Apache-ASP
view release on metacpan or search on metacpan
If your asp application falls under the server url "/asp",
then you would set this variable to /asp. This then allows
you to run different applications on the same server, with
different user sessions for each application.
PerlSetVar CookiePath /
=item CookieDomain
Default 0, this NON-PORTABLE configuration will allow sessions to span
multiple web sites that match the same domain root. This is useful if
your web sites are hosted on the same machine and can share the same
StateDir configuration, and you want to shared the $Session data
across web sites. Whatever this is set to, that will add a
; domain=$CookieDomain
part to the Set-Cookie: header set for the session-id cookie.
PerlSetVar CookieDomain .your.global.domain
=item SessionTimeout
Default 20 minutes, when a user's session has been inactive for this
period of time, the Session_OnEnd event is run, if defined, for
that session, and the contents of that session are destroyed.
PerlSetVar SessionTimeout 20
=item SecureSession
default 0. Sets the secure tag for the session cookie, so that the cookie
will only be transmitted by the browser under https transmissions.
PerlSetVar SecureSession 1
=item HTTPOnlySession
default 0. Sets HttpOnly flag to session cookie to mitigate XSS attacks.
Supported by most modern browsers, it only allows access to the
session cookie by the server (ie NOT Javascript)
PerlSetVar HTTPOnlySession 1
=item ParanoidSession
default 0. When true, stores the user-agent header of the browser
that creates the session and validates this against the session cookie presented.
If this check fails, the session is killed, with the rationale that
there is a hacking attempt underway.
This config option was implemented to be a smooth upgrade, as
you can turn it off and on, without disrupting current sessions.
Sessions must be created with this turned on for the security to take effect.
This config option is to help prevent a brute force cookie search from
being successful. The number of possible cookies is huge, 2^128, thus making such
a hacking attempt VERY unlikely. However, on the off chance that such
an attack is successful, the hacker must also present identical
browser headers to authenticate the session, or the session will be
destroyed. Thus the User-Agent acts as a backup to the real session id.
The IP address of the browser cannot be used, since because of proxies,
IP addresses may change between requests during a session.
There are a few browsers that will not present a User-Agent header.
These browsers are considered to be browsers of type "Unknown", and
this method works the same way for them.
Most people agree that this level of security is unnecessary, thus
it is titled paranoid :)
PerlSetVar ParanoidSession 0
=item SessionSerialize
default 0, if true, locks $Session for duration of script, which
serializes requests to the $Session object. Only one script at
a time may run, per user $Session, with sessions allowed.
Serialized requests to the session object is the Microsoft ASP way,
but is dangerous in a production environment, where there is risk
of long-running or run-away processes. If these things happen,
a session may be locked for an indefinite period of time. A user
STOP button should safely quit the session however.
PerlSetVar SessionSerialize 0
=item SessionCount
default 0, if true enables the $Application->SessionCount API
which returns how many sessions are currently active in
the application. This config was created
because there is a performance hit associated with this
count tracking, so it is disabled by default.
PerlSetVar SessionCount 1
=head2 Cookieless Sessions
=item SessionQueryParse
default 0, if true, will automatically parse the $Session
session id into the query string of each local URL found in the
$Response buffer. For this setting to work therefore,
buffering must be enabled. This parsing will only occur
when a session cookie has not been sent by a browser, so the
first script of a session enabled site, and scripts viewed by
web browsers that have cookies disabled will trigger this behavior.
Although this runtime parsing method is computationally
expensive, this cost should be amortized across most users
that will not need this URL parsing. This is a lazy programmer's
dream. For something more efficient, look at the SessionQuery
setting. For more information about this solution, please
read the SESSIONS section.
PerlSetVar SessionQueryParse 0
=item SessionQueryParseMatch
default 0, set to a regexp pattern that matches all URLs that you
the client may see a 50% to 90% reduction in HTML output.
I have seen 40K of HTML squeezed down to just under 6K.
This will come at a 5%-20% hit to CPU usage per request
compressed.
Note there are some cases when a browser says it will accept
gzip encoding, but then not render it correctly. This
behavior has been seen with IE5 when set to use a proxy but
not using a proxy, and the URL does not end with a .html or .htm.
No work around has yet been found for this case so use at your
own risk.
PerlSetVar CompressGzip 1
=item FormFill
default 0, if true will auto fill HTML forms with values
from $Request->Form(). This functionality is provided
by use of HTML::FillInForm. For more information please
see "perldoc HTML::FillInForm", and the
example ./site/eg/formfill.asp.
This feature can be enabled on a per form basis at runtime
with $Response->{FormFill} = 1
PerlSetVar FormFill 1
=item TimeHiRes
default 0, if set and Time::HiRes is installed, will do
sub second timing of the time it takes Apache::ASP to process
a request. This will not include the time spent in the
session manager, nor modperl or Apache, and is only a
rough approximation at best.
If Debug is set also, you will get a comment in your
HTML output that indicates the time it took to process
that script.
If system debugging is set with Debug -1 or -2, you will
also get this time in the Apache error log with the
other system messages.
=head2 Mail Administration
Apache::ASP has some powerful administrative email
extensions that let you sleep at night, knowing full well
that if an error occurs at the web site, you will know
about it immediately. With these features already enabled,
it was also easy to provide the $Server->Mail(\%mail) API
extension which you can read up about in the OBJECTS section.
=item MailHost
The mail host is the smtp server that the below Mail* config directives
will use when sending their emails. By default Net::SMTP uses
smtp mail hosts configured in Net::Config, which is set up at
install time, but this setting can be used to override this config.
The mail hosts specified in the Net::Config file will be used as
backup smtp servers to the MailHost specified here, should this
primary server not be working.
PerlSetVar MailHost smtp.yourdomain.com.foobar
=item MailFrom
Default NONE, set this to specify the default mail address placed
in the From: mail header for the $Server->Mail() API extension,
as well as MailErrorsTo and MailAlertTo.
PerlSetVar MailFrom youremail@yourdomain.com.foobar
=item MailErrorsTo
No default, if set, ASP server errors, error code 500, that result
while compiling or running scripts under Apache::ASP will automatically
be emailed to the email address set for this config. This allows
an administrator to have a rapid response to user generated server
errors resulting from bugs in production ASP scripts. Other errors, such
as 404 not found will be handled by Apache directly.
An easy way to see this config in action is to have an ASP script which calls
a die(), which generates an internal ASP 500 server error.
The Debug config of value 2 and this setting are mutually exclusive,
as Debug 2 is a development setting where errors are displayed in the browser,
and MailErrorsTo is a production setting so that errors are silently logged
and sent via email to the web admin.
PerlSetVar MailErrorsTo youremail@yourdomain.com
=item MailAlertTo
The address configured will have an email sent on any ASP server error 500,
and the message will be short enough to fit on a text based pager. This
config setting would be used to give an administrator a heads up that a www
server error occurred, as opposed to MailErrorsTo would be used for debugging
that server error.
This config does not work when Debug 2 is set, as it is a setting for
use in production only, where Debug 2 is for development use.
PerlSetVar MailAlertTo youremail@yourdomain.com
=item MailAlertPeriod
Default 20 minutes, this config specifies the time in minutes over
which there may be only one alert email generated by MailAlertTo.
The purpose of MailAlertTo is to give the admin a heads up that there
is an error at the www server. MailErrorsTo is for to aid in speedy
debugging of the incident.
PerlSetVar MailAlertPeriod 20
=head2 File Uploads
=item FileUploadMax
default 0, if set will limit file uploads to this
size in bytes. This is currently implemented by
--$rv = $Response->Include({ File => ..., Cache => 1});
now works to get the first returned value fetched from
the cache. Before, because a list was always returned,
$rv would have been equal to the number of items returned,
even if the return value list has just one element.
(d) added site/robots.txt file with just a comment for
search engine indexing
-fixed ./site/eg/binary_write.htm to not use
$Response->{ContentLength} because it does not exist.
Fixed it to use $Response->AddHeader now instead
=item $VERSION = 2.41; $DATE="09/29/2002"
-Removed CVS Revision tag from Apache::ASP::Date, which
was causing bad revision numbers in CPAN after CVS integration
of Apache::ASP
+removed cgi/asp link to ../asp-perl from distribution. This
link was for the deprecated asp script which is now asp-perl
=item $VERSION = 2.39; $DATE="09/10/2002"
-Turn off $^W explicitly before reloading global.asa. Reloading
global.asa when $^W is set will trigger subroutine redefinition
warnings. Reloading global.asa should occur without any problems
under normal usage of the system, thus this work around.
This fix is important to UseStrict functionality because warnings
automatically become thrown as die() errors with UseStrict enabled,
so we have to disable normal soft warnings here.
-$Response->Include() runtime errors now throw a die() that
can be trapped. This was old functionality that has been restored.
Other compile time errors should still trigger a hard error
like script compilation, global.asa, or $Response->Include()
without an eval()
+Some better error handling with Debug 3 or -3 set, cleaned
up developer errors messages somewhat.
=item $VERSION = 2.37; $DATE="07/03/2002"
-Fixed the testing directory structures for t/long_names.t
so that tar software like Archive::Tar & Solaris tar that
have problems with long file names will still be able
to untar distribution successfully. Now t/long_names.t
generates its testing directory structures at runtime.
-Fixes for "make test" to work under perl 5.8.0 RC2,
courtesy of Manabu Higashida
+SessionQueryForce setting created for disabling use of cookies
for $Session session-id passing, rather requiring use of SessionQuery*
functionality for session-id passing via URL query string.
By default, even when SessionQuery* options are used, cookies will
be used if available with SessionQuery* functionality acting only
as a backup, so this makes it so that cookies will never be used.
+Escape ' with HTMLEncode() to '
-Trying to fix t/server_mail.t to work better for platforms
that it should skip testing on. Updated t/server.t test case.
+Remove exit() from Makefile.PL so CPAN.pm's automatic
follow prereq mechanism works correctly. Thanks to Slaven Rezic
for pointing this out.
+Added Apache::compat loading in mod_perl environment for better
mod_perl 2.0 support.
=item $VERSION = 2.35; $DATE="05/30/2002"
+Destroy better $Server & $Response objects so that my
closure references to these to not attempt to work in the future
against invalid internal data. There was enough data left in these
old objects to make debugging the my closure problem confusing, where
it looked like the ASP object state became invalid.
+Added system debug diagnostics to inspect StateManager group cleanup
(d) Documentation update about flock() work around for
Win95/Win98/WinMe systems, confirmed by Rex Arul
(d) Documentation/site build bug found by Mitsunobu Ozato,
where <% %> not being escaped correctly with $Server->HTMLEncode().
New japanese documentation project started by him
at http://sourceforge.jp/projects/apache-asp-jp/
-InitPackageGlobals() called after new Apache::ASP object created so
core system templates can be compiled even when there was a runtime
compilation error of user templates. Bug fix needed pointed out by
Eamon Daly
=item $VERSION = 2.33; $DATE="04/29/2002"
- fixed up t/server_mail.t test to skip if a sendmail server
is not available on localhost. We only want the test to run
if there is a server to test against.
+ removed cgi/asp script, just a symlink now to the ./asp-perl script
which in this way deprecates it. I had it hard linked, but the
distribution did not untar very well on win32 platform.
+ Reordered the modules in Bundle::Apache::ASP for a cleaner install.
- Fixed bug where XMLSubs where removing <?xml version ... ?> tag
when it was needed in XSLT mode.
+ $Server->Mail({ CC => '...', BCC => '...' }), now works to send
CC & BCC headers/recipients.
+ Removed $Apache::ASP::Register definition which defined the current
executing Apache::ASP object. Only one part of the application was
using it, and this has been fixed. This would have been an unsafe
use of globals for a threaded environment.
+ Decreased latency when doing Application_OnStart, used to sleep(1)
compilation time.
+String optimization on internal rendering that avoids
unnecessary copying of static html, by using refs. Should
make a small difference on sites with large amounts of
static html.
+CompressGzip setting which, when Compress::Zlib is installed,
will compress text/html automatically going out to the web
browser if the client supports gzip encoding.
++Script_OnFlush event handler, and auxiliary work optimizing
asp events in general. $Response->{BinaryRef} created which
is a reference to outgoing output, which can be used
to modify the data at runtime before it goes out to the client.
+Some code optimizations that boost speed from 22 to 24
hits per second when using Sessions without $Application,
on a simple hello world benchmark on a WinNT PII300.
++Better SessionManagement, more aware of server farms that
don't have reliable NFS locking. The key here is to have only
one process on one server in charge of session garbage collection
at any one time, and try to create this situation with a snazzy
CleanupMaster routine. This is done by having a process register
itself in the internal database with a server key created at
apache start time. If this key gets stale, another process can
become the master, and this period will not exceed the period
SessionTimeout / StateManager.
** Work on session manager sponsored by LRN, http://www.lrn.com. **
** This work was used to deploy a server farm in production with **
** NFS mounted StateDir. Thanks to Craig Samuel for his belief in **
** open source. :) **
Future work for server farm capabilities might include breaking
up the internal database into one of 256 internal databases
hashed by the first 2 chars of the session id. Also on the plate
is Apache::Session like abilities with locking and/or data storage
occuring in a SQL database. The first dbs to be done will include
MySQL & Oracle.
+Better session security which will create a new session id for an
incoming session id that does not match one already seen. This will
help for those with Search engines that have bookmarked
pages with the session ids in the query strings. This breaks away
from standard ASP session id implementation which will automatically
use the session id presented by the browser, now a new session id will
be returned if the presented one is invalid or expired.
-$Application->GetSession will only return a session if
one already existed. It would create one before by default.
+Script_OnFlush global.asa event handler, and $Response->{BinaryRef}
member which is a scalar reference to the content about to be flushed.
See ./site/eg/global.asa for example usage, used in this case to
insert font tags on the fly into the output.
+Highlighting and linking of line error when Debug is set to 2 or -2.
--removed fork() call from flock() backup routine? How did
that get in there? Oh right, testing on Win32. :(
Very painful lesson this one, sorry to whom it may concern.
+$Application->SessionCount support turned off by default
must enable with SessionCount config option. This feature
puts an unnecessary load on busy sites, so not default
behavior now.
++XMLSubsMatch setting that allows the developer to
create custom tags XML style that execute perl subroutines.
See ./site/eg/xml_subs.asp
+MailFrom config option that defaults the From: field for
mails sent via the Mail* configs and $Server->Mail()
+$Server->Mail(\%mail, %smtp_args) API extension
+MailErrorsTo & MailAlertTo now can take comma
separated email addresses for multiple recipients.
-tracking of subroutines defined in scripts and includes so
StatINC won't undefine them when reloading the GlobalPackage,
and so an warning will be logged when another script redefines
the same subroutine name, which has been the bane of at least
a few developers.
-Loader() will now recompile dynamic includes that
have changed, even if main including script has not.
This is useful if you are using Loader() in a
PerlRestartHandler, for reloading scripts when
gracefully restarting apache.
-Apache::ASP used to always set the status to 200 by
default explicitly with $r->status(). This would be
a problem if a script was being used to as a 404
ErrorDocument, because it would always return a 200 error
code, which is just wrong. $Response->{Status} is now
undefined by default and will only be used if set by
the developer.
Note that by default a script will still return a 200 status,
but $Response->{Status} may be used to override this behavior.
+$Server->Config($setting) API extension that allows developer
to access config settings like Global, StateDir, etc., and is a
wrapper around Apache->dir_config($setting)
+Loader() will log the number of scripts
recompiled and the number of scripts checked, instead
of just the number of scripts recompiled, which is
misleading as it reports 0 for child httpds after
a parent fork that used Loader() upon startup.
-Apache::ASP->Loader() would have a bad error if it didn't load
any scripts when given a directory, prints "loaded 0 scripts" now
=item $VERSION = 0.18; $DATE="02/03/2000";
+Documented SessionQuery* & $Server->URL() and
cleaned up formatting some, as well as redoing
( run in 1.267 second using v1.01-cache-2.11-cpan-df04353d9ac )