Apache2-ClickPath


README  view on Meta::CPAN

    If the requested URI starts with a slash followed by the session prefix
    (see "ClickPathSessionPrefix" below) the rest of the URI up to the next
    slash is treated as session identifier. If for example the requested URI
    is "/-S:s9NNNd:doBAYNNNiaNQOtNNNNNM/index.html" then assuming
    "ClickPathSessionPrefix" is set to "-S:" the session identifier would be
    "s9NNNd:doBAYNNNiaNQOtNNNNNM".

    Starting with version 1.8 a checksum is included in the session ID.
    Further, some parts of the information contained in the session,
    including the checksum, can be encrypted. Both measures make a valid
    session ID hard to guess. If an invalid session ID is detected, an error
    message is printed to the ErrorLog, so a log-watching agent can be set
    up to catch frequent abuses.

    If no session identifier is found a new one is created.

    Then the session prefix and identifier are stripped from the current
    URI. Also a potentially existing session is stripped from the incoming
    "Referer" header.
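
The URI handling described above, as an added sketch that is not the module's own code. The function names and the host `shop.example` are hypothetical, and treating a URI with no slash after the identifier as carrying no session is an assumption the page does not settle.

```python
import re
from urllib.parse import urlsplit, urlunsplit


def split_session(path, prefix="-S:"):
    """Return (session_id, path_without_session).

    session_id is None when the path does not start with "/" + prefix.
    Assumption: an identifier must be followed by a slash to count.
    """
    m = re.match(r"/" + re.escape(prefix) + r"([^/]+)(/.*)$", path, re.S)
    if not m:
        return None, path
    return m.group(1), m.group(2)


def strip_referer(referer, prefix="-S:"):
    """Remove a session component from the path of an incoming Referer URL,
    so the identifier is not passed on with the rest of the request."""
    parts = urlsplit(referer)
    _, clean_path = split_session(parts.path, prefix)
    return urlunsplit(parts._replace(path=clean_path))


if __name__ == "__main__":
    # The URI from the text above, plus a constructed Referer value.
    print(split_session("/-S:s9NNNd:doBAYNNNiaNQOtNNNNNM/index.html"))
    print(strip_referer("http://shop.example/-S:s9NNNd:doBAYNNNiaNQOtNNNNNM/cart?x=1"))
```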

    There are several exceptions to this scheme. Even if the incoming URI

README  view on Meta::CPAN


    ClickPathFriendlySessionsFile
        This directive takes a filename as argument. The file's syntax and
        semantics are the same as for "ClickPathFriendlySessions". The file
        is reread every time it has been changed, avoiding server restarts
        after configuration changes at the price of memory consumption.

    ClickPathSecret
    ClickPathSecretIV
        If you want to run something like a shop with our session
        identifiers, they must be unguessable. That means that even when a
        valid session ID is known, it must be difficult to guess another
        one. With these directives a significant part of the session ID is
        encrypted with Blowfish in cipher block chaining mode, thus making
        the session ID unguessable. "ClickPathSecret" specifies the key,
        "ClickPathSecretIV" the initialization vector.

        "ClickPathSecretIV" is a simple string of arbitrary length. The
        first 8 bytes of its MD5 digest are used as initialization vector.
        If omitted the string "abcd1234" is the IV.

        "ClickPathSecret" is given as "http:", "https:", "file:" or "data:"
        URL. Thus the secret can be stored directly as data-URL in the
        httpd.conf or in a separate file on the local disk or on a possibly
        secured server. To enable all modes of accessing the WEB the

lib/Apache2/ClickPath.pm  view on Meta::CPAN


If the requested URI starts with a slash followed by the session prefix
(see L</"B<ClickPathSessionPrefix>"> below) the rest of the URI up to the next
slash is treated as session identifier. If for example the requested URI
is C</-S:s9NNNd:doBAYNNNiaNQOtNNNNNM/index.html> then assuming
C<ClickPathSessionPrefix> is set to C<-S:> the session identifier would be
C<s9NNNd:doBAYNNNiaNQOtNNNNNM>.

Starting with version 1.8 a checksum is included in the session ID. Further,
some parts of the information contained in the session, including the checksum,
can be encrypted. Both measures make a valid session ID hard to guess. If an
invalid session ID is detected, an error message is printed to the ErrorLog,
so a log-watching agent can be set up to catch frequent abuses.

If no session identifier is found a new one is created.

Then the session prefix and identifier are stripped from the current URI.
Also a potentially existing session is stripped from the incoming C<Referer>
header.

There are several exceptions to this scheme. Even if the incoming URI

lib/Apache2/ClickPath.pm  view on Meta::CPAN

This directive takes a filename as argument. The file's syntax and semantics
are the same as for C<ClickPathFriendlySessions>. The file is reread every time
it has been changed, avoiding server restarts after configuration changes at
the price of memory consumption.

=item B<ClickPathSecret>

=item B<ClickPathSecretIV>

If you want to run something like a shop with our session identifiers, they
must be unguessable. That means that even when a valid session ID is known, it
must be difficult to guess another one. With these directives a significant
part of the session ID is encrypted with Blowfish in cipher block chaining
mode, thus making the session ID unguessable. C<ClickPathSecret> specifies
the key, C<ClickPathSecretIV> the initialization vector.

C<ClickPathSecretIV> is a simple string of arbitrary length. The first 8
bytes of its MD5 digest are used as initialization vector. If omitted the
string C<abcd1234> is the IV.

C<ClickPathSecret> is given as C<http:>, C<https:>, C<file:> or C<data:> URL.
Thus the secret can be stored directly as data-URL in the httpd.conf or in a
separate file on the local disk or on a possibly secured server. To enable
all modes of accessing the web, the http(s)-URL syntax is a bit extended.
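
A configuration review for the two directives described above, as an added example that is not part of Apache2::ClickPath. The function names, sample hosts and file paths are constructed. It assumes the raw (not hex) MD5 digest is meant by "first 8 bytes", and that leaving C<ClickPathSecret> unset means the encryption is not applied.

```python
import hashlib
import re

DEFAULT_IV_STRING = "abcd1234"          # fallback documented above
ALLOWED_SCHEMES = {"http", "https", "file", "data"}

def iv_from_string(iv_string):
    # "First 8 bytes of its MD5 digest"; the raw (not hex) digest is assumed.
    return hashlib.md5(iv_string.encode()).digest()[:8]

def audit_clickpath(conf_text):
    """Return review findings for the ClickPathSecret* directives."""
    seen = {}
    for raw in conf_text.splitlines():
        m = re.match(r"\s*(ClickPathSecret(?:IV)?)\s+(.+?)\s*$", raw, re.I)
        if m:                                   # comment lines never match
            seen[m.group(1).lower()] = m.group(2).strip('"')
    secret, iv = seen.get("clickpathsecret"), seen.get("clickpathsecretiv")
    if secret is None:
        return ["ClickPathSecret not set: session IDs are not encrypted"]
    findings = []
    scheme = secret.split(":", 1)[0].lower()
    if scheme not in ALLOWED_SCHEMES:
        findings.append(f"unsupported URL scheme {scheme!r}")
    elif scheme == "http":
        findings.append("secret is fetched over cleartext HTTP; prefer https: or file:")
    elif scheme == "data":
        findings.append("secret is inline in the config; restrict read access to the file")
    if iv is None or iv == DEFAULT_IV_STRING:
        findings.append("default IV string in use; set a site-specific ClickPathSecretIV")
    return findings

# Constructed sample configurations (not taken from the module's documentation).
WEAK = """
ClickPathSessionPrefix -S:
ClickPathSecret http://keys.example.internal/clickpath.key
"""
BETTER = """
ClickPathSessionPrefix -S:
ClickPathSecret file:///etc/apache2/clickpath.key
ClickPathSecretIV "constructed per-site IV string"
"""

if __name__ == "__main__":
    for name, conf in (("WEAK", WEAK), ("BETTER", BETTER)):
        print(name, audit_clickpath(conf))
    print("IV bytes:", iv_from_string("constructed per-site IV string").hex())
```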


