Re: Enforcing user logged in from only 1 browser?

2002-04-16 Thread Fran Fabrizio
Peter Bi wrote:
If you touch SessionDBI for every request, why don't go directly to the Basic Authentication?

1. You can't use a custom log in page
2. You can't log out unless you close your browser
3. It's for use by our employees only. They are told to enable cookies. =)

-Fran

Re: Enforcing user logged in from only 1 browser?

2002-04-16 Thread Peter Bi
- Original Message -
From: Fran Fabrizio [EMAIL PROTECTED]
To: Peter Bi [EMAIL PROTECTED]
Cc: Jeff [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Tuesday, April 16, 2002 6:33 AM
Subject: Re: Enforcing user logged in from only 1 browser?

Peter Bi wrote: If you touch SessionDBI for every request

Re: Enforcing user logged in from only 1 browser?

2002-04-16 Thread Fran Fabrizio
Peter, 2) that depends. First, for some reasons, Internet is designed without Logout. Many seldom logout from those services such as Yahoo mail, and me too. For the specific question you posted (one login only for an account), while it can be in principle designed and implemented, in

Re: Enforcing user logged in from only 1 browser?

2002-04-15 Thread Fran Fabrizio
[EMAIL PROTECTED] wrote:
How are you handling your sessions? I use Apache::Session::Postgres.

I'm using AuthCookie. A customization of AuthCookieDBI to be specific. However, I also use Apache::Session. Basically, I authenticate with AuthCookie, then I pass the authenticated username

Re: Enforcing user logged in from only 1 browser?

2002-04-15 Thread gphat
It's #5 that's troublesome. I wasn't sure how I could expire the older session (since the session key that matters is sitting client side). I guess I could keep a table of invalidated session keys, and check against that every time, along with all the other checks going on in

Re: Enforcing user logged in from only 1 browser?

2002-04-15 Thread Fran Fabrizio
I'm not sure I follow your session id problem. When I check a session, I ask the client for its ID, then look the session up by ID. To 'expire' the session, I simply delete it from the session store (File or Postgres). The confusion is you aren't using sessions in the authentication

Re: Enforcing user logged in from only 1 browser?

2002-04-15 Thread Perrin Harkins
Fran Fabrizio wrote: Unfortunately, there's some terminology muddling...AuthCookie calls it a session when it establishes that a user is a valid user and sets a cookie on their browser. Apache::Session considers a session a series of page hits from the same user. It assumes you've

Re: Enforcing user logged in from only 1 browser?

2002-04-15 Thread Fran Fabrizio
You would have to do the auth part yourself, as well as the actual cookie handling, or else hack AuthCookie to cooperate with Apache::Session. This is exactly what I've done. I've modified AuthCookieDBI to create an Apache::Session session as soon as it knows it has a valid user. Then if

RE: Enforcing user logged in from only 1 browser?

2002-04-15 Thread Jeff
pennies...

Regards
Jeff

-Original Message-
From: Perrin Harkins [mailto:[EMAIL PROTECTED]]
Sent: 15 April 2002 16:02
To: Fran Fabrizio
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: Enforcing user logged in from only 1 browser?

Fran Fabrizio wrote: Unfortunately, there's some

Re: Enforcing user logged in from only 1 browser?

2002-04-15 Thread Fran Fabrizio
Jeff wrote: Forgive a mod_perl newbie for non mod_perl thinking, but this is (a simplified overview) of how I would approach this: request for any protected page - if no existing session data [so not authenticated] create new session remember target page in session

Re: Enforcing user logged in from only 1 browser?

2002-04-12 Thread leibniz
perhaps you can generate a new session id for each page displayed. for example a user logs in. he gets $sess_id1. automatically the session id gets changed to $sess_id2 and all the links from that page contain the second one. so if he clicks somewhere on the page he will go on to a page with the

Re: Enforcing user logged in from only 1 browser?

2002-04-12 Thread gphat
How are you handling your sessions? I use Apache::Session::Postgres. In my scenario, if I needed to do this, I would check the list of valid sessions I have for one that exists for the user. i.e., if 'gphat' tries to log in, I check to see if any of the sessions in the db are for user gphat. If

Re: Enforcing user logged in from only 1 browser?

2002-04-12 Thread Peter Bi
To make a perfect system like this probably needs users to sign-off faithfully by every session.

Peter Bi

- Original Message -
From: Fran Fabrizio [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, April 12, 2002 1:22 PM
Subject: Enforcing user logged in from only 1 browser?