view release on metacpan or  search on metacpan

ASP.pm  view on Meta::CPAN

This configuration setting may be changed in production
as the state database's serializer type is stored
in the internal state manager which will always use 
Data::Dumper & SDBM_File to store data.

  PerlSetVar StateSerializer Data::Dumper

=head2 Sessions

=item CookiePath

URL root that client responds to by sending the session cookie.
If your asp application falls under the server url "/asp", 
then you would set this variable to /asp.  This then allows
you to run different applications on the same server, with
different user sessions for each application.

  PerlSetVar CookiePath /   

=item CookieDomain

Default 0, this NON-PORTABLE configuration will allow sessions to span
multiple web sites that match the same domain root.  This is useful if
your web sites are hosted on the same machine and can share the same
StateDir configuration, and you want to shared the $Session data 
across web sites.  Whatever this is set to, that will add a 

  ; domain=$CookieDomain

part to the Set-Cookie: header set for the session-id cookie.

  PerlSetVar CookieDomain .your.global.domain

=item SessionTimeout

Default 20 minutes, when a user's session has been inactive for this
period of time, the Session_OnEnd event is run, if defined, for 
that session, and the contents of that session are destroyed.

  PerlSetVar SessionTimeout 20 

=item SecureSession

default 0.  Sets the secure tag for the session cookie, so that the cookie
will only be transmitted by the browser under https transmissions.

  PerlSetVar SecureSession 1

=item HTTPOnlySession

default 0. Sets HttpOnly flag to session cookie to mitigate XSS attacks.
Supported by most modern browsers, it only allows access to the
session cookie by the server (ie NOT Javascript)

  PerlSetVar HTTPOnlySession 1

=item ParanoidSession

default 0.  When true, stores the user-agent header of the browser 
that creates the session and validates this against the session cookie presented.
If this check fails, the session is killed, with the rationale that 
there is a hacking attempt underway.

This config option was implemented to be a smooth upgrade, as
you can turn it off and on, without disrupting current sessions.  
Sessions must be created with this turned on for the security to take effect.

This config option is to help prevent a brute force cookie search from 
being successful. The number of possible cookies is huge, 2^128, thus making such
a hacking attempt VERY unlikely.  However, on the off chance that such
an attack is successful, the hacker must also present identical
browser headers to authenticate the session, or the session will be
destroyed.  Thus the User-Agent acts as a backup to the real session id.
The IP address of the browser cannot be used, since because of proxies,
IP addresses may change between requests during a session.

There are a few browsers that will not present a User-Agent header.
These browsers are considered to be browsers of type "Unknown", and 
this method works the same way for them.

Most people agree that this level of security is unnecessary, thus
it is titled paranoid :)

  PerlSetVar ParanoidSession 0

=item SessionSerialize

default 0, if true, locks $Session for duration of script, which
serializes requests to the $Session object.  Only one script at
a time may run, per user $Session, with sessions allowed.

Serialized requests to the session object is the Microsoft ASP way, 
but is dangerous in a production environment, where there is risk
of long-running or run-away processes.  If these things happen,
a session may be locked for an indefinite period of time.  A user
STOP button should safely quit the session however.

  PerlSetVar SessionSerialize 0

=item SessionCount

default 0, if true enables the $Application->SessionCount API
which returns how many sessions are currently active in 
the application.  This config was created 
because there is a performance hit associated with this
count tracking, so it is disabled by default.

  PerlSetVar SessionCount 1

=head2 Cookieless Sessions

=item SessionQueryParse

default 0, if true, will automatically parse the $Session
session id into the query string of each local URL found in the 
$Response buffer.  For this setting to work therefore, 
buffering must be enabled.  This parsing will only occur
when a session cookie has not been sent by a browser, so the 
first script of a session enabled site, and scripts viewed by 
web browsers that have cookies disabled will trigger this behavior.

ASP.pm  view on Meta::CPAN

   embedded in the HTML, instead of & for proper HTML generation.
   Thanks to Peter Galbavy for pointing out and Thanos Chatziathanassiou
   for suggesting the fix.

 - $Response->{ContentType} set to text/html for developer error reporting,
   in case this was set to something else before the error occured.
   Thanks to Philip Mak for reporting.

 - Couple of minor bug fixes under PerlWarn use, thanks Peter Galbavy
   for reporting.

 + Added automatic load of "use Apache2" for compat with mod_perl2 
   request objects when Apache::ASP is loaded via "PerlModule Apache::ASP"
   Thanks to Richard Curtis for reporting bug & subsequent testing.

 - When GlobalPackage config changes, but global.asa has not, global.asa
   will be recompiled anyway to update the GlobalPackage correctly.
   Changing GlobalPackage before would cause errors if global.asa was
   already compiled.

 ++ For ANY PerlSetVar type config, OFF/Off/off will be assumed 
    to have value of 0 for that setting.  Before, only a couple settings
    had this semantics, but they all do now for consistency.

 - Fix for InodeNames config on OpenBSD, or any OS that might have
   a device # of 0 for the file being stat()'d, thanks to Peter Galbavy
   for bug report.

 ++ Total XSLT speedups, 5-10% on large XSLT, 10-15% on small XSLT

 + bypass meta data check like expires for XSLT Cache() API use
   because XSLT tranformations don't expire, saves hit to cache dbm
   for meta data

 + use of direct Apache::ASP::State methods like FETCH/STORE
   in Cache() layer so we don't have to go through slower tied interface.
   This will speed up XSLT & and include output caching mostly.

 + minor optimizations for speed & memory usage

=item $VERSION = 2.49; $DATE="11/10/2002"

 -- bug introduced in 2.47 cached script compilations for executing
    scripts ( not includes ) of the same name in different directories
    for the same Global/GlobalPackage config for an application.
    Fix was to remove optimization that caused problem, and
    created test case t/same_name.t to cover bug.

=item $VERSION = 2.47; $DATE="11/06/2002"

 ++ Runtime speed enhancements for 15-20% improvement including:
   + INTERNAL API ReadFile() now returns scalar ref as memory optimization
   + cache InodeNames config setting in ASP object now for common lookups
   + removed CompileChecksum() INTERNAL API, since it was an unnecesary
     method decomposition along a common code path
   + removed IsChanged() INTERNAL API since compiling of scripts
     is now handled by CompileInclude() which does this functionality already
   + removed unnecessary decomp of IncludesChanged() INTERNAL API, which was along
     critical code path
   + do not call INTERNAL SearchDirs() API when compiling base script
     since we have already validated its path earlier
   + Use stat(_) type shortcut for stat() & -X calls where possible
   + Moved @INC initilization up to handler() & consolidated with $INCDir lib
   + removed useless Apache::ASP::Collection::DESTROY
   + removed useless Apache::ASP::Server::DESTROY
   + removed useless Apache::ASP::GlobalASA::DESTROY
   + removed useless Apache::ASP::Response::DESTROY

 - Default path for $Response->{Cookies} was from CookiePath
   config, but this was incorrect as CookiePath config is only
   for $Session cookie, so now path for $Response->{Cookies}
   defaults to /

 - Fixed bug where global.asa events would get undefined with
   StatINC and GlobalPackage set when the GlobalPackage library
   changed & get reloaded.

 (d) Documented long time config NoCache.

 -- Fixed use with Apache::Filter, capable as both source
    and destination filter.  Added ./site/eg/filter.filter example
    to demonstrate these abilities.

 + Use $r->err_headers_out->add Apache::Table API for cookies 
   now instead of $r->cgi_header_out.  Added t/cookies.t test to 
   cover new code path as well as general $Response->Cookies API.
   Also make cookies headers sorted by cookie and dictionary key 
   while building headers for repeatable behavior, this latter was 
   to facilitate testing.

 - fixed $Server->Mail error_log output when failing to connect
   to SMTP server.

 + added tests to cover UniquePackages & NoCache configs since this
   config logic was updated

 + made deprecated warnings for use of certain $Response->Member
   calls more loudly write to error_log, so I can remove the AUTOLOAD
   for Response one day

 - Probably fixed behavior in CgiHeaders, at least under perl 5.8.0, and
   added t/cgi_headers.t to cover this config.

 + removed $Apache::ASP::CompressGzip setting ability, used to possibly
   set CompressGzip in the module before, not documented anyway

 + removed $Apache::ASP::Filter setting ability to set Filter globally, 
   not documented anyway

 + removed old work around for setting ServerStarting to 0
   at runtime, which was bad for Apache::DBI on win32 a long
   time ago:

    $Apache::ServerStarting and $Apache::ServerStarting = 0;

   If this code is still needed in Apache::ASP->handler() let
   me know.

 + check to make sure data in internal database is a HASH ref
   before using it for session garbage collection.  This is to
   help prevent against internal database corruption in a