Apache-ASP
view release on metacpan or search on metacpan
application scream with speed.
PerlSetVar StateDir ./.state
=item StateManager
default 10, this number specifies the numbers of times per SessionTimeout
that timed out sessions are garbage collected. The bigger the number,
the slower your system, but the more precise Session_OnEnd's will be
run from global.asa, which occur when a timed out session is cleaned up,
and the better able to withstand Session guessing hacking attempts.
The lower the number, the faster a normal system will run.
The defaults of 20 minutes for SessionTimeout and 10 times for
StateManager, has dead Sessions being cleaned up every 2 minutes.
PerlSetVar StateManager 10
=item StateDB
default SDBM_File, this is the internal database used for state
=head2 $Session Object
The $Session object keeps track of user and web client state, in
a persistent manner, making it relatively easy to develop web
applications. The $Session state is stored across HTTP connections,
in database files in the Global or StateDir directories, and will
persist across web server restarts.
The user session is referenced by a 128 bit / 32 byte MD5 hex hashed cookie,
and can be considered secure from session id guessing, or session hijacking.
When a hacker fails to guess a session, the system times out for a
second, and with 2**128 (3.4e38) keys to guess, a hacker will not be
guessing an id any time soon.
If an incoming cookie matches a timed out or non-existent session,
a new session is created with the incoming id. If the id matches a
currently active session, the session is tied to it and returned.
This is also similar to the Microsoft ASP implementation.
The $Session reference is a hash ref, and can be used as such to
store data as in:
$Session->{count}++; # increment count by one
URLs, but with SessionQueryParseMatch set to some server
url regexp, like ^http://localhost , will also parse
in the session id for URLs that match that.
When testing, the performance hit from this parsing
a script dropped from 12.5 hits/sec on my WinNT box
to 11.7 hits per second for 1K of buffered output.
The difference is .007 of my PII300's processing power
per second.
For 10K of output then, my guess is that this speed
of script, would be slowed to 6.8 hits per second.
This kind of performance hit would also slow a
script running at 40 hits per second on a UNIX box
to 31 hits/sec for 1K, and to 11 hits/sec for 10K parsed.
Your mileage may vary and you will have to test the difference
yourself. Get yourself a valid URL with a session-id in
it, and run it through ab, or Socrates, with SessionQuery
turned on, and then with SessionQueryParse set to see
the difference. SessionQuery just enables of session id
$Session, $Application, $Response, $Request objects available
for use in asp pages.
$Session & $Application data is preserved using SDBM files.
$Session id's are tracked through the use of cookies.
Security
--------
Timeouts any attempt to use a session id that doesn't already
exist. Should stop hackers, since there is no wire speed guessing
cookies.
=head1 LICENSE
Copyright (c) 1998-2018, Josh Chamas
All rights reserved. This program is free software; you can
redistribute it and/or modify it under the same terms as Perl itself.
Apache::ASP is a perl native port of Active Server Pages for Apache
files. This way one may point StateDir to /tmp/myaspapp, and make one's
ASP application scream with speed.
PerlSetVar StateDir ./.state
StateManager
default 10, this number specifies the numbers of times per
SessionTimeout that timed out sessions are garbage collected. The bigger
the number, the slower your system, but the more precise Session_OnEnd's
will be run from global.asa, which occur when a timed out session is
cleaned up, and the better able to withstand Session guessing hacking
attempts. The lower the number, the faster a normal system will run.
The defaults of 20 minutes for SessionTimeout and 10 times for
StateManager, has dead Sessions being cleaned up every 2 minutes.
PerlSetVar StateManager 10
StateDB
default SDBM_File, this is the internal database used for state objects
like $Application and $Session. Because an SDBM_File %hash has a limit
for common functions.
$Session Object
The $Session object keeps track of user and web client state, in a
persistent manner, making it relatively easy to develop web applications.
The $Session state is stored across HTTP connections, in database files in
the Global or StateDir directories, and will persist across web server
restarts.
The user session is referenced by a 128 bit / 32 byte MD5 hex hashed cookie,
and can be considered secure from session id guessing, or session hijacking.
When a hacker fails to guess a session, the system times out for a second,
and with 2**128 (3.4e38) keys to guess, a hacker will not be guessing an id
any time soon.
If an incoming cookie matches a timed out or non-existent session, a new
session is created with the incoming id. If the id matches a currently
active session, the session is tied to it and returned. This is also similar
to the Microsoft ASP implementation.
The $Session reference is a hash ref, and can be used as such to store data
as in:
URLs, but with SessionQueryParseMatch set to some server
url regexp, like ^http://localhost , will also parse
in the session id for URLs that match that.
When testing, the performance hit from this parsing
a script dropped from 12.5 hits/sec on my WinNT box
to 11.7 hits per second for 1K of buffered output.
The difference is .007 of my PII300's processing power
per second.
For 10K of output then, my guess is that this speed
of script, would be slowed to 6.8 hits per second.
This kind of performance hit would also slow a
script running at 40 hits per second on a UNIX box
to 31 hits/sec for 1K, and to 11 hits/sec for 10K parsed.
Your mileage may vary and you will have to test the difference
yourself. Get yourself a valid URL with a session-id in
it, and run it through ab, or Socrates, with SessionQuery
turned on, and then with SessionQueryParse set to see
the difference. SessionQuery just enables of session id
$Session, $Application, $Response, $Request objects available
for use in asp pages.
$Session & $Application data is preserved using SDBM files.
$Session id's are tracked through the use of cookies.
Security
--------
Timeouts any attempt to use a session id that doesn't already
exist. Should stop hackers, since there is no wire speed guessing
cookies.
LICENSE
Copyright (c) 1998-2018, Josh Chamas
All rights reserved. This program is free software; you can redistribute it
and/or modify it under the same terms as Perl itself.
Apache::ASP is a perl native port of Active Server Pages for Apache and
mod_perl.
lib/Apache/ASP/Session.pm view on Meta::CPAN
$asp->{dbg} &&
$asp->Debug("session not expired",{'time'=>time(), timeout=>$idata->{timeout}});
if($asp->{paranoid_session}) {
local $^W = 0;
# by testing for whether UA was set to begin with, we
# allow a smooth upgrade to ParanoidSessions
$state->WriteLock() if $asp->{session_serialize};
my $state_ua = $state->FETCH('_UA');
if(defined($state_ua) and $state_ua ne $asp->{'ua'}) {
$asp->Log("[security] hacker guessed id $id; ".
"user-agent ($asp->{'ua'}) does not match ($state_ua); ".
"destroying session & establishing new session id"
);
$state->Init();
undef $state;
goto NEW_SESSION_ID;
}
}
$started = 0;
lib/Apache/ASP/StateManager.pm view on Meta::CPAN
$self->{session_url} = $self->{session_url_parse} || $self->{session_url_match} || &config($self, 'SessionQuery');
$self->{session_url_force} = &config($self, 'SessionQueryForce');
$self->{session_serialize} = &config($self, 'SessionSerialize');
$self->{secure_session} = &config($self, 'SecureSession');
$self->{http_only_session} = &config($self, 'HTTPOnlySession');
# session timeout in seconds since that is what we work with internally
$self->{session_timeout} = &config($self, 'SessionTimeout', undef, $SessionTimeout) * 60;
$self->{'ua'} = $self->{headers_in}->get('User-Agent') || 'UNKNOWN UA';
# refresh group by some increment smaller than session timeout
# to withstand DoS, bruteforce guessing attacks
# defaults to checking the group once every 2 minutes
$self->{group_refresh} = int($self->{session_timeout} / $self->{state_manager});
# Session state is dependent on internal state
# load at runtime for CGI environments, preloaded for mod_perl
require Apache::ASP::Session;
$session = $self->{Session} = &Apache::ASP::Session::new($self)
|| $self->Die("can't create session");
site/articles/perlmonth3_tune.html view on Meta::CPAN
<tr>
<td bgcolor=#c0c0c0>StateDir</td>
<td bgcolor=#c0c0c0>/tmp/bookmarks</td>
<td bgcolor=#c0c0c0>/tmp/bookmarks</td>
</tr>
<tr bgcolor=white>
<td><b>Comments</b></td>
<td><font size=-1></font></td>
<td><font size=-1>Couldn't believe my eyes when I saw there to be so little difference when not using .htaccess. My guess is that the Apache people optimized this at some point.</font></td>
</tr>
<tr bgcolor=white>
<td><b>Legend</b></td>
<td colspan=2>
<font size=-2 face=verdana>
Configuration items
that start with AP are Apache configuration options, the
rest are Apache::ASP. The
.htaccess one means that configurations are stored in the .htaccess
site/articles/perlmonth3_tune.html view on Meta::CPAN
<tr>
<td bgcolor=#c0c0c0>StateDir</td>
<td bgcolor=#c0c0c0>/tmp/bookmarks</td>
<td bgcolor=#c0c0c0>/tmp/bookmarks</td>
</tr>
<tr bgcolor=white>
<td><b>Comments</b></td>
<td><font size=-1>Couldn't believe my eyes when I saw there to be so little difference when not using .htaccess. My guess is that the Apache people optimized this at some point.</font></td>
<td><font size=-1>This bench only had 684 requests, so there was no parent httpd forking during this time, whereas before there may have been reforking every few seconds during the 30 second bench.</font></td>
</tr>
<tr bgcolor=white>
<td><b>Legend</b></td>
<td colspan=2>
<font size=-2 face=verdana>
Configuration items
that start with AP are Apache configuration options, the
rest are Apache::ASP. The
site/changes.html view on Meta::CPAN
URLs, but with SessionQueryParseMatch set to some server
url regexp, like ^<tt>http://localhost</tt> , will also parse
in the session id for URLs that match that.
When testing, the performance hit from this parsing
a script dropped from 12.5 hits/sec on my WinNT box
to 11.7 hits per second for 1K of buffered output.
The difference is .007 of my PII300's processing power
per second.
For 10K of output then, my guess is that this speed
of script, would be slowed to 6.8 hits per second.
This kind of performance hit would also slow a
script running at 40 hits per second on a UNIX box
to 31 hits/sec for 1K, and to 11 hits/sec for 10K parsed.
Your mileage may vary and you will have to test the difference
yourself. Get yourself a valid URL with a session-id in
it, and run it through ab, or Socrates, with SessionQuery
turned on, and then with SessionQueryParse set to see
the difference. SessionQuery just enables of session id
site/changes.html view on Meta::CPAN
$Session, $Application, $Response, $Request objects available
for use in asp pages.
$Session & $Application data is preserved using SDBM files.
$Session id's are tracked through the use of cookies.
Security
--------
Timeouts any attempt to use a session id that doesn't already
exist. Should stop hackers, since there is no wire speed guessing
cookies.
</pre></font>
</font>
</td>
<td bgcolor=white valign=top>
</td>
site/config.html view on Meta::CPAN
</pre></font>
<p>
<a name=StateManager></a>
<font face=verdana><font class=title size=-1 color=#555555><b>StateManager</b></font>
<font face="courier new" size=3><pre>
</pre></font>default 10, this number specifies the numbers of times per SessionTimeout
that timed out sessions are garbage collected. The bigger the number,
the slower your system, but the more precise Session_OnEnd's will be
run from global.asa, which occur when a timed out session is cleaned up,
and the better able to withstand Session guessing hacking attempts.
The lower the number, the faster a normal system will run.
<font face="courier new" size=3><pre>
</pre></font>The defaults of 20 minutes for SessionTimeout and 10 times for
StateManager, has dead Sessions being cleaned up every 2 minutes.
<font face="courier new" size=3><pre>
PerlSetVar StateManager 10
</pre></font>
<p>
<a name=StateDB></a>
site/objects.html view on Meta::CPAN
<a name=%24Session%20Obj517fb3b8></a>
<font face=verdana><font class=title size=+0 color=#555555><b>$Session Object</b></font>
<font face="courier new" size=3><pre>
</pre></font>The $Session object keeps track of user and web client state, in
a persistent manner, making it relatively easy to develop web
applications. The $Session state is stored across HTTP connections,
in database files in the Global or StateDir directories, and will
persist across web server restarts.
<font face="courier new" size=3><pre>
</pre></font>The user session is referenced by a 128 bit / 32 byte MD5 hex hashed cookie,
and can be considered secure from session id guessing, or session hijacking.
When a hacker fails to guess a session, the system times out for a
second, and with 2**128 (3.4e38) keys to guess, a hacker will not be
guessing an id any time soon.
<font face="courier new" size=3><pre>
</pre></font>If an incoming cookie matches a timed out or non-existent session,
a new session is created with the incoming id. If the id matches a
currently active session, the session is tied to it and returned.
This is also similar to the Microsoft ASP implementation.
<font face="courier new" size=3><pre>
</pre></font>The $Session reference is a hash ref, and can be used as such to
store data as in:
<font face="courier new" size=3><pre>
$Session->{count}++; # increment count by one
( run in 0.370 second using v1.01-cache-2.11-cpan-702932259ff )