PerlMonks
Mod_Perl Handlers And Getting Rid Of Sessions In The URL
by Revelation (Deacon) on Sep 15, 2002 at 02:51 UTC ( [id://197980]=perlquestion )
Revelation has asked for the wisdom of the Perl Monks concerning the following question:
I've been working on maintaining state in mod_perl, and converting parts of my mod_perl script into a mod_perl handler to do the bulk of the maintenance; however, a problem has come up. While working on the mod_perl handlers, I began reading the book "Writing Apache Modules With Perl And C". This gave me some insight on session IDs via an added parameter to the URL, which I had implemented in my old scripts, by just parsing the state parameters in the URL. (My reason for this was to preserve utmost flexibility in the type of users and browsers I would be able to take, as not all people are in love with the infamous cookie.)

'A more serious potential problem with URI-based session IDs is that under some circumstances it is possible for the session ID to "leak" to other sites via the HTTP referrer header (which, for historical reasons, is spelled "Referer").'

Being a mod_perl novice (one who doesn't use the inherent power of the Apache module(s)), I was stuck. I resolved to study a little bit more of mod_perl in the hope of finding some way to change the URL on the user's browser from what it was previously, while still keeping the user's session id usable to the real script. I went on to read about 'Redirecting While Maintaining Environment Variables', which used the internal_redirect() and subprocess_env() functions to change the URI, but allow me to keep the pertinent environmental variables. I was doomed to keep looking, when I realized that internal means that it won't show externally (how sad).

My current line of thought is using a perltranshandler to strip the session information from the site, and then somehow use an ub3r-uri() to change the URI to the user's browser (which from my understanding uri() does not do), while maintaining the session id.

Any advice for a poor mod_perl novice, who can't figure out the answer to his seemingly simple problem? I can only hope that the solution is simple, and that I just haven't read enough to find it.

PS: I have heeded merlyn's advice, and made sure that all important functions can only be used five minutes from the last cache hit, but I still feel that it's better to be safe than sorry...

Gyan Kapur
gyan.kapur@rhhllp.com
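The PerlTransHandler idea from the question, sketched for mod_perl 1 as an added example that is not part of the original post. The package name My::StripSession, the SESSION_ID variable name and the 32-hex-digit ID in the first path segment are assumptions. The rewrite happens only inside the server, so it does not remove the ID from the URL the browser holds.

```perl
package My::StripSession;   # hypothetical package name
use strict;
use warnings;
use Apache::Constants qw(DECLINED);

# Assumption: the session ID is 32 lowercase hex digits in the first path
# segment, e.g. /0123456789abcdef0123456789abcdef/app/index.html
my $SESSION_RE = qr{^/([0-9a-f]{32})(/.*)?$};

sub handler {
    my $r = shift;

    # Anything that does not match the strict pattern is left untouched,
    # so arbitrary path text never reaches the environment.
    my ($id, $rest) = $r->uri =~ $SESSION_RE
        or return DECLINED;

    # Hand the ID to later phases and to CGI/Registry scripts.
    $r->subprocess_env(SESSION_ID => $id);   # hypothetical variable name
    $r->notes(SESSION_ID => $id);

    # Rewrite the URI the server maps to a file. This changes nothing the
    # browser sees: its address bar, and so the Referer header it sends to
    # other sites, still contains the session ID.
    $r->uri(defined $rest ? $rest : '/');

    # Let Apache's default translation map the rewritten URI.
    return DECLINED;
}

1;

# httpd.conf:
#   PerlTransHandler My::StripSession
```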