Apache-ASP


site/config.html  view on Meta::CPAN

			<td valign=top >
			<font face="lucida console" size=-1>
			<a href=#InodeNames>InodeNames</a>
			</font>
			</td>
							
		</tr>
		
		<tr>
		
			<td valign=top bgcolor=#005196>
			<font face="lucida console" size=-1>
			<font color=white><b><a href=#Sessions><font color=white>Sessions</font></a></b></font>
			</font>
			</td>
		
			<td valign=top >
			<font face="lucida console" size=-1>
			<a href=#RequestParam25a784ba>RequestParams</a>
			</font>
			</td>
							
		</tr>
		
		<tr>
		
			<td valign=top >
			<font face="lucida console" size=-1>
			<a href=#CookiePath>CookiePath</a>
			</font>
			</td>
		
			<td valign=top >
			<font face="lucida console" size=-1>
			<a href=#RequestBinarc4419e4b>RequestBinaryRead</a>
			</font>
			</td>
							
		</tr>
		
		<tr>
		
			<td valign=top >
			<font face="lucida console" size=-1>
			<a href=#CookieDomain>CookieDomain</a>
			</font>
			</td>
		
			<td valign=top >
			<font face="lucida console" size=-1>
			<a href=#StatINC>StatINC</a>
			</font>
			</td>
							
		</tr>
		
		<tr>
		
			<td valign=top >
			<font face="lucida console" size=-1>
			<a href=#SessionTimeo21fc354e>SessionTimeout</a>
			</font>
			</td>
		
			<td valign=top >
			<font face="lucida console" size=-1>
			<a href=#StatINCMatch>StatINCMatch</a>
			</font>
			</td>
							
		</tr>
		
		<tr>
		
			<td valign=top >
			<font face="lucida console" size=-1>
			<a href=#SecureSessio77114c01>SecureSession</a>
			</font>
			</td>
		
			<td valign=top >
			<font face="lucida console" size=-1>
			<a href=#StatScripts>StatScripts</a>
			</font>
			</td>
							
		</tr>
		
		<tr>
		
			<td valign=top >
			<font face="lucida console" size=-1>
			<a href=#HTTPOnlySess63d4d37d>HTTPOnlySession</a>
			</font>
			</td>
		
			<td valign=top >
			<font face="lucida console" size=-1>
			<a href=#SoftRedirect>SoftRedirect</a>
			</font>
			</td>
							
		</tr>
		
		<tr>
		
			<td valign=top >
			<font face="lucida console" size=-1>
			<a href=#ParanoidSess9085f1d5>ParanoidSession</a>
			</font>
			</td>
		
			<td valign=top >
			<font face="lucida console" size=-1>
			<a href=#Filter>Filter</a>
			</font>
			</td>
							
		</tr>
		
		<tr>

site/config.html  view on Meta::CPAN

be created.  Use this for a performance increase.  Please note that 
this setting takes precedence over the AllowSessionState and
AllowApplicationState settings.
<font face="courier new" size=3><pre>
  PerlSetVar NoState 0
</pre></font>
	
	<p>
	<a name=AllowSession471aaf40></a>
	<font face=verdana><font class=title size=-1 color=#555555><b>AllowSessionState</b></font>
<font face="courier new" size=3><pre>
</pre></font>Set to 0 for no session tracking; the default is 1.
If session tracking is turned off, performance improves,
but the $Session object is inaccessible.
<font face="courier new" size=3><pre>
  PerlSetVar AllowSessionState 1    
</pre></font>Note that if you want to disallow session creation
for certain non-web-browser user agents, like search engine
spiders, you can use an init handler like:
<font face="courier new" size=3><pre>
  PerlInitHandler &quot;sub { $_[0]-&gt;dir_config(&#39;AllowSessionState&#39;, 0) }&quot;
</pre></font>
	
	<p>
	<a name=AllowApplica55cb396b></a>
	<font face=verdana><font class=title size=-1 color=#555555><b>AllowApplicationState</b></font>
<font face="courier new" size=3><pre>
</pre></font>Default 1.  If you want to leave $Application undefined, then set this
to 0, for a performance increase of around 2-3%.  Allowing use of 
$Application is less expensive than $Session, as there is more
work for the StateManager associated with $Session garbage collection,
so this parameter should only be used for extreme tuning.
<font face="courier new" size=3><pre>
  PerlSetVar AllowApplicationState 1
</pre></font>
	
	<p>
	<a name=StateDir></a>
	<font face=verdana><font class=title size=-1 color=#555555><b>StateDir</b></font>
<font face="courier new" size=3><pre>
</pre></font>Default $Global/.state.  State files for the ASP application go to 
this directory.  Where the state files go is the most important
determinant of what makes a unique ASP application.  Different
configs pointing to the same StateDir are part of the same
ASP application.
<font face="courier new" size=3><pre>
</pre></font>The default has not changed since implementing this config directive.
The reason for this config option is to allow operating systems with caching
file systems like Solaris to specify a state directory separately
from the Global directory, which contains more permanent files.
This way one may point StateDir to /tmp/myaspapp, and make one&#39;s ASP
application scream with speed.
<font face="courier new" size=3><pre>
  PerlSetVar StateDir ./.state
</pre></font>
	
	<p>
	<a name=StateManager></a>
	<font face=verdana><font class=title size=-1 color=#555555><b>StateManager</b></font>
<font face="courier new" size=3><pre>
</pre></font>Default 10.  This number specifies the number of times per SessionTimeout
that timed-out sessions are garbage collected.  The bigger the number,
the slower your system, but the more precisely the Session_OnEnd events
from global.asa are run (they occur when a timed-out session is cleaned up),
and the better the system withstands session-guessing attempts.
The lower the number, the faster a normal system will run.  
<font face="courier new" size=3><pre>
</pre></font>The defaults of 20 minutes for SessionTimeout and 10 times for 
StateManager have dead sessions being cleaned up every 2 minutes.
<font face="courier new" size=3><pre>
  PerlSetVar StateManager 10
</pre></font>
	
	<p>
	<a name=StateDB></a>
	<font face=verdana><font class=title size=-1 color=#555555><b>StateDB</b></font>
<font face="courier new" size=3><pre>
</pre></font>Default SDBM_File.  This is the internal database used for state
objects like $Application and $Session.  Because an SDBM_File %hash 
has a limit on the size of a record key+value pair, usually 1024 bytes,
you may want to use another tied database like DB_File or
MLDBM::Sync::SDBM_File.
<font face="courier new" size=3><pre>
</pre></font>With lightweight $Session and $Application use, you can get 
away with SDBM_File, but if you load it up with complex data like
<font face="courier new" size=3><pre>  $Session-&gt;{key} = {   # very large complex object
  };
</pre></font>you might max out the 1024 limit.
<font face="courier new" size=3><pre>
</pre></font>Currently StateDB can be: SDBM_File, MLDBM::Sync::SDBM_File,
DB_File, and GDBM_File.  Please let me know if you would like to
add any more to this list.
<font face="courier new" size=3><pre>
</pre></font>As of version .18, you may change this setting in a live production
environment, and new state databases created will be of this format.
With a prior version, if you switch to a new StateDB, you would want to 
delete the old StateDir, as there will likely be incompatibilities between
the different database formats, including the way garbage collection
is handled.
<font face="courier new" size=3><pre>
  PerlSetVar StateDB SDBM_File
</pre></font>
	
	<p>
	<a name=StateCache></a>
	<font face=verdana><font class=title size=-1 color=#555555><b>StateCache</b></font>
<font face="courier new" size=3><pre>
</pre></font>Deprecated as of 2.23.  There is no equivalent config for
the functionality this represented from that version on.
The 2.23 release represented a significant rewrite
of the state management, moving to MLDBM::Sync for its
subsystem.</font>
	
	<p>
	<a name=StateSeriali106736b1></a>
	<font face=verdana><font class=title size=-1 color=#555555><b>StateSerializer</b></font>
<font face="courier new" size=3><pre>
</pre></font>Default Data::Dumper.  You may set this to Storable for 
faster serialization and storage of data into state objects.
This is particularly useful when storing large objects in
$Session and $Application, as the Storable.pm module has a faster
implementation of freezing and thawing data from and to
Perl structures.  Note that if you are storing this much
data in your state databases, you may want to use 
DB_File since it does not have the default 1024 byte limit 
that SDBM_File has on key/value lengths.
<font face="courier new" size=3><pre>
</pre></font>This configuration setting may be changed in production
as the state database&#39;s serializer type is stored
in the internal state manager which will always use 
Data::Dumper &amp; SDBM_File to store data.
<font face="courier new" size=3><pre>
  PerlSetVar StateSerializer Data::Dumper
</pre></font>
	
	<p>
	<a name=Sessions></a>
	<font face=verdana><font class=title size=+0 color=#555555><b>Sessions</b></font>
</font>
	
	<p>
	<a name=CookiePath></a>
	<font face=verdana><font class=title size=-1 color=#555555><b>CookiePath</b></font>
<font face="courier new" size=3><pre>
</pre></font>URL root for which the client responds by sending the session cookie.
If your ASP application falls under the server URL &quot;/asp&quot;, 
then you would set this variable to /asp.  This then allows
you to run different applications on the same server, with
different user sessions for each application.
<font face="courier new" size=3><pre>
  PerlSetVar CookiePath /
</pre></font>
	
	<p>
	<a name=CookieDomain></a>
	<font face=verdana><font class=title size=-1 color=#555555><b>CookieDomain</b></font>
<font face="courier new" size=3><pre>
</pre></font>Default 0.  This NON-PORTABLE configuration will allow sessions to span
multiple web sites that match the same domain root.  This is useful if
your web sites are hosted on the same machine and can share the same
StateDir configuration, and you want to share the $Session data 
across web sites.  Whatever value this is set to, it adds a 
<font face="courier new" size=3><pre>
  ; domain=$CookieDomain
</pre></font>part to the Set-Cookie: header set for the session-id cookie.
<font face="courier new" size=3><pre>
  PerlSetVar CookieDomain .your.global.domain
</pre></font>
	
	<p>
	<a name=SessionTimeo21fc354e></a>
	<font face=verdana><font class=title size=-1 color=#555555><b>SessionTimeout</b></font>
<font face="courier new" size=3><pre>
</pre></font>Default 20 minutes.  When a user&#39;s session has been inactive for this
period of time, the Session_OnEnd event is run, if defined, for 
that session, and the contents of that session are destroyed.
<font face="courier new" size=3><pre>
  PerlSetVar SessionTimeout 20
</pre></font>
	
	<p>
	<a name=SecureSessio77114c01></a>
	<font face=verdana><font class=title size=-1 color=#555555><b>SecureSession</b></font>
<font face="courier new" size=3><pre>
</pre></font>Default 0.  Sets the Secure attribute on the session cookie, so that the
browser transmits the cookie only over HTTPS.
<font face="courier new" size=3><pre>
  PerlSetVar SecureSession 1
</pre></font>
	
	<p>
	<a name=HTTPOnlySess63d4d37d></a>
	<font face=verdana><font class=title size=-1 color=#555555><b>HTTPOnlySession</b></font>
<font face="courier new" size=3><pre>
</pre></font>Default 0.  Sets the HttpOnly flag on the session cookie to mitigate XSS attacks.
Supported by most modern browsers, it allows access to the
session cookie only by the server (i.e. NOT JavaScript).
<font face="courier new" size=3><pre>
  PerlSetVar HTTPOnlySession 1
</pre></font>
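	<p>
	CookiePath, CookieDomain, SecureSession and HTTPOnlySession all surface as attributes of the session cookie's Set-Cookie header, so a captured header can be checked against them. The Perl script below is an added example, not code from Apache::ASP: audit_cookie() is a hypothetical helper, the application root /asp is borrowed from the CookiePath text, and the sample headers and cookie values are constructed.

```perl
#!/usr/bin/perl
# Added illustration, not part of Apache::ASP: check a captured Set-Cookie
# header against the session cookie settings documented above.
# audit_cookie() is a hypothetical helper; the sample headers are constructed.
use strict;
use warnings;

# Returns a list of findings, each naming the PerlSetVar that relates to it.
sub audit_cookie {
    my ($header, $app_root) = @_;
    $header =~ s/^Set-Cookie:\s*//i;
    my (undef, @attrs) = split /\s*;\s*/, $header;   # drop the name=value pair
    my %attr;
    for my $item (@attrs) {
        next unless length $item;
        my ($k, $v) = split /=/, $item, 2;
        $attr{ lc $k } = defined $v ? $v : 1;        # valueless flags become 1
    }
    my @findings;
    push @findings, 'no Secure attribute: set SecureSession 1 on HTTPS sites'
        unless $attr{secure};
    push @findings, 'no HttpOnly flag: set HTTPOnlySession 1'
        unless $attr{httponly};
    my $path = defined $attr{path} ? $attr{path} : '/';
    push @findings, "path=$path differs from application root: set CookiePath $app_root"
        if $path ne $app_root;
    push @findings, "domain=$attr{domain}: session spans every site under that root (CookieDomain)"
        if defined $attr{domain};
    return @findings;
}

# Constructed sample headers; the cookie values are made up.
my @samples = (
    'Set-Cookie: session-id=0123456789abcdef0123456789abcdef; path=/',
    'Set-Cookie: session-id=0123456789abcdef0123456789abcdef; path=/; domain=.your.global.domain',
    'Set-Cookie: session-id=0123456789abcdef0123456789abcdef; path=/asp; secure; HttpOnly',
);
for my $h (@samples) {
    my @f = audit_cookie($h, '/asp');
    print "$h\n", (@f ? map("  - $_\n", @f) : "  ok\n");
}
```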
	
	<p>
	<a name=ParanoidSess9085f1d5></a>
	<font face=verdana><font class=title size=-1 color=#555555><b>ParanoidSession</b></font>
<font face="courier new" size=3><pre>
</pre></font>Default 0.  When true, stores the User-Agent header of the browser 
that creates the session and validates it whenever the session cookie is presented.
If this check fails, the session is killed, on the rationale that 
a hacking attempt is underway.
<font face="courier new" size=3><pre>
</pre></font>This config option was implemented to be a smooth upgrade, as
you can turn it off and on, without disrupting current sessions.  
Sessions must be created with this turned on for the security to take effect.
<font face="courier new" size=3><pre>
</pre></font>This config option is to help prevent a brute force cookie search from 
being successful. The number of possible cookies is huge, 2^128, thus making such
a hacking attempt VERY unlikely.  However, on the off chance that such
an attack is successful, the hacker must also present identical
browser headers to authenticate the session, or the session will be
destroyed.  Thus the User-Agent acts as a backup to the real session id.
The IP address of the browser cannot be used because, with proxies,
IP addresses may change between requests during a session.
<font face="courier new" size=3><pre>
</pre></font>There are a few browsers that will not present a User-Agent header.
These browsers are considered to be browsers of type &quot;Unknown&quot;, and 
this method works the same way for them.
<font face="courier new" size=3><pre>
</pre></font>Most people agree that this level of security is unnecessary, thus
it is titled paranoid :)
<font face="courier new" size=3><pre>
  PerlSetVar ParanoidSession 0
</pre></font>
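	<p>
	A stand-alone Perl model of the check described above, added here as an illustration and not taken from Apache::ASP. The hash %store stands in for the state database; ua_of(), new_session() and check_session() are hypothetical names, and the session ids and User-Agent strings are constructed.

```perl
#!/usr/bin/perl
# Added illustration: a model of the ParanoidSession behaviour described
# above. It is NOT Apache::ASP's implementation; all names are hypothetical.
use strict;
use warnings;

my %store;    # session id => { ua => ... }; stands in for the state database

# Browsers that present no User-Agent header are treated as type "Unknown".
sub ua_of { my ($ua) = @_; return (defined $ua && length $ua) ? $ua : 'Unknown' }

# Create a session. The User-Agent is recorded only when the option is on,
# which is why a session must be created with it enabled to be protected.
sub new_session {
    my ($id, $ua, $paranoid) = @_;
    $store{$id} = $paranoid ? { ua => ua_of($ua) } : {};
    return $id;
}

# Validate a presented session id; returns 'ok', 'none' or 'killed'.
sub check_session {
    my ($id, $ua, $paranoid) = @_;
    my $s = $store{$id} or return 'none';
    return 'ok' unless $paranoid && exists $s->{ua};   # created with option off
    return 'ok' if $s->{ua} eq ua_of($ua);
    delete $store{$id};                                # mismatch: destroy it
    return 'killed';
}

# Constructed sessions and requests.
new_session('id-A', 'Mozilla/5.0 (constructed)', 1);
new_session('id-B', undef, 1);                         # no User-Agent header
new_session('id-C', 'Mozilla/5.0 (constructed)', 0);   # created before enabling

my @requests = (
    [ 'id-A', 'Mozilla/5.0 (constructed)' ],   # same browser
    [ 'id-A', 'curl/8.0 (constructed)'    ],   # right id, different headers
    [ 'id-A', 'Mozilla/5.0 (constructed)' ],   # session was destroyed above
    [ 'id-B', undef                       ],   # "Unknown" matches "Unknown"
    [ 'id-C', 'curl/8.0 (constructed)'    ],   # created unprotected, not checked
);
for my $r (@requests) {
    my ($id, $ua) = @$r;
    printf "%-5s %-28s %s\n", $id, ua_of($ua), check_session($id, $ua, 1);
}
```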
	
	<p>
	<a name=SessionSeria0633b2a7></a>
	<font face=verdana><font class=title size=-1 color=#555555><b>SessionSerialize</b></font>
<font face="courier new" size=3><pre>
</pre></font>default 0, if true, locks $Session for duration of script, which


