I've been working on maintaining state in mod_perl, and converting parts of my mod_perl script into a mod_perl handler to do the bulk of the maintenance; however, a problem has come up. While working on the mod_perl handlers, I began reading the book "Writing Apache Modules With Perl And C". This gave me some insight on session IDs via an added parameter to the URL, which I had implemented in my old scripts by just parsing the state parameters in the URL. (My reason for this was to preserve utmost flexibility in the type of users and browsers I would be able to take, as not all people are in love with the infamous cookie.)

'A more serious potential problem with URI-based session IDs is that under some circumstances it is possible for the session ID to "leak" to other sites via the HTTP referrer header (which, for historical reasons, is spelled "Referer").'

Being a mod_perl novice (one who doesn't use the inherent power of the Apache module(s)), I was stuck. I resolved to study a little bit more of mod_perl in the hope of finding some way to change the URL on the user's browser from what it was previously, while still keeping the user's session ID usable to the real script. I went on to read about 'Redirecting While Maintaining Environment Variables', which used the internal_redirect() and subprocess_env() functions to change the URI, but allowed me to keep the pertinent environmental variables.

I was doomed to keep looking, when I realized that internal means that it won't show externally (how sad). My current line of thought is using a PerlTransHandler to strip the session information from the site, and then somehow use an ub3r-uri() to change the URI to the user's browser (which from my understanding uri() does not do), while maintaining the session ID. Any advice for a poor mod_perl novice, who can't figure out the answer to his seemingly simple problem? I can only hope that the solution is simple, and that I just haven't read enough to find it.

PS: I have heeded merlyn's advice, and made sure that all important functions can only be used five minutes from the last cache hit, but I still feel that it's better to be safe than sorry...
Gyan Kapur
gyan.kapur@rhhllp.com
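
The PerlTransHandler idea from the post, as an added example that is not the poster's code: it assumes mod_perl 1, a hypothetical module name `My::StripSession`, and a session ID carried as 32 hex characters in a `sid` query parameter (both the parameter name and the format are assumptions). The rewrite is internal to the server, so the URL in the browser, and any Referer header the browser later sends, still contain the ID.

```perl
package My::StripSession;    # hypothetical module name
use strict;
use warnings;
use Apache::Constants qw(DECLINED);

# Assumed session ID format: 32 lowercase hex characters.
my $SID_RE = qr/[0-9a-f]{32}/;

# Pure helper: split a raw query string into
# (session ID or undef, query string without any sid pairs).
# Malformed or duplicate sid pairs are dropped, never passed on.
sub split_session {
    my ($args) = @_;
    my ($sid, @keep);
    for my $pair (split /[&;]/, defined $args ? $args : '') {
        if (!defined $sid && $pair =~ /^sid=($SID_RE)\z/) {
            $sid = $1;
        }
        elsif ($pair !~ /^sid=/) {
            push @keep, $pair;
        }
    }
    return ($sid, join '&', @keep);
}

# Install in httpd.conf with:  PerlTransHandler My::StripSession
sub handler {
    my $r = shift;

    # scalar context returns the raw query string in mod_perl 1
    my ($sid, $rest) = split_session(scalar $r->args);
    return DECLINED unless defined $sid;

    # Later phases and CGI-style scripts read $ENV{SESSION_ID}.
    $r->subprocess_env(SESSION_ID => $sid);

    # Content handlers now see the query string without the ID.
    # This does not touch the URL the browser holds.
    $r->args($rest);

    # DECLINED lets Apache's normal URI translation continue.
    return DECLINED;
}

1;
```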

In reply to Mod_Perl Handlers And Getting Rid Of Sessions In The URL by Revelation
