Apache-ASP
site/config.html view on Meta::CPAN
your web sites are hosted on the same machine and can share the same
StateDir configuration, and you want to share the $Session data
across web sites. Whatever this is set to, that will add a
<font face="courier new" size=3><pre>
; domain=$CookieDomain
</pre></font>part to the Set-Cookie: header set for the session-id cookie.
<font face="courier new" size=3><pre>
PerlSetVar CookieDomain .your.global.domain
</pre></font>
<p>
<a name=SessionTimeo21fc354e></a>
<font face=verdana><font class=title size=-1 color=#555555><b>SessionTimeout</b></font>
<font face="courier new" size=3><pre>
</pre></font>Default 20 minutes. When a user's session has been inactive for this
period of time, the Session_OnEnd event is run, if defined, for
that session, and the contents of that session are destroyed.
<font face="courier new" size=3><pre>
PerlSetVar SessionTimeout 20
</pre></font>
<p>
<a name=SecureSessio77114c01></a>
<font face=verdana><font class=title size=-1 color=#555555><b>SecureSession</b></font>
<font face="courier new" size=3><pre>
</pre></font>Default 0. Sets the Secure attribute on the session cookie, so that the
browser will only transmit the cookie over https.
<font face="courier new" size=3><pre>
PerlSetVar SecureSession 1
</pre></font>
<p>
<a name=HTTPOnlySess63d4d37d></a>
<font face=verdana><font class=title size=-1 color=#555555><b>HTTPOnlySession</b></font>
<font face="courier new" size=3><pre>
</pre></font>Default 0. Sets the HttpOnly flag on the session cookie to mitigate XSS attacks.
Supported by most modern browsers, it only allows access to the
session cookie by the server (i.e. NOT JavaScript).
<font face="courier new" size=3><pre>
PerlSetVar HTTPOnlySession 1
</pre></font>
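An audit of the session cookie directives described above, as an added example in Python (not part of the Apache::ASP documentation or code). The sample configuration is constructed, the function names are hypothetical, and the parser is a flat model that ignores Apache container scoping.

```python
import re

# Defaults for the two cookie flags, as stated on this page.
DEFAULTS = {"SecureSession": "0", "HTTPOnlySession": "0"}

# Constructed sample configuration (not from any real site).
SAMPLE_CONF = """\
# Apache::ASP session settings
PerlSetVar CookieDomain .example.test
PerlSetVar SessionTimeout 20
  PerlSetVar SecureSession 0
PerlSetVar HTTPOnlySession "1"
#PerlSetVar SecureSession 1
"""

# "PerlSetVar Name Value"; the value may be quoted.
DIRECTIVE = re.compile(r'^\s*PerlSetVar\s+(\S+)\s+"?([^"\s]*)"?\s*$', re.IGNORECASE)

def effective_settings(conf_text):
    """Flat model (assumption): later directives override earlier ones and
    container scoping (<Location>, <VirtualHost>, ...) is ignored."""
    settings = dict(DEFAULTS)
    for line in conf_text.splitlines():
        m = DIRECTIVE.match(line)  # lines commented out with '#' do not match
        if m:
            settings[m.group(1)] = m.group(2)
    return settings

def enabled(value):
    # The flags are Perl booleans: the empty string and "0" are false.
    return value not in ("", "0")

def audit(conf_text):
    """Return (directive, reason) pairs for session cookie settings worth reviewing."""
    s = effective_settings(conf_text)
    findings = []
    if not enabled(s["SecureSession"]):
        findings.append(("SecureSession", "session cookie can be sent over plain http"))
    if not enabled(s["HTTPOnlySession"]):
        findings.append(("HTTPOnlySession", "session cookie is readable by page JavaScript"))
    if "CookieDomain" in s:
        findings.append(("CookieDomain",
                         "session cookie is shared with every host under " + s["CookieDomain"]))
    return findings

if __name__ == "__main__":
    for name, why in audit(SAMPLE_CONF):
        print(f"{name}: {why}")
```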
<p>
<a name=ParanoidSess9085f1d5></a>
<font face=verdana><font class=title size=-1 color=#555555><b>ParanoidSession</b></font>
<font face="courier new" size=3><pre>
</pre></font>Default 0. When true, stores the User-Agent header of the browser
that creates the session and validates it against the User-Agent presented
with the session cookie on later requests.
If this check fails, the session is killed, on the rationale that
a hacking attempt is underway.
<font face="courier new" size=3><pre>
</pre></font>This config option was implemented to be a smooth upgrade, as
you can turn it off and on, without disrupting current sessions.
Sessions must be created with this turned on for the security to take effect.
<font face="courier new" size=3><pre>
</pre></font>This config option is to help prevent a brute force cookie search from
being successful. The number of possible cookies is huge, 2^128, thus making such
a hacking attempt VERY unlikely. However, on the off chance that such
an attack is successful, the hacker must also present identical
browser headers to authenticate the session, or the session will be
destroyed. Thus the User-Agent acts as a backup to the real session id.
The IP address of the browser cannot be used because, with proxies,
IP addresses may change between requests during a session.
<font face="courier new" size=3><pre>
</pre></font>There are a few browsers that will not present a User-Agent header.
These browsers are considered to be browsers of type "Unknown", and
this method works the same way for them.
<font face="courier new" size=3><pre>
</pre></font>Most people agree that this level of security is unnecessary, thus
it is titled paranoid :)
<font face="courier new" size=3><pre>
PerlSetVar ParanoidSession 0
</pre></font>
<p>
<a name=SessionSeria0633b2a7></a>
<font face=verdana><font class=title size=-1 color=#555555><b>SessionSerialize</b></font>
<font face="courier new" size=3><pre>
</pre></font>default 0, if true, locks $Session for duration of script, which
serializes requests to the $Session object. Only one script at
a time may run, per user $Session, with sessions allowed.
<font face="courier new" size=3><pre>
</pre></font>Serializing requests to the session object is the Microsoft ASP way,
but is dangerous in a production environment, where there is risk
of long-running or runaway processes. If these things happen,
a session may be locked for an indefinite period of time. A user
pressing the STOP button should safely quit the session, however.
<font face="courier new" size=3><pre>
PerlSetVar SessionSerialize 0
</pre></font>
<p>
<a name=SessionCount></a>
<font face=verdana><font class=title size=-1 color=#555555><b>SessionCount</b></font>
<font face="courier new" size=3><pre>
</pre></font>default 0, if true enables the $Application->SessionCount API
which returns how many sessions are currently active in
the application. This config was created
because there is a performance hit associated with this
count tracking, so it is disabled by default.
<font face="courier new" size=3><pre>
PerlSetVar SessionCount 1
</pre></font>
<p>
<a name=Cookieless%20S21cbf4f4></a>
<font face=verdana><font class=title size=+0 color=#555555><b>Cookieless Sessions</b></font>
</font>
<p>
<a name=SessionQuery6920bb61></a>
<font face=verdana><font class=title size=-1 color=#555555><b>SessionQueryParse</b></font>
<font face="courier new" size=3><pre>
</pre></font>default 0, if true, will automatically parse the $Session
session id into the query string of each local URL found in the
$Response buffer. For this setting to work therefore,
buffering must be enabled. This parsing will only occur
when a session cookie has not been sent by a browser, so the
first script of a session enabled site, and scripts viewed by
web browsers that have cookies disabled will trigger this behavior.
<font face="courier new" size=3><pre>
site/config.html view on Meta::CPAN
own risk.
<font face="courier new" size=3><pre>
PerlSetVar CompressGzip 1
</pre></font>
<p>
<a name=FormFill></a>
<font face=verdana><font class=title size=-1 color=#555555><b>FormFill</b></font>
<font face="courier new" size=3><pre>
</pre></font>default 0, if true will auto fill HTML forms with values
from $Request->Form(). This functionality is provided
by use of HTML::FillInForm. For more information please
see "perldoc HTML::FillInForm", and the
example <a href=eg/formfill.asp>./site/eg/formfill.asp</a>.
<font face="courier new" size=3><pre>
</pre></font>This feature can be enabled on a per form basis at runtime
with $Response->{FormFill} = 1
<font face="courier new" size=3><pre>
PerlSetVar FormFill 1
</pre></font>
<p>
<a name=TimeHiRes></a>
<font face=verdana><font class=title size=-1 color=#555555><b>TimeHiRes</b></font>
<font face="courier new" size=3><pre>
</pre></font>default 0, if set and Time::HiRes is installed, will do
sub-second timing of the time it takes Apache::ASP to process
a request. This will not include the time spent in the
session manager, nor mod_perl or Apache, and is only a
rough approximation at best.
<font face="courier new" size=3><pre>
</pre></font>If Debug is set also, you will get a comment in your
HTML output that indicates the time it took to process
that script.
<font face="courier new" size=3><pre>
</pre></font>If system debugging is set with Debug -1 or -2, you will
also get this time in the Apache error log with the
other system messages.</font>
<p>
<a name=Mail%20Adminis1a4d2b59></a>
<font face=verdana><font class=title size=+0 color=#555555><b>Mail Administration</b></font>
<font face="courier new" size=3><pre>
</pre></font>Apache::ASP has some powerful administrative email
extensions that let you sleep at night, knowing full well
that if an error occurs at the web site, you will know
about it immediately. With these features already enabled,
it was also easy to provide the $Server->Mail(\%mail) API
extension which you can read up about in the <a href=objects.html><font size=-1 face=verdana><b>OBJECTS</b></font></a> section.</font>
<p>
<a name=MailHost></a>
<font face=verdana><font class=title size=-1 color=#555555><b>MailHost</b></font>
<font face="courier new" size=3><pre>
</pre></font>The mail host is the smtp server that the below Mail* config directives
will use when sending their emails. By default Net::SMTP uses
smtp mail hosts configured in Net::Config, which is set up at
install time, but this setting can be used to override this config.
<font face="courier new" size=3><pre>
</pre></font>The mail hosts specified in the Net::Config file will be used as
backup smtp servers to the MailHost specified here, should this
primary server not be working.
<font face="courier new" size=3><pre>
PerlSetVar MailHost smtp.yourdomain.com.foobar
</pre></font>
<p>
<a name=MailFrom></a>
<font face=verdana><font class=title size=-1 color=#555555><b>MailFrom</b></font>
<font face="courier new" size=3><pre>
</pre></font>Default NONE, set this to specify the default mail address placed
in the From: mail header for the $Server->Mail() API extension,
as well as MailErrorsTo and MailAlertTo.
<font face="courier new" size=3><pre>
PerlSetVar MailFrom <b>youremail@yourdomain.com.foobar</b>
</pre></font>
<p>
<a name=MailErrorsTo></a>
<font face=verdana><font class=title size=-1 color=#555555><b>MailErrorsTo</b></font>
<font face="courier new" size=3><pre>
</pre></font>No default, if set, ASP server errors, error code 500, that result
while compiling or running scripts under Apache::ASP will automatically
be emailed to the email address set for this config. This allows
an administrator to have a rapid response to user generated server
errors resulting from bugs in production ASP scripts. Other errors, such
as 404 not found will be handled by Apache directly.
<font face="courier new" size=3><pre>
</pre></font>An easy way to see this config in action is to have an ASP script which calls
a die(), which generates an internal ASP 500 server error.
<font face="courier new" size=3><pre>
</pre></font>The Debug config of value 2 and this setting are mutually exclusive,
as Debug 2 is a development setting where errors are displayed in the browser,
and MailErrorsTo is a production setting so that errors are silently logged
and sent via email to the web admin.
<font face="courier new" size=3><pre>
PerlSetVar MailErrorsTo <b>youremail@yourdomain.com</b>
</pre></font>
<p>
<a name=MailAlertTo></a>
<font face=verdana><font class=title size=-1 color=#555555><b>MailAlertTo</b></font>
<font face="courier new" size=3><pre>
</pre></font>The address configured will have an email sent on any ASP server error 500,
and the message will be short enough to fit on a text based pager. This
config setting would be used to give an administrator a heads up that a www
server error occurred, whereas MailErrorsTo would be used for debugging
that server error.
<font face="courier new" size=3><pre>
</pre></font>This config does not work when Debug 2 is set, as it is a setting for
use in production only, where Debug 2 is for development use.
<font face="courier new" size=3><pre>
PerlSetVar MailAlertTo <b>youremail@yourdomain.com</b>
</pre></font>
<p>
<a name=MailAlertPer096b67a8></a>
<font face=verdana><font class=title size=-1 color=#555555><b>MailAlertPeriod</b></font>
<font face="courier new" size=3><pre>
</pre></font>Default 20 minutes, this config specifies the time in minutes over
which there may be only one alert email generated by MailAlertTo.