> > Could you explain (very briefly) how clustering prevents file storage of
> > a session?
> 
> A cluster in this case means multiple servers, so they don't share a
> filesystem.  There are ways to share files of course, but the common
> solution is to put your session data in a database with remote access.
> 

This is what I first did, using Apache::Session. But I noticed the call
to tie was very slow (response time around 70ms with it, 15ms without
it), so I changed for Storable because filesystem reads were much
faster.

Also, I did not find how to store a hash in the database without tie. I
read it's possible to use Data::Dumper to write the data in a field and
read it as Perl code. Would that be a way to do it?

-- 
Vincent Veyron
http://marica.fr/
Claims and litigation management software for legal departments







Re: Authentication logic [was: Changing browser URL based on condition]

2011-07-14 Thread Michael Peters

On 07/14/2011 12:57 PM, Vincent Veyron wrote:


> This is what I first did, using Apache::Session. But I noticed the call
> to tie was very slow (response time around 70ms with it, 15ms without
> it), so I changed for Storable because filesystem reads were much
> faster.


I don't personally like Apache::Session because of the tie thing, but 
that's more an interface preference than anything else.



> Also, I did not find how to store a hash in the database without tie. I
> read it's possible to use Data::Dumper to write the data in a field and
> read it as Perl code. Would that be a way to do it?


The same way you're doing it now with Storable and a file. But instead 
of reading a file you read a database field.


--
Michael Peters
Plus Three, LP


Re: Authentication logic [was: Changing browser URL based on condition]

2011-07-14 Thread Vincent Veyron
On Thursday 14 July 2011 at 13:02 -0400, Michael Peters wrote:
> On 07/14/2011 12:57 PM, Vincent Veyron wrote:

> > Also, I did not find how to store a hash in the database without tie. I
> > read it's possible to use Data::Dumper to write the data in a field and
> > read it as Perl code. Would that be a way to do it?
> 
> The same way you're doing it now with Storable and a file. But instead 
> of reading a file you read a database field.
> 

OK, I must have missed it in the doc, I'll look again. 

Thank you

-- 
Vincent Veyron
http://marica.fr/
Claims and litigation management software for legal departments




Re: Authentication logic [was: Changing browser URL based on condition]

2011-07-15 Thread Perrin Harkins
On Thu, Jul 14, 2011 at 3:15 PM, Vincent Veyron  wrote:
> OK, I must have missed it in the doc, I'll look again.

I think you misunderstand.  Storable doesn't do this for you.  The
idea is you could capture the session in a variable and write that to
a database.

If you'd rather not roll your own but you don't like the
Apache::Session API, look at other stuff on CPAN like CGI::Session.

- Perrin


Re: Authentication logic [was: Changing browser URL based on condition]

2011-07-16 Thread Vincent Veyron
On Friday, 15 July 2011 at 17:59 -0400, Perrin Harkins wrote:

> I think you misunderstand.  Storable doesn't do this for you.  The
> idea is you could capture the session in a variable and write that to
> a database.
> 

Let me explain; I used to do : 
 
tie %session, 'Apache::Session::Postgres', $session_id, {...};

and then

$r->pnotes('session' => \%session);

$session_id is taken from the cookie, %session stores several
parameters/variables. 

As I said, I replaced the call to tie with :

$r->pnotes('session' => Storable::retrieve($session_file));

where $session_file again is retrieved from the cookie.

What I can't find out is : how do I store %session into a database
without using tie??


-- 
Vincent Veyron
http://marica.fr/
Claims and litigation management software for legal departments




Re: Authentication logic [was: Changing browser URL based on condition]

2011-07-16 Thread Perrin Harkins
On Sat, Jul 16, 2011 at 1:01 PM, Vincent Veyron  wrote:
> As I said, I replaced the call to tie with :
>
> $r->pnotes('session' => Storable::retrieve($session_file));
>
> where $session_file again is retrieved from the cookie.
>
> What I can't find out is : how do I store %session into a database
> without using tie??

That's what I'm trying to explain.  You can either use the Storable
API to put your session into a string, and then write to a database
using standard DBI, or you can use a pre-built tool like CGI::Session.

To serialize your session to a string, you can do something like this:
use Storable qw(nfreeze);
$serialized = nfreeze \%session;

See the Storable docs for more.

- Perrin
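
An added example, not part of the original thread: the approach described above, serializing the session hash with nfreeze and writing it through plain DBI, with thaw on the way back. It assumes DBD::SQLite is installed and uses an in-memory database with a hypothetical sessions table in place of the shared database server; base64 encoding is added here so the binary string fits a text column.

```perl
use strict;
use warnings;
use DBI;
use Storable qw(nfreeze thaw);
use MIME::Base64 qw(encode_base64 decode_base64);

# Assumption: in-memory SQLite stands in for the shared database server;
# the table and column names are hypothetical.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, AutoCommit => 1 });
$dbh->do('CREATE TABLE sessions (id TEXT PRIMARY KEY, data TEXT NOT NULL)');

# Serialize the session hash and store it under its id.
sub save_session {
    my ($dbh, $id, $session) = @_;
    # nfreeze returns binary data; base64 makes it safe for a text column.
    my $blob = encode_base64(nfreeze($session), '');
    $dbh->begin_work;
    $dbh->do('DELETE FROM sessions WHERE id = ?', undef, $id);
    $dbh->do('INSERT INTO sessions (id, data) VALUES (?, ?)', undef, $id, $blob);
    $dbh->commit;
    return;
}

# Return the stored session as a hash ref, or undef for an unknown id.
sub load_session {
    my ($dbh, $id) = @_;
    my ($blob) = $dbh->selectrow_array(
        'SELECT data FROM sessions WHERE id = ?', undef, $id);
    return unless defined $blob;
    # thaw only data this application wrote: Storable can rebuild blessed
    # objects, so client-supplied bytes must never reach it. The same goes
    # for Data::Dumper output, which has to be eval'ed as Perl to be read back.
    return thaw(decode_base64($blob));
}

# Constructed sample session, as it would sit in $r->pnotes('session').
my %session = (user_id => 42, headers => [ 'Date', 'Amount' ]);
save_session($dbh, 'constructed-session-id', \%session);

my $restored = load_session($dbh, 'constructed-session-id');
print "user_id: $restored->{user_id}\n";
print "headers: @{ $restored->{headers} }\n";
print 'unknown id: ', (defined(load_session($dbh, 'no-such-id')) ? 'found' : 'none'), "\n";
```
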


Re: Authentication logic [was: Changing browser URL based on condition]

2011-07-16 Thread Phil Van
Back to Vincent's original request about session id and login: how secure is
your session id? Have you signed it? If not, someone can try sending
random IDs and break your authentication.

Well, if you sign it and sign it properly, you basically end up with the
same idea in those "Authen + Ticket + Gate" CPAN modules. Besides a time
stamp, you should also sign with user's IP.  If the cookie is stolen, the
origin of IP may protect as the last hope.

(if you are using https, then all the above procedures do not matter)

The second idea is that you may not need to store session on the server at
all: if the information in the session is merely user information such as
user id, name, email etc., you can concatenate them into the cookie value
(again, sign it). So the next time the user visits, you automatically get
that information back from the cookie.

Cheers.




Re: Authentication logic [was: Changing browser URL based on condition]

2011-07-17 Thread Vincent Veyron
On Saturday, 16 July 2011 at 21:06 -0400, Perrin Harkins wrote:
> On Sat, Jul 16, 2011 at 1:01 PM, Vincent Veyron  wrote:

> To serialize your session to a string, you can do something like this:
> use Storable qw(nfreeze);
> $serialized = nfreeze \%session;
> 

I see the light!

Thanks a bunch for taking the time to explain.

-- 
Vincent Veyron
http://marica.fr/
Claims and litigation management software for legal departments




Re: Authentication logic [was: Changing browser URL based on condition]

2011-07-17 Thread Vincent Veyron
On Saturday, 16 July 2011 at 22:16 -0700, Phil Van wrote:
> Back to Vincent's original request about session id and login: 

> (if you are using https, then all the above procedures do not matter)
> 

It's via https, yes.

> The second idea is that you may not need to store session on the
> server at all: if the information in the session is merely user
> information such as user id, name, email etc., you can concatenate
> them into the cookie value (again, sign it). So the next time the user
> visits, you automatically get that information back from the cookie.

I am trying to avoid this, actually : the cookie only holds the session
id for retrieval. The hash stored on the server holds various parameters
for the user's session. 

Very convenient for customization. For instance, I'm using it to store
field headers, which the client can then set to his liking.

-- 
Vincent Veyron
http://marica.fr/
Claims and litigation management software for legal departments



Re: Authentication logic [was: Changing browser URL based on condition]

2011-07-17 Thread Adam Prime

On 7/17/2011 1:16 AM, Phil Van wrote:

> Back to Vincent's original request about session id and login: how
> secure is your session id? Have you signed it? If not, someone can try
> sending random IDs and break your authentication.
>
> Well, if you sign it and sign it properly, you basically end up with the
> same idea in those "Authen + Ticket + Gate" CPAN modules. Besides a time
> stamp, you should also sign with user's IP.  If the cookie is stolen,
> the origin of IP may protect as the last hope.

Tying a session to an IP can be bad if you use a CDN, or you have
clients that are behind big multihomed transparent proxies.  AOL users
in particular used to come from various IPs during a single session.


Adam
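
An added example, not part of the original thread: the signed session id with a time stamp that Phil Van describes, with the IP binding left optional because of the caveat in the reply above. The key, the cookie layout (id|expiry|mac), the function names and all sample values are assumptions made for this sketch.

```perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Assumption: placeholder key; a real one is random and kept out of the code.
my $SECRET = 'constructed-demo-key-change-me';

# Build "id|expiry|mac". Pass $ip only to bind the cookie to one client address.
sub sign_cookie {
    my ($session_id, $expires, $ip) = @_;
    die "session id must not contain '|'\n" if $session_id =~ /\|/;
    my $mac = hmac_sha256_hex(join('|', $session_id, $expires, $ip // ''), $SECRET);
    return join '|', $session_id, $expires, $mac;
}

# Compare two strings without stopping at the first differing byte.
sub secure_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr $x, $_, 1) ^ ord(substr $y, $_, 1) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Return the session id if the cookie is authentic and unexpired, else undef.
sub verify_cookie {
    my ($cookie, $now, $ip) = @_;
    my ($session_id, $expires, $mac) = split /\|/, $cookie // '', 3;
    return unless defined $mac && $expires =~ /\A\d+\z/;
    my $expected = hmac_sha256_hex(join('|', $session_id, $expires, $ip // ''), $SECRET);
    return unless secure_eq($mac, $expected);
    return if $now > $expires;
    return $session_id;
}

# Constructed demo values: a fixed clock and documentation-range addresses.
my $now    = 1_310_900_000;
my $cookie = sign_cookie('a3f9c2d4e5', $now + 3600);
(my $forged = $cookie) =~ s/\Aa3f9c2d4e5/ffffffffff/;
my $bound  = sign_cookie('a3f9c2d4e5', $now + 3600, '192.0.2.10');

printf "valid:       %s\n", verify_cookie($cookie, $now) // 'rejected';
printf "forged id:   %s\n", verify_cookie($forged, $now) // 'rejected';
printf "expired:     %s\n", verify_cookie($cookie, $now + 7200) // 'rejected';
printf "new address: %s\n", verify_cookie($bound, $now, '198.51.100.7') // 'rejected';
```

The last line shows the trade-off raised in the reply: an IP-bound cookie is rejected as soon as the same user arrives from a different address.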