Apache-ASP
</pre></font>default 0. Sets the Secure flag on the session cookie, so that the browser
will only transmit the cookie over HTTPS connections.
<font face="courier new" size=3><pre>
PerlSetVar SecureSession 1
</pre></font>
<p>
<a name=HTTPOnlySess63d4d37d></a>
<font face=verdana><font class=title size=-1 color=#555555><b>HTTPOnlySession</b></font>
<font face="courier new" size=3><pre>
</pre></font>default 0. Sets the HttpOnly flag on the session cookie to mitigate XSS attacks.
Supported by most modern browsers, it makes the session cookie accessible only
to the server (i.e. NOT to JavaScript).
<font face="courier new" size=3><pre>
PerlSetVar HTTPOnlySession 1
</pre></font>
<p>
<a name=ParanoidSess9085f1d5></a>
<font face=verdana><font class=title size=-1 color=#555555><b>ParanoidSession</b></font>
<font face="courier new" size=3><pre>
</pre></font>default 0. When true, stores the user-agent header of the browser
that creates the session and validates this against the session cookie presented.
If this check fails, the session is killed, with the rationale that
there is a hacking attempt underway.
<font face="courier new" size=3><pre>
</pre></font>This config option was implemented to be a smooth upgrade, as
you can turn it off and on, without disrupting current sessions.
Sessions must be created with this turned on for the security to take effect.
<font face="courier new" size=3><pre>
</pre></font>This config option helps prevent a brute force cookie search from
being successful. The number of possible cookies is huge, 2^128, thus making such
a hacking attempt VERY unlikely. However, on the off chance that such
an attack is successful, the hacker must also present identical
browser headers to authenticate the session, or the session will be
destroyed. Thus the User-Agent acts as a backup to the real session id.
The IP address of the browser cannot be used, since, because of proxies,
IP addresses may change between requests during a session.
<font face="courier new" size=3><pre>
</pre></font>There are a few browsers that will not present a User-Agent header.
These browsers are considered to be browsers of type "Unknown", and
this method works the same way for them.
<font face="courier new" size=3><pre>
</pre></font>Most people agree that this level of security is unnecessary, thus
it is titled paranoid :)
<font face="courier new" size=3><pre>
PerlSetVar ParanoidSession 0
</pre></font>
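The User-Agent binding described above, as an added Python illustration that is not Apache::ASP's own code; the in-memory store, the function names and the "Unknown" bucketing for browsers without a User-Agent are assumptions modelled on the text.

```python
import secrets
import time

# Toy in-memory session store (assumption: Apache::ASP's real SDBM/DB_File
# backed store differs; this only models the ParanoidSession check).
SESSIONS = {}


def new_session(user_agent, paranoid):
    """Create a session. The User-Agent is recorded only when ParanoidSession
    is on at creation time, mirroring 'sessions must be created with this
    turned on for the security to take effect'."""
    sid = secrets.token_hex(16)            # 128-bit id, the 2^128 space above
    rec = {"created": time.time(), "data": {}}
    if paranoid:
        # Browsers that send no User-Agent header are bucketed as "Unknown".
        rec["ua"] = user_agent or "Unknown"
    SESSIONS[sid] = rec
    return sid


def load_session(sid, user_agent, paranoid):
    """Return the session record, or None if it is absent or was killed
    because the presented User-Agent differs from the one stored."""
    rec = SESSIONS.get(sid)
    if rec is None:
        return None
    # The check only fires when the option is on *and* the session stored a
    # UA at creation, so toggling the option does not disrupt live sessions.
    if paranoid and "ua" in rec and rec["ua"] != (user_agent or "Unknown"):
        del SESSIONS[sid]                  # valid id, wrong browser: kill it
        return None
    return rec
```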
<p>
<a name=SessionSeria0633b2a7></a>
<font face=verdana><font class=title size=-1 color=#555555><b>SessionSerialize</b></font>
<font face="courier new" size=3><pre>
</pre></font>default 0. If true, locks $Session for the duration of the script, which
serializes requests to the $Session object: only one script at
a time may run per user $Session when sessions are enabled.
<font face="courier new" size=3><pre>
</pre></font>Serializing requests to the session object is the Microsoft ASP way,
but it is dangerous in a production environment, where there is a risk
of long-running or run-away processes. If these occur,
a session may be locked for an indefinite period of time. The user's
STOP button should safely quit the session, however.
<font face="courier new" size=3><pre>
PerlSetVar SessionSerialize 0
</pre></font>
<p>
<a name=SessionCount></a>
<font face=verdana><font class=title size=-1 color=#555555><b>SessionCount</b></font>
<font face="courier new" size=3><pre>
</pre></font>default 0, if true enables the $Application->SessionCount API
which returns how many sessions are currently active in
the application. This config was created
because there is a performance hit associated with this
count tracking, so it is disabled by default.
<font face="courier new" size=3><pre>
PerlSetVar SessionCount 1
</pre></font>
<p>
<a name=Cookieless%20S21cbf4f4></a>
<font face=verdana><font class=title size=+0 color=#555555><b>Cookieless Sessions</b></font>
</font>
<p>
<a name=SessionQuery6920bb61></a>
<font face=verdana><font class=title size=-1 color=#555555><b>SessionQueryParse</b></font>
<font face="courier new" size=3><pre>
</pre></font>default 0, if true, will automatically parse the $Session
session id into the query string of each local URL found in the
$Response buffer. For this setting to work therefore,
buffering must be enabled. This parsing will only occur
when a session cookie has not been sent by a browser, so the
first script of a session enabled site, and scripts viewed by
web browsers that have cookies disabled will trigger this behavior.
<font face="courier new" size=3><pre>
</pre></font>Although this runtime parsing method is computationally
expensive, this cost should be amortized across most users
that will not need this URL parsing. This is a lazy programmer's
dream. For something more efficient, look at the SessionQuery
setting. For more information about this solution, please
read the <a href=sessions.html><font size=-1 face=verdana><b>SESSIONS</b></font></a> section.
<font face="courier new" size=3><pre>
PerlSetVar SessionQueryParse 0
</pre></font>
<p>
<a name=SessionQueryd88d64b8></a>
<font face=verdana><font class=title size=-1 color=#555555><b>SessionQueryParseMatch</b></font>
<font face="courier new" size=3><pre>
</pre></font>default 0. Set to a regexp pattern that matches all URLs into which you
want SessionQueryParse to parse session ids. By default
SessionQueryParse only modifies local URLs, but if the URLs of your
site are written as absolute URLs like <tt>http://localhost</tt>,
then you will need to use this setting. So to match
<tt>http://localhost</tt> URLs, you might set this pattern to
<tt>^http://localhost</tt>. Note that by setting this config,
you are also setting SessionQueryParse.
<font face="courier new" size=3><pre>
PerlSetVar SessionQueryParseMatch ^https?://localhost
</pre></font>
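SessionQueryParse and SessionQueryParseMatch as an added Python illustration, not Apache::ASP's own implementation. It assumes the default cookie name <tt>session-id</tt> and plain <tt>href</tt>/<tt>src</tt> attributes, and goes slightly beyond the text by preserving existing query strings and fragments when the id is appended.

```python
import re

# Constructed stand-in for the $Response buffer of a session-enabled page.
RESPONSE_BUFFER = (
    '<a href="/index.asp">home</a> '
    '<a href="page.asp?x=1">page</a> '
    '<a href="http://localhost/app/login.asp">login</a> '
    '<a href="https://example.com/">external</a> '
    '<img src="/img/logo.png">'
)

COOKIE_NAME = "session-id"   # assumption: Apache::ASP's default cookie name
URL_ATTR = re.compile(r'\b(href|src)="([^"]*)"')
SCHEME = re.compile(r"^[a-zA-Z][a-zA-Z0-9+.-]*:")


def is_local(url, parse_match):
    """Relative URLs and those starting with '/' are local and rewritten by
    default; absolute URLs only if SessionQueryParseMatch matches them."""
    if url.startswith("#"):
        return False                       # same-page anchor, nothing to do
    if SCHEME.match(url):                  # has a scheme, so it is absolute
        return bool(parse_match and re.search(parse_match, url))
    return True


def add_session_id(url, sid):
    """Append the id to the query string, keeping any existing query/fragment."""
    base, _, frag = url.partition("#")
    sep = "&" if "?" in base else "?"
    return f"{base}{sep}{COOKIE_NAME}={sid}" + (f"#{frag}" if frag else "")


def parse_session_query(buffer, sid, cookie_present, parse_match=None):
    """Emulate SessionQueryParse: only when the browser presented no session
    cookie, rewrite every local (or pattern-matched) URL in the buffer."""
    if cookie_present:
        return buffer                      # cookie works; leave buffer as is

    def repl(m):
        attr, url = m.group(1), m.group(2)
        if not is_local(url, parse_match):
            return m.group(0)
        return f'{attr}="{add_session_id(url, sid)}"'

    return URL_ATTR.sub(repl, buffer)
```

Ids carried in URLs end up in Referer headers, proxy logs and browser history, which is why the cookie stays the preferred carrier and this rewriting only runs when no cookie was presented.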