# # Apache::SessionManager.pm - mod_perl module to manage HTTP sessions # # The Apache::SessionManager module is free software; you can redistribute it # and/or modify it under the same terms as Perl itself. # # See 'perldoc Apache::SessionManager' for documentation # package Apache::SessionManager; require 5.005; use strict; use vars qw($VERSION); $VERSION = '1.03'; use mod_perl; use Apache::Session::Flex; use constant MP2 => ($mod_perl::VERSION >= 1.99); if (MP2) { @Apache::SessionManager::ISA = qw(Apache::RequestRec); } else { @Apache::SessionManager::ISA = qw(Apache); } # Test libapreq modules my $libapreq; BEGIN { # Tests mod_perl version and uses the appropriate components if (MP2) { require Apache::Const; Apache::Const->import(-compile => qw(DECLINED REDIRECT)); require Apache::RequestRec; require Apache::SubRequest; require Apache::RequestUtil; require APR::Pool; # for cleanup_register require APR::URI; require Apache::URI; #require Apache::Connection; # for remote_ip } else { require Apache::Constants; Apache::Constants->import(qw(DECLINED REDIRECT)); require Apache::URI; } # Test libapreq modules eval { require Apache::Cookie; Apache::Cookie->can('bake'); Apache::Cookie->can('fetch') }; if ($@) { require CGI::Cookie; $libapreq = 0; } else { $libapreq = 1; } } sub handler { my $r = shift; my (%session_config,%session,$session_id,%cookie_options); return (MP2 ? Apache::DECLINED : Apache::Constants::DECLINED) unless $r->is_initial_req; my $debug_prefix = '[' . $r->connection->remote_ip . "] SessionManager ($$): "; $session_config{'SessionManagerDebug'} = $r->dir_config('SessionManagerDebug') || 0; foreach ( qw/SessionManagerURITracking SessionManagerTracking SessionManagerEnableModBackhand SessionManagerStoreArgs SessionManagerCookieArgs SessionManagerSetEnv SessionManagerExpire SessionManagerHeaderExclude SessionManagerIPExclude/ ) { $session_config{$_} = $r->dir_config($_); } $r->log_error($debug_prefix . '---START REQUEST: ' . $r->uri . ' ---') if $session_config{'SessionManagerDebug'} > 0; #print STDERR "$debug_prefix ---START REQUEST: " . $r->uri . " ---\n" if $session_config{'SessionManagerDebug'} > 0; # Get and remove session ID from URI if ( $session_config{'SessionManagerURITracking'} eq 'On' ) { $r->log_error($debug_prefix . 'start URI ' . $r->uri) if $session_config{'SessionManagerDebug'} > 0; #print STDERR "$debug_prefix start URI " . $r->uri . "\n" if $session_config{'SessionManagerDebug'} > 0; # retrieve session ID from URL (or HTTP 'Referer:' header) my (undef, $uri_session_id, $rest) = split /\/+/, $r->uri, 3; if ( $uri_session_id =~ /^[0-9a-h]+$/ ) { $session_id = $uri_session_id; # Remove the session from the URI $r->uri("/$rest"); $r->log_error($debug_prefix . 'end URI ' . $r->uri) if $session_config{'SessionManagerDebug'} > 0; #print STDERR "$debug_prefix end URI " . $r->uri . "\n" if $session_config{'SessionManagerDebug'} > 0; } } # declines each request if session manager is off return (MP2 ? Apache::DECLINED : Apache::Constants::DECLINED) unless ( $session_config{'SessionManagerTracking'} eq 'On' ); # declines requests matching IP exclusion list if ( $session_config{'SessionManagerIPExclude'} ) { require Socket; foreach ( split(/\s+/,$session_config{'SessionManagerIPExclude'}) ) { $r->log_error($debug_prefix . '_isInRange(' . $r->connection->remote_ip . ",$_)") if $session_config{'SessionManagerDebug'} >= 5; #print STDERR "$debug_prefix _isInRange(" . $r->connection->remote_ip . ",$_)\n" if $session_config{'SessionManagerDebug'} >= 5; return (MP2 ? Apache::DECLINED : Apache::Constants::DECLINED) if _isInRange($r->connection->remote_ip,$_); } } # declines requests matching any of exclusions headers foreach my $header ( $r->dir_config->get('SessionManagerHeaderExclude') ) { my ($key,$value) = split(/\s*=\s*>\s*/,$header,2); # Header and its value must exists in order to check it next unless ($r->headers_in->{$key} && $value); if ( $r->headers_in->{$key} =~ /$value/i ) { return (MP2 ? Apache::DECLINED : Apache::Constants::DECLINED) } } # Set exclusion extension(s) $session_config{'SessionManagerItemExclude'} = $r->dir_config('SessionManagerItemExclude') || '(\.gif|\.jpe?g|\.png|\.mpe?g|\.css|\.js|\.txt|\.mp3|\.wav|\.swf|\.avi|\.au|\.ra?m)$'; # declines requests if resource type is to exlcude return (MP2 ? Apache::DECLINED : Apache::Constants::DECLINED) if ( $r->uri =~ /$session_config{'SessionManagerItemExclude'}/i ); $session_config{'SessionManagerStore'} = $r->dir_config('SessionManagerStore') || 'File'; $session_config{'SessionManagerLock'} = $r->dir_config('SessionManagerLock') || 'Null'; $session_config{'SessionManagerGenerate'} = $r->dir_config('SessionManagerGenerate') || 'MD5'; $session_config{'SessionManagerSerialize'} = $r->dir_config('SessionManagerSerialize') || 'Storable'; $session_config{'SessionManagerExpire'} = $session_config{'SessionManagerExpire'} =~ /^(none|no|disabed)$/i ? 0 : $session_config{'SessionManagerExpire'} !~ /^\d+$/ ? 3600 : $session_config{'SessionManagerExpire'}; $session_config{'SessionManagerInactivity'} = ( $r->dir_config('SessionManagerInactivity') =~ /^\d+$/ ) ? $r->dir_config('SessionManagerInactivity') : undef; $session_config{'SessionManagerName'} = $r->dir_config('SessionManagerName') || 'PERLSESSIONID'; # Print SesssionManager configs to error_log if ( $session_config{'SessionManagerDebug'} >= 3 ) { $r->log_error($debug_prefix . 'configuration settings:'); #print STDERR "$debug_prefix configuration settings\n"; foreach (sort keys %session_config) { $r->log_error($debug_prefix . ' ' x 8 . "$_ = $session_config{$_}"); #print STDERR "\t$_ = $session_config{$_}\n"; } } # Get session ID from cookie unless ( $session_config{'SessionManagerURITracking'} eq 'On' ) { if ( $libapreq ) { # Test libapreq 1 or 2 version to use correct 'fetch' API my %cookies = $Apache::Request::VERSION >= 2 ? Apache::Cookie->fetch($r) : Apache::Cookie->fetch; $session_id = $cookies{$session_config{'SessionManagerName'}}->value if defined $cookies{$session_config{'SessionManagerName'}}; $r->log_error($debug_prefix . 'Apache::Cookie fetch') if $session_config{'SessionManagerDebug'} >= 5; #print STDERR "$debug_prefix Apache::Cookie fetch\n" if $session_config{'SessionManagerDebug'} >= 5; } # Fetch cookies with CGI::Cookie else { # At this phase (HeaderParser | Translation), no $ENV{'COOKIE'} var is set, so we use CGI::Cookie parse method by passing 'Cookie' HTTP header my %cookies = CGI::Cookie->parse($r->headers_in->{'Cookie'}); $session_id = $cookies{$session_config{'SessionManagerName'}}->value if defined $cookies{$session_config{'SessionManagerName'}}; $r->log_error($debug_prefix . 'CGI::Cookie fetch') if $session_config{'SessionManagerDebug'} >= 5; #print STDERR "$debug_prefix CGI::Cookie fetch\n" if $session_config{'SessionManagerDebug'} >= 5; } } # Prepare Apache::Session::Flex options parameters call my %apache_session_flex_options = ( Store => $session_config{'SessionManagerStore'}, Lock => $session_config{'SessionManagerLock'}, Generate => $session_config{'SessionManagerGenerate'}, Serialize => $session_config{'SessionManagerSerialize'} ); # Load session data store specific parameters foreach my $arg ( split(/\s*,\s*/,$session_config{'SessionManagerStoreArgs'}) ) { my ($key,$value) = split(/\s*=\s*>\s*/,$arg); $apache_session_flex_options{$key} = $value; } if ( $session_config{'SessionManagerDebug'} >= 5 ) { $r->log_error($debug_prefix . 'Apache::Session::Flex options:'); #print STDERR "$debug_prefix Apache::Session::Flex options\n"; foreach (sort keys %apache_session_flex_options) { $r->log_error($debug_prefix . ' ' x 8 . "$_ = $apache_session_flex_options{$_}"); # print STDERR "\t$_ = $apache_session_flex_options{$_}\n"; } } # Support for mod_backhand sticky sessions $session_id = substr($session_id,8) if ( $session_config{'SessionManagerEnableModBackhand'} eq 'On' ); # Try to retrieve session object from session ID my $res = _tieSession($r,\%session, $session_id, \%apache_session_flex_options,$session_config{'SessionManagerDebug'},$debug_prefix); # Session ID not found or invalid session: a new object session will be create if ($res) { my $res = _tieSession($r,\%session, undef, \%apache_session_flex_options,$session_config{'SessionManagerDebug'},$debug_prefix); $session_id = undef; } # for new or invalid session's ID put session start time in special session key '_session_start' $session{'_session_start'} = time if ! defined $session{'_session_start'}; # session's expiration date check only for existing sessions if ( $session_id ) { $r->log_error($debug_prefix . "checking TTL session, ID = $session_id ($session{'_session_timestamp'})") if $session_config{'SessionManagerDebug'} > 0; #print STDERR "$debug_prefix checking TTL session, ID = $session_id ($session{'_session_timestamp'})\n" if $session_config{'SessionManagerDebug'} > 0; # Session TTL expired: a new object session is create if ( ( $session_config{'SessionManagerInactivity'} && (time - $session{'_session_timestamp'}) > $session_config{'SessionManagerInactivity'} ) || ( $session_config{'SessionManagerExpire'} && (time - $session{'_session_start'}) > $session_config{'SessionManagerExpire'} ) ) { $r->log_error($debug_prefix . 'session to delete') if $session_config{'SessionManagerDebug'} > 0; #print STDERR "$debug_prefix session to delete\n" if $session_config{'SessionManagerDebug'} > 0; tied(%session)->delete; my $res = _tieSession($r,\%session, undef, \%apache_session_flex_options,$session_config{'SessionManagerDebug'},$debug_prefix); $session_id = undef; $session{'_session_start'} = time; } } # Update '_session_timpestamp' session value only if required $session{'_session_timestamp'} = time if $session_config{'SessionManagerInactivity'}; # store object session reference in pnotes to share it over other handlers $r->pnotes('SESSION_MANAGER_HANDLE' => \%session ); # set 'SESSION_MANAGER_SID' env variable to session ID to make it available to CGI/SSI scripts $r->subprocess_env(SESSION_MANAGER_SID => $session{_session_id}) if ($session_config{'SessionManagerSetEnv'} eq 'On'); MP2 ? $r->pool->cleanup_register(\&cleanup,$r) : $r->register_cleanup(\&cleanup); # Foreach new session we: unless ( $session_id ) { my $session_id = $session{_session_id}; # Adjusts session id for mod_backhand if ( $session_config{'SessionManagerEnableModBackhand'} eq 'On' ) { my $hex_addr = join "", map { sprintf "%lx", $_ } unpack('C4', gethostbyname($r->get_server_name)); $session_id = $hex_addr . $session_id; } # redirect to embedded session ID URI... if ( $session_config{'SessionManagerURITracking'} eq 'On' ) { $r->log_error($debug_prefix . 'URI redirect...') if $session_config{'SessionManagerDebug'} > 0; #print STDERR "$debug_prefix URI redirect...\n" if $session_config{'SessionManagerDebug'} > 0; _redirect($r,$session_id); return MP2 ? Apache::REDIRECT : Apache::Constants::REDIRECT; } # ...or send cookie to browser else { $r->log_error($debug_prefix . 'sending cookie...') if $session_config{'SessionManagerDebug'} > 0; #print STDERR "$debug_prefix sending cookie...\n" if $session_config{'SessionManagerDebug'} > 0; # Load cookie specific parameters foreach my $arg ( split(/\s*,\s*/,$session_config{'SessionManagerCookieArgs'}) ) { my ($key,$value) = split(/\s*=>\s*/,$arg); $cookie_options{'-' . lc($key)} = $value if $key =~ /^(expires|domain|path|secure)$/i; } # Set default cookie path $cookie_options{'-path'} = '/' unless $cookie_options{'-path'}; if ( $session_config{'SessionManagerDebug'} >= 5 ) { $r->log_error($debug_prefix . 'Cookie options:'); #print STDERR "$debug_prefix Cookie options\n"; foreach (sort keys %cookie_options) { $r->log_error($debug_prefix . ' ' x 8 . "$_ = $cookie_options{$_}"); #print STDERR "\t$_ = $cookie_options{$_}\n"; } } # Set cookie with Apache::Cookie if ( $libapreq ) { my $cookie = Apache::Cookie->new($r, name => $session_config{'SessionManagerName'}, value => $session_id, %cookie_options ); $cookie->bake; $r->log_error($debug_prefix . 'Apache::Cookie bake ' . $cookie->as_string) if $session_config{'SessionManagerDebug'} >= 5; #print STDERR ("$debug_prefix Apache::Cookie bake " . $cookie->as_string . "\n") if $session_config{'SessionManagerDebug'} >= 5; } # Set cookie with CGI::Cookie else { my $cookie = CGI::Cookie->new( -name => $session_config{'SessionManagerName'}, -value => $session_id, %cookie_options ); $r->err_headers_out->{'Set-Cookie'} = "$cookie"; $r->log_error($debug_prefix . "CGI::Cookie bake $cookie") if $session_config{'SessionManagerDebug'} >= 5; #print STDERR "$debug_prefix CGI::Cookie bake $cookie\n" if $session_config{'SessionManagerDebug'} >= 5; } } } $r->log_error($debug_prefix . '---END REQUEST---') if $session_config{'SessionManagerDebug'} > 0; #print STDERR "$debug_prefix ---END REQUEST---\n" if $session_config{'SessionManagerDebug'} > 0; return MP2 ? Apache::DECLINED : Apache::Constants::DECLINED; } sub cleanup { my $r = shift; return (MP2 ? Apache::DECLINED : Apache::Constants::DECLINED) unless ( $r->dir_config('SessionManagerTracking') eq 'On' ); my $session = ref $r->pnotes('SESSION_MANAGER_HANDLE') ? $r->pnotes('SESSION_MANAGER_HANDLE') : {}; untie %{$session}; return MP2 ? Apache::DECLINED : Apache::Constants::DECLINED; } sub new { my ($class, $r) = @_; my $session = (ref $r->pnotes('SESSION_MANAGER_HANDLE')) ? $r->pnotes('SESSION_MANAGER_HANDLE') : {}; return bless { r => $r, session => $session }, $class; } sub get_session_param { my ($r,@args) = @_; if ( ! @args ) { @args = keys %{$r->{session}}; } my @ary; foreach ( @args ) { push @ary, $r->{session}->{$_}; } return wantarray ? @ary: "@ary"; } sub set_session_param { my ($r,%args) = @_; foreach ( keys %args ) { # to avoid ovverride session special keys next if /^_session/; $r->{session}->{$_} = $args{$_}; } } sub delete_session_param { my ($r,@args) = @_; foreach ( @args ) { # to avoid ovverride session special keys next if /^_session/; delete $r->{session}->{$_}; } } sub get_session { my $r = shift; return ($r->pnotes('SESSION_MANAGER_HANDLE')) ? $r->pnotes('SESSION_MANAGER_HANDLE') : (); } sub destroy_session { my $r = shift; my $session = (ref $r->pnotes('SESSION_MANAGER_HANDLE')) ? $r->pnotes('SESSION_MANAGER_HANDLE') : {}; tied(%{$session})->delete; } sub _tieSession { my ($r,$session_ref,$id,$options,$debug,$debug_prefix) = @_; eval { tie %{$session_ref}, 'Apache::Session::Flex', $id, $options; }; $r->log_error($debug_prefix . "Tied session ID = $$session_ref{_session_id}$@") if $debug >= 3; #print STDERR "Tied session ID = $$session_ref{_session_id}\n$@" if $debug >= 3; return $@ if $@; } # _redirect function adapted from original redirect sub wrote by Greg Cope sub _redirect { my $r = shift; my $session_id = shift || ''; my ($args, $host, $rest, $redirect); ($host, $rest) = split '/', $r->uri, 2; $args = $r->args || ''; $args = '?' . $args if $args; $r->content_type('text/html'); # "suggest by Gerald Richter / Matt Sergeant to add scheme://hostname:port to redirect" (Greg's original note) my $uri = MP2 ? APR::URI->parse($r->pool,$r->construct_url) : Apache::URI->parse($r); # hostinfo give port if necessary - otherwise not my $hostinfo = $uri->hostinfo; my $scheme = $uri->scheme . '://'; $session_id .= '/' if $session_id; $redirect = $scheme . $hostinfo . '/'. $session_id . $rest . $args; # if no slash and it's a dir add a slash if ($redirect !~ m#/$# && -d $r->lookup_uri($redirect)->filename) { $redirect .= '/'; } $r->headers_out->{'Location'} = $redirect; } sub _isInRange { my ($addr,$base) = @_; my $bits; ($base, $bits) = split /[\/:]/, $base; return ( (4 == grep { $_ < 256 && /^\d+$/ } split(/\./, $base)) && (4 == grep { $_ < 256 && /^\d+$/ } split(/\./, $addr)) && ($bits =~ /^\d*$/ && $bits <= 32) && ((unpack("N", Socket::inet_aton($base)) >> (32 - $bits)) == (unpack ("N", Socket::inet_aton($addr)) >> (32 - $bits))) ) ? 1 : 0; } 1; __END__ =pod =head1 NAME Apache::SessionManager - mod_perl 1.0/2.0 session manager extension to manage sessions over HTTP requests =head1 SYNOPSIS In F (mod_perl 1): PerlModule Apache::SessionManager PerlTransHandler Apache::SessionManager SetHandler perl-script PerlHandler Apache::MyModule PerlSetVar SessionManagerTracking On PerlSetVar SessionManagerExpire 3600 PerlSetVar SessionManagerInactivity 900 PerlSetVar SessionManagerStore File PerlSetVar SessionManagerStoreArgs "Directory => /tmp/apache_sessions" PerlSetVar SessionManagerTracking Off In F (mod_perl 2): PerlModule Apache2 PerlModule Apache::SessionManager PerlTransHandler Apache::SessionManager SetHandler perl-script PerlResponseHandler Apache::MyModule PerlSetVar SessionManagerTracking On PerlSetVar SessionManagerExpire 3600 PerlSetVar SessionManagerInactivity 900 PerlSetVar SessionManagerStore File PerlSetVar SessionManagerStoreArgs "Directory => /tmp/apache_sessions" In a mod_perl module handler: sub handler { my $r = shift; my $session = Apache::SessionManager::get_session($r); ... } =head1 DESCRIPTION Apache::SessionManager is a mod_perl (1.0 and 2.0) module that helps session management of a web application. This module is a wrapper around L persistence framework for session data. It creates a session object and makes it available to all other handlers transparenlty by putting it in pnotes. In a mod_perl handlers you can retrieve the session object directly from pnotes with predefined key C: my $session = $r->pnotes('SESSION_MANAGER_HANDLE') ? $r->pnotes('SESSION_MANAGER_HANDLE') : (); then it is possible to set a value in current session with: $$session{'key'} = $value; # same as $session->{'key'} = $value; or it is possible to read value session with: print "$$session{'key'}"; # same as print $session->{'key'}; Apache::SessionManager is intended also to use within thirdy part packages. See L for more info. =head1 MOD_PERL 2 COMPATIBILITY Since version 1, Apache::SessionManager is fully compatible with both mod_perl generations 1.0 and 2.0. If you have mod_perl 1.0 and 2.0 installed on the same system and the two uses the same per libraries directory, to use mod_perl 2.0 version make sure to load first C module which will perform the necessary adjustements to C<@INC>: PerlModule Apache2 PerlModule Apache::SessionManager Of course, notice that if you use mod_perl 2.0, there is no need to pre-load the L compatibility layer. Versions of Apache::SessionManager less than 1.00 are mod_perl 1.0 only, so its works fine with mod_perl 2.0 only under L. =head1 API OVERVIEW Apache::SessionManager offers two kinds of interfaces: functional and object oriented. For a detailed description for the last one, see L section. The following functions are provided (but not exported) by this module: =over 4 =item Crequest)> Return an hash reference to current session object. In a mod_perl module handler: sub handler { my $r = shift; my $session = Apache::SessionManager::get_session($r); ... } In a CGI L script: my $session = Apache::SessionManager::get_session(Apache->request); =item Crequest)> Destroy the current session object. In a mod_perl module handler: sub handler { my $r = shift; ... Apache::SessionManager::destroy_session($r); ... } In a CGI L script: Apache::SessionManager::destroy_session(Apache->request); =back =head1 METHODS Apache::SessionManager also provides an object oriented interface described in this section. Apache::SessionManager subclass C<$r> Apache request object by adding following methods: =over 4 =item Crequest)> Tipically, in a mod_perl module handler: sub handler { my $r = new Apache::SessionManager(shift); ... } =item C<$r-Eget_session> Return an hash reference to current session object. my $session = $r->get_session; It is the equivalent of C functional approach. =item C<$r-Eget_session_param( $session_key,...)> Returns an array containing session values correspondent to keys passed as arguments. my @values = $r->get_session_param('foo', 'baz'); Called with no args, return all session values. In a scalar context return the stringyfied version of array. =item C<$r-Eset_session_param( %args );> Set session values: $r->set_session_param( foo => $foo, baz => \%baz ); Called with no arguments, has no effects. =item C<$r-Edelete_session_param( $session_key,...)> Delete session values: $r->delete_session_param('foo', 'baz'); Called with no arguments, has no effects. =item C<$r-Edestroy_session> Destroy the current session object. It is the equivalent of C functional approach. =back =head1 INSTALLATION In order to install and use this package you will need Perl version 5.005 or better. Prerequisites: =over 4 =item * mod_perl 1.0 or 2.0 is required (of course) with the appropriate call-back hooks (PERL_TRANS=1 PERL_HEADER_PARSER=1) =item * Apache::Session >= 0.53 is required =item * Apache::Cookie >= 0.33 (libapreq) is preferred but not required (CGI::Cookie will be used instead) =item * CGI::Cookie (used only if Apache::Request isn't installed) =back Installation as usual: % perl Makefile.PL % make % make test % su Password: ******* % make install =head1 CONFIGURATION To enable session tracking with this module you could modify F or F<.htaccess> files. =head2 Configuring via F To enable session tracking with this module via F (or any files included by the C directive) you must add the following lines: PerlModule Apache::SessionManager PerlTransHandler Apache::SessionManager PerlSetVar SessionManagerTracking On This will activate the session manager over each request. It is posibible to activate this module only in certain locations: PerlSetVar SessionManagerTracking On Also, it is possible to deactivate session management explicitly: PerlSetVar SessionManagerTracking Off B: If you want to control session management by directory, you cannot use C, but you must install the module in a phase where the mapping of URI->filename has been made. Generally C
phase is a good place: PerlModule Apache::SessionManager SetHandler perl-script PerlHandler Apache::Registry PerlSendHeader On PerlSetupEnv On Options ExecCGI PerlHeaderParserHandler Apache::SessionManager PerlSetVar SessionManagerTracking On PerlSetVar SessionManagerExpire 3600 PerlSetVar SessionManagerInactivity 900 PerlSetVar SessionManagerName REGISTRY_SESSIONID PerlSetVar SessionManagerStore File PerlSetVar SessionManagerStoreArgs "Directory => /tmp/apache_sessions" =head2 Configuring via F<.htaccess> In the case you don't have access to F or you want work with F<.htaccess> files only , you can put similar directives directly into an F<.htaccess> file: PerlHeaderParserHandler Apache::SessionManager PerlSetVar SessionManagerTracking On PerlSetVar SessionManagerExpire 3600 PerlSetVar SessionManagerInactivity 900 PerlSetVar SessionManagerName PERLSESSIONID PerlSetVar SessionManagerStore File PerlSetVar SessionManagerStoreArgs "Directory => /tmp/apache_session" PerlSetVar SessionManagerDebug 5 The only difference is that you cannot use C directive (I used C) and you must install Apache::SessionManager in C
phase of Apache request instead of C phase. =head2 Notes on using F<.htaccess> instead of F =over 4 =item * In this cases it is necessary to install Apache::SessionManager in C
phase and not into C phase (in this phase, F<.htaccess> hasn't yet been processed). =item * Using F<.htaccess>, it is possible to use only cookies for the session tracking. =back See L for more info about module configuration and use within thirdy part packages. =head1 DIRECTIVES You can control the behaviour of this module by configuring the following variables with C directive in the F (or F<.htaccess> files) =over 4 =item C On|Off This single directive enables session traking PerlSetVar SessionManagerTracking On It can be placed in server config, , , , and F<.htaccess> context. The default value is C. =item C On|Off This single directive enables session URI traking PerlSetVar SessionManagerURITracking On where the session ID is embedded in the URI. This is a possible cookieless solution to track session ID between browser and server. Please see L section below for more details. The default value is C. =item C number This single directive defines global sessions expiration time (in seconds). PerlSetVar SessionManagerExpire 900 If non set, the default value is C<3600> seconds. A C<0> explicit value means no expiration time session control, and the session will die when the user will close the browser. Because both mod_perl 1 (to 1.29) and 2 (to 1.99_11, fixed in 1.99_12-dev) has a bug which with "C", C<$-Edir_config('Foo')> return C instead of C<0>, there are the aliases C or C or C which can be used instead of C<0>: PerlSetVar SessionManagerExpire none The module put the user start session time in a special session key C<_session_start>. =item C number This single directive defines user inactivity sessions expiration time (in seconds). PerlSetVar SessionManagerInactivity 900 If not specified no user inactivity expiration policies are applied. The module put the user timestamp in a special session key C<_session_timestamp>. =item C string This single directive defines session cookie name PerlSetVar SessionManagerName PSESSID The default value is C =item C With this directive you can provide optional arguments for cookie attributes setting. The arguments are passed as comma-separated list of name/value pairs. The only attributes accepted are: =over 4 =item * Domain Set the domain for the cookie. =item * Path Set the path for the cookie. =item * Secure Set the secure flag for the cookie. =item * Expires Set expire time for the cookie. =back For instance: PerlSetVar SessionManagerCookieArgs "Path => /some-path, \ Domain => .yourdomain.com, \ Secure => 1" Please see the documentation for L or L in order to see more cookie arguments details. =item C datastore This single directive sets the session datastore used by L framework PerlSetVar SessionManagerStore File The following datastore plugins are available with L distribution: =over 4 =item * File Sessions are stored in file system =item * MySQL Sessions are stored in MySQL database =item * Postgres Sessions are stored in Postgres database =item * Sybase Sessions are stored in Sybase database =item * Oracle Sessions are stored in Oracle database =item * DB_File Sessions are stored in DB files =back In addition to datastore plugins shipped with L, you can pass the modules you want to use as arguments to the store constructor. The Apache::Session::Whatever part is appended for you: you should not supply it. If you wish to use a module of your own making, you should make sure that it is available under the L package namespace. For example: PerlSetVar SessionManagerStore SharedMem in order to use L to store sessions in RAM (but you must install L before!) The default value is C. =item C Null|MySQL|Semaphore|File This single directive set lock manager for L. The default value is C. =item C MD5|ModUniqueId|ModUsertrack This single directive set session ID generator for L. The default value is C. =item C Storable|Base64|UUEncode This single directive set serializer for L. The default value is C. =item C With this directive you must provide whatever arguments are expected by the backing store and lock manager that you've chosen. The arguments are passed as comma-separated list of name/value pairs. For instance if you use File for your datastore, you need to pass store and lock directories: PerlSetVar SessionManagerStoreArgs "Directory => /tmp/apache_sessions, \ LockDirectory => /tmp/apache_sessions/lock" If you use MySQL for your datastore, you need to pass database connection informations: PerlSetVar SessionManagerStoreArgs "DataSource => dbi:mysql:sessions, \ UserName => user, \ Password => password" Please see the documentation for store/lock modules in order to pass right arguments. =item C string|regex This single directive defines the exclusion string. For example: PerlSetVar SessionManagerItemExclude exclude_string All the HTTP requests containing the 'exclude_string' string in the URI will be declined. Also is possible to use regex: PerlSetVar SessionManagerItemExclude "\.m.*$" and all the request (URI) ending by ".mpeg", ".mpg" or ".mp3" will be declined. If C isn't defined, the default value is: C<(\.gif|\.jpe?g|\.png|\.mpe?g|\.css|\.js|\.txt|\.mp3|\.wav|\.swf|\.avi|\.au|\.ra?m)$> B If you want process each request, you can set C with: PerlSetVar SessionManagerItemExclude "^$" =item C This directive allows to define HTTP headers contents in order to decline requests that match them. For example: PerlSetVar SessionManagerHeaderExclude "User-Agent => SomeBot" All the HTTP requests containing the 'SomeBot' string in the HTTP C header will be declined. Also is possible to use regex: PerlSetVar SessionManagerHeaderExclude "User-Agent => SomeBot\s*/\*\d+\.\d+" All HTTP headers are available (case sensitive) to use in the exclusion rules. In order to set more than one rule you must use C directive: PerlSetVar SessionManagerHeaderExclude "User-Agent => SomeBot\s*/\*\d+\.\d+" PerlAddVar SessionManagerHeaderExclude "User-Agent => GoogleBot" PerlAddVar SessionManagerHeaderExclude "Referer => ^http:\/\/some\.host\.com" Why could be useful to decline request based on HTTP headers check? If you store session ID in the URI, this prevent bot search engines to index URL with the session ID. =item C IP-list Matchs client IP addresses against IP list and declines request. It's possible to set an IP address and optionally a bitmask: 233.76.193.0/24 233.76.193.1/32 (or simply 233.76.193.1) For example: PerlSetVar SessionManagerIPExclude "127.0.0.0/8 192.168.0.0/16 195.31.218.3" Note that since C<1.03> Apache::SessionManager version, non dotted-quad IP will be skipped. =item C On|Off Sets the C environment variable with the current (valid) session ID: PerlSetVar SessionManagerSetEnv On It makes session ID available to CGI scripts for use in absolute links or redirects. The default value is C. To retrieve the C environment variabile you can do, for instance: =over =item * mod_perl print $r->subprocess_env('SESSION_MANAGER_SID'); =item * CGI print $ENV{'SESSION_MANAGER_SID'}; =item * Server Side Includes =back =item C level This single directive set debug level. PerlSetVar SessionManagerDebug 3 If greather than zero, debug informations will be print to STDERR. The default value is C<0> (no debug information will be print). =item C On|Off This single directive enable mod_backhand sticky session load balancing support. Someone asked me this feature, so I've added it. PerlSetVar SessionManagerEnableModBackhand On A few words on mod_backhand. mod_backhand is a load balancing Apache module. mod_backhand can attempt to find a cookie in order to hex decodes the first 8 bytes of its content into an IPv4 style IP address. It will attempt to find this IP address in the list of candidates and if it is found it will make the server in question the only remaining candidate. This can be used to implement sticky user sessions -- where a given user will always be delivered to the same server once a session has been established. Simply turning on this directive, you add hex IP address in front to session_id. See mod_backhand docs for more details (L). The default value is C. =back =head1 URI TRACKING NOTES There are some considerations and issues in order to use the session ID embedded in the URI. In fact, this is a possible cookieless solution to track session ID between browser and server. If you enable session ID URI tracking you must place all the C directives you need in server config context (that is outside of or sections) otherwise the handler will not work for these requests. The reason of this is that the URI will be rewrite with session ID on the left and all that you've defined will match no longer. Alternatively it is possible to use section. For instance: PerlModule Apache::SessionManager PerlTransHandler Apache::SessionManager SetHandler perl-script PerlHandler MyModule PerlSetVar SessionManagerTracking On PerlSetVar SessionManagerURITracking On PerlSetVar SessionManagerStore File PerlSetVar SessionManagerStoreArgs "Directory => /tmp/apache_sessions" to match also URI with embedded session ID. Another issue is if you use a front-end/middle-end architecture with a reverse proxy front-end server in front (for static content) and a mod_perl enabled server in middle tier to serve dynamic contents. If you use Apache as reverse proxy it became impossible to set the ProxyPass directive either because it can be palced only in server config and/or context, either because it isn't support for regex to match session ID embedded in the URI. In this case, you can use the proxy support available via the C Apache module by putting in front-end server's F: ProxyPass /my-app-dir http://middle-end.server.com:9000/my-app-dir ProxyPassReverse / http://middle-end.server.com:9000/ RewriteEngine On RewriteRule (^/([0-9a-h]+/)?my-app-dir.*) http://middle-end.server.com:9000$1 [P,L] Take careful to make all links to static content as non relative link (use "http://myhost.com/images/foo.gif" or "/images/foo.gif") or the rewrite engine will proxy these requests to mod_perl server. =head1 EXAMPLES This is a simple mod_perl handler F: package Apache::MyModule; use strict; use Apache::Constants qw(:common); sub handler { my $r = shift; # retrieve session my $session = Apache::SessionManager::get_session($r); # set a value in current session $$session{'key'} = "some value"; # same as $session->{'key'} = "some value"; # read value session print $$session{'key'}; # same as print $session->{'key'}; # destroy session explicitly Apache::SessionManager::destroy_session($r); ... return OK; } and the correspondent configuration lines in F: PerlModule Apache::SessionManager PerlTransHandler Apache::SessionManager SetHandler perl-script PerlHandler Apache::MyModule PerlSetVar SessionManagerTracking On PerlSetVar SessionManagerExpire 3600 PerlSetVar SessionManagerInactivity 900 PerlSetVar SessionManagerStore File PerlSetVar SessionManagerStoreArgs "Directory => /tmp/apache_sessions" See also F directory of this distribution for more examples used in Apache live tests. =head1 TODO =over 4 =item * Use Apache::Test instead of Apache::testold for testing =item * Add the possibility of auto-switch session ID tracking from cookie to URI in cookieless situation. =item * Add the query string param support (other than cookie and URI) to track session ID between browser and server. =item * Include into the distro the session cleanup script (the scripts I use for cleanup actually) =item * Embed the cleanup policies not in a external scripts but in a register_cleanup method =item * Test, test ,test ;-) =back =head1 AUTHORS Enrico Sorcinelli =head1 THANKS A particular thanks to Greg Cope for freeing Apache::SessionManager namespace from his RFC (October 2000). His SessionManager project can be found at http://sourceforge.net/projects/sessionmanager =head1 BUGS This library has been tested by the author with Perl versions 5.005, 5.6.x and 5.8.x on different platforms: Linux 2.2 and 2.4, Solaris 2.6 and 2.7 and Windows 98/XP. Please submit bugs to CPAN RT system at http://rt.cpan.org/NoAuth/ReportBug.html?Queue=Apache-SessionManager or by email at bug-apache-sessionmanager@rt.cpan.org Patches are welcome and I'll update the module if any problems will be found. =head1 VERSION Version 1.03 =head1 SEE ALSO L, L, L, L, L, L, L, perl(1) =head1 COPYRIGHT AND LICENSE Copyright (C) 2001-2004 Enrico Sorcinelli. All rights reserved. This program is free software; you can redistribute it and/or modify it under the same terms as Perl itself. =cut