geektron has asked for the wisdom of the Perl Monks concerning the following question:

i've run into an interesting ... side effect of using mod_rewrite and Apache::Session::File. an app that gets redirected via the RewriteEngine seems to lose its POST information ...

the backstory:
an application has a few steps to it, but doesn't *need* to be run through SSL until the final step, a credit card charge. now i suspect i could use GET, but i really don't want to be passing a credit card number in the GET string. it's just bad practice.

i grabbed a bit of Rewrite Rules from the FAQ for mod_ssl (http://httpd.apache.org/docs-2.1/ssl/ssl_faq.html):

RewriteEngine on
RewriteRule ^/(.*):SSL$ https://%{SERVER_NAME}/$1 [R,L]
RewriteRule ^/(.*):NOSSL$ http://%{SERVER_NAME}/$1 [R,L]

and in the step where the creditcard is POSTed, i've changed the action to:

<form name='checkout' method='POST' action='/order/fliers.cgi:SSL'>

URL redirection works like a champ, but a new session_id is generated, and the application ends up back on the first page .... which ... well, defeats the purpose.

before i make the whole app run through SSL (which isn't that big of a deal) is there a way to preserve the POST information across RewriteRules? or is something else going on here (like the SessionFile being tied to an IP:port pair)?

Re: Apache::Session::File and mod_rewrite
by simonm (Vicar) on May 21, 2004 at 17:41 UTC
    in the step where the creditcard is POSTed, i've changed the action to: <form name='checkout' method='POST' action='/order/fliers.cgi:SSL'>

    Doesn't that mean that you post the credit card data through an unencrypted connection, and then redirect them to an encrypted one?

    Instead, send them to the SSL version of the page one step beforehand, when you're going to generate that form, and pass the session ID in the query string for that step.

      you raise a good point ... but the behavior is the same regardless of where i attempt the redirection. i just tried.
Re: Apache::Session::File and mod_rewrite
by joealba (Hermit) on May 21, 2004 at 16:48 UTC

    If you are using cookies to store the key for the session, that could be the problem. I've run into that exact issue when going from http to https -- mainly with Internet Explorer.

    I'd try passing the session key in the POST info and see if that solves the problem. Otherwise, I'd just run the whole app through SSL. But, I don't see anything in the Apache::Session code that would cause it.

      the SID is a hidden field on the page, not stored in the cookie. no cookies in this app ...
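
An added example, not part of any post in this thread: a RewriteRule with a bare [R] flag answers with an external 302 redirect, and HTTP clients follow a 302 by issuing a new GET without the original request body. The local server below is a stand-in for the `:SSL` rule (an assumption, not mod_rewrite itself) and the form values are constructed; it records what each of the two requests actually carried.

```python
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


class Handler(BaseHTTPRequestHandler):
    seen = []  # (method, path, body) for every request the server receives

    def _serve(self):
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length).decode()
        Handler.seen.append((self.command, self.path, body))
        if self.path.endswith(":SSL"):
            # Stand-in for the [R] rule: external 302 to the path without ":SSL".
            self.send_response(302)
            self.send_header("Location", self.path[:-len(":SSL")])
            self.send_header("Content-Length", "0")
            self.end_headers()
        else:
            self.send_response(200)
            self.send_header("Content-Length", "2")
            self.end_headers()
            self.wfile.write(b"ok")

    do_GET = do_POST = _serve

    def log_message(self, *args):
        pass  # keep the demo quiet


def post_through_redirect():
    """POST a form to the ':SSL' URL and return what the server saw."""
    Handler.seen = []
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        url = "http://127.0.0.1:%d/order/fliers.cgi:SSL" % server.server_port
        # Constructed form data: the hidden session field plus a step marker.
        form = urllib.parse.urlencode(
            {"sid": "CONSTRUCTED-SID", "step": "charge"}).encode()
        opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
        opener.open(url, data=form, timeout=5).read()
    finally:
        server.shutdown()
        server.server_close()
    return list(Handler.seen)


if __name__ == "__main__":
    for method, path, body in post_through_redirect():
        print(method, path, repr(body))
```

The first recorded request holds the full form body on the pre-redirect connection; the second, the one that reaches the redirect target, is a GET with no body, so a hidden SID field never arrives there.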