Apache-ASP
site/config.html
then you would set this variable to /asp. This then allows
you to run different applications on the same server, with
different user sessions for each application.
<font face="courier new" size=3><pre>
PerlSetVar CookiePath /
</pre></font>
<p>
<a name=CookieDomain></a>
<font face=verdana><font class=title size=-1 color=#555555><b>CookieDomain</b></font>
<font face="courier new" size=3><pre>
</pre></font>Default 0, this NON-PORTABLE configuration will allow sessions to span
multiple web sites that match the same domain root. This is useful if
your web sites are hosted on the same machine and can share the same
StateDir configuration, and you want to share the $Session data
across web sites. Whatever this is set to, that will add a
<font face="courier new" size=3><pre>
; domain=$CookieDomain
</pre></font>part to the Set-Cookie: header set for the session-id cookie.
<font face="courier new" size=3><pre>
PerlSetVar CookieDomain .your.global.domain
</pre></font>
<p>
<a name=SessionTimeo21fc354e></a>
<font face=verdana><font class=title size=-1 color=#555555><b>SessionTimeout</b></font>
<font face="courier new" size=3><pre>
</pre></font>Default 20 minutes. When a user's session has been inactive for this
period of time, the Session_OnEnd event is run, if defined, for
that session, and the contents of that session are destroyed.
<font face="courier new" size=3><pre>
PerlSetVar SessionTimeout 20
</pre></font>
<p>
<a name=SecureSessio77114c01></a>
<font face=verdana><font class=title size=-1 color=#555555><b>SecureSession</b></font>
<font face="courier new" size=3><pre>
</pre></font>Default 0. Sets the secure tag on the session cookie, so that the browser
will only transmit the cookie over https.
<font face="courier new" size=3><pre>
PerlSetVar SecureSession 1
</pre></font>
<p>
<a name=HTTPOnlySess63d4d37d></a>
<font face=verdana><font class=title size=-1 color=#555555><b>HTTPOnlySession</b></font>
<font face="courier new" size=3><pre>
</pre></font>Default 0. Sets the HttpOnly flag on the session cookie to mitigate XSS attacks.
Supported by most modern browsers, it only allows access to the
session cookie by the server (i.e. NOT JavaScript).
<font face="courier new" size=3><pre>
PerlSetVar HTTPOnlySession 1
</pre></font>
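An added example, not part of the Apache::ASP documentation or code: a small Python audit that reads a config for the CookieDomain, SecureSession and HTTPOnlySession settings described above and reports which session cookie protections are off. The function names and both sample configs are constructed for illustration, and per-section scoping is not modelled.

```python
import re

# Defaults as documented on this page: all three settings are off (0).
DEFAULTS = {"SecureSession": "0", "HTTPOnlySession": "0", "CookieDomain": "0"}
PERLSETVAR = re.compile(r"^\s*PerlSetVar\s+(\S+)\s+(\S+)", re.IGNORECASE)

def effective_settings(conf_text):
    """Last PerlSetVar value per setting, falling back to the documented default.

    Simplification: the config is treated as flat, so per-<Location> or
    per-<VirtualHost> scoping is not modelled.
    """
    settings = dict(DEFAULTS)
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):   # skip commented-out directives
            continue
        m = PERLSETVAR.match(line)
        if m and m.group(1) in settings:
            settings[m.group(1)] = m.group(2).strip("\"'")
    return settings

def audit(conf_text):
    """Return (setting, message) findings for the session cookie settings."""
    s = effective_settings(conf_text)
    findings = []
    if s["SecureSession"] == "0":
        findings.append(("SecureSession", "cookie lacks the secure tag; browsers will also send it over http"))
    if s["HTTPOnlySession"] == "0":
        findings.append(("HTTPOnlySession", "cookie lacks HttpOnly; page JavaScript can read it"))
    if s["CookieDomain"] != "0":
        findings.append(("CookieDomain", "cookie is sent to every site under " + s["CookieDomain"]))
    return findings

# Constructed sample configs, not taken from a real server.
WEAK = """
PerlSetVar CookiePath /
PerlSetVar CookieDomain .your.global.domain
# PerlSetVar SecureSession 1
"""
HARDENED = """
PerlSetVar CookiePath /
PerlSetVar SecureSession 1
PerlSetVar HTTPOnlySession 1
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(conf))
```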
<p>
<a name=ParanoidSess9085f1d5></a>
<font face=verdana><font class=title size=-1 color=#555555><b>ParanoidSession</b></font>
<font face="courier new" size=3><pre>
</pre></font>Default 0. When true, stores the User-Agent header of the browser
that creates the session and validates this against each request that presents the session cookie.
If this check fails, the session is killed, with the rationale that
there is a hacking attempt underway.
<font face="courier new" size=3><pre>
</pre></font>This config option was implemented to be a smooth upgrade, as
you can turn it off and on, without disrupting current sessions.
Sessions must be created with this turned on for the security to take effect.
<font face="courier new" size=3><pre>
</pre></font>This config option is to help prevent a brute force cookie search from
being successful. The number of possible cookies is huge, 2^128, thus making such
a hacking attempt VERY unlikely. However, on the off chance that such
an attack is successful, the hacker must also present identical
browser headers to authenticate the session, or the session will be
destroyed. Thus the User-Agent acts as a backup to the real session id.
The IP address of the browser cannot be used because, with proxies,
IP addresses may change between requests during a session.
<font face="courier new" size=3><pre>
</pre></font>There are a few browsers that will not present a User-Agent header.
These browsers are considered to be browsers of type "Unknown", and
this method works the same way for them.
<font face="courier new" size=3><pre>
</pre></font>Most people agree that this level of security is unnecessary, thus
it is titled paranoid :)
<font face="courier new" size=3><pre>
PerlSetVar ParanoidSession 0
</pre></font>
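The check described above, modelled in Python as an added example (it is not Apache::ASP's implementation): the User-Agent is recorded at session creation, a mismatch destroys the session, sessions created with the option off are left alone, and a missing header counts as "Unknown". The SessionStore class and the header values are hypothetical.

```python
import secrets

class SessionStore:
    """Toy model of the ParanoidSession check (not Apache::ASP's code)."""

    def __init__(self, paranoid):
        self.paranoid = paranoid
        self.sessions = {}   # session id -> recorded User-Agent, or None

    def create(self, headers):
        sid = secrets.token_hex(16)   # 128-bit id, matching the 2^128 space
        # The User-Agent is only recorded when the option is on at creation.
        ua = headers.get("User-Agent", "Unknown") if self.paranoid else None
        self.sessions[sid] = ua
        return sid

    def validate(self, sid, headers):
        """Return 'ok', 'no-session', or 'killed' (mismatch destroys the session)."""
        if sid not in self.sessions:
            return "no-session"
        recorded = self.sessions[sid]
        # Sessions created while the option was off carry no User-Agent and
        # are not checked, so toggling the option does not disrupt them.
        if self.paranoid and recorded is not None:
            if headers.get("User-Agent", "Unknown") != recorded:
                del self.sessions[sid]
                return "killed"
        return "ok"

def demo():
    store = SessionStore(paranoid=True)
    owner = {"User-Agent": "ExampleBrowser/1.0"}   # constructed header value
    sid = store.create(owner)
    results = [store.validate(sid, owner)]         # same browser
    results.append(store.validate(sid, {"User-Agent": "OtherClient/2.0"}))
    results.append(store.validate(sid, owner))     # session is gone for everyone
    return results

if __name__ == "__main__":
    print(demo())
```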
<p>
<a name=SessionSeria0633b2a7></a>
<font face=verdana><font class=title size=-1 color=#555555><b>SessionSerialize</b></font>
<font face="courier new" size=3><pre>
</pre></font>Default 0. If true, locks $Session for the duration of the script, which
serializes requests to the $Session object. Only one script with
sessions allowed may run at a time per user $Session.
<font face="courier new" size=3><pre>
</pre></font>Serializing requests to the session object is the Microsoft ASP way,
but it is dangerous in a production environment, where there is a risk
of long-running or runaway processes. If these things happen,
a session may be locked for an indefinite period of time. A user
STOP button should safely quit the session, however.
<font face="courier new" size=3><pre>
PerlSetVar SessionSerialize 0
</pre></font>
<p>
<a name=SessionCount></a>
<font face=verdana><font class=title size=-1 color=#555555><b>SessionCount</b></font>
<font face="courier new" size=3><pre>
</pre></font>Default 0. If true, enables the $Application->SessionCount API,
which returns how many sessions are currently active in
the application. This config was created
because there is a performance hit associated with this
count tracking, so it is disabled by default.
<font face="courier new" size=3><pre>
PerlSetVar SessionCount 1
</pre></font>
<p>
<a name=Cookieless%20S21cbf4f4></a>
<font face=verdana><font class=title size=+0 color=#555555><b>Cookieless Sessions</b></font>
</font>