Changing browser URL based on condition

am 11.07.2011 20:48:09 von Jerry Pereira

--bcaec520f3a7eab11904a7cf9fc7
Content-Type: text/plain; charset=ISO-8859-1

Hi All,

I would like to know if there is a way to change the URL displayed on
browser without using Redirect option. The URL visible on client browser
must be based on some condition that is evaluated in my mod_perl handler.

For example -

1. User types the URL - www.example.com, this will display the login page.
2. Once the user enters the credentials and hits submit, the request is
posted to www.example.com/login action.
3. If the credentials entered by the user is valid then i would like to show
the home page..uri
4. I am able to show the homw page, but the URL does not change to
www.example.com/home, instead it remains the same (i.e.
www.example.com/login). I am using Template toolkit to render my pages. I
tried $req->url('/home'), but that does not change the browser URI.

Any help will be appreciated.

Thanks,
Jerry

--bcaec520f3a7eab11904a7cf9fc7
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

Hi All,

I would like to know if there is a way to change the URL displayed on >browser without using Redirect option. The URL visible on client browser r>must be based on some condition that is evaluated in my mod_perl handler.=

For example -

1. User types the URL - www.example.=
com, this will display the login page.
2. Once the user enters the c=
redentials and hits submit, the request is
posted to ww.example.com/login">www.example.com/login action.

3. If the credentials entered by the user is valid then i would like to sho=
w
the home page..uri
4. I am able to show the homw page, but the URL =
does not change to
www.example.c=
om/home, instead it remains the same (i.e.

). I am u=
sing Template toolkit to render my pages. I
tried $req->url('/hom=
e'), but that does not change the browser URI.

Any help will be appreciated.

Thanks,
Jerry

--bcaec520f3a7eab11904a7cf9fc7--

Re: Changing browser URL based on condition

am 11.07.2011 20:57:50 von Ronald J Kimball

On Mon, Jul 11, 2011 at 11:48:09AM -0700, Jerry Pereira wrote:

> I would like to know if there is a way to change the URL displayed on
> browser without using Redirect option. The URL visible on client browser
> must be based on some condition that is evaluated in my mod_perl handler.

Imagine if a web page could cause the browser to display any URL it wanted,
rather than the URL of the page the user is actually viewing... That would
be a huge security hole for spoofing of web sites!

So, why don't you want to do a redirect, exactly?

Ronald

RE: Changing browser URL based on condition

am 11.07.2011 21:03:34 von Edward.Szekeres

--_000_D4703BE836D28841863FE6226C9DAA7405B310amermbx01perkin el_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

If you are looking to do this for "cosmetic reasons", I do this be simply u=
sing frame sets and doing redirects in the child frame. The URL displayed =
in the location bar will always be constant for the parent frame. I don't =
think there is any way to do this at the core level or it would be a spoofe=
rs windfall. The browser will always have the actual location in the info=
panel.

From: Jerry Pereira [mailto:online.jerry@gmail.com]
Sent: Monday, July 11, 2011 2:48 PM
To: modperl@perl.apache.org
Subject: Changing browser URL based on condition

Hi All,

I would like to know if there is a way to change the URL displayed on
browser without using Redirect option. The URL visible on client browser
must be based on some condition that is evaluated in my mod_perl handler.

For example -

1. User types the URL - www.example.com, this will=
display the login page.
2. Once the user enters the credentials and hits submit, the request is
posted to www.example.com/login action.
3. If the credentials entered by the user is valid then i would like to sho=
w
the home page..uri
4. I am able to show the homw page, but the URL does not change to
www.example.com/home, instead it remains the s=
ame (i.e.
www.example.com/login). I am using Template t=
oolkit to render my pages. I
tried $req->url('/home'), but that does not change the browser URI.

Any help will be appreciated.

Thanks,
Jerry

--_000_D4703BE836D28841863FE6226C9DAA7405B310amermbx01perkin el_
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

osoft-com:office:office" xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" xmlns=3D"http:=
//www.w3.org/TR/REC-html40">

>

libri","sans-serif";color:#1F497D">If you are looking to do =
this for “cosmetic reasons”, I do this be simply using frame se=
ts and doing redirects in the child frame. The URL displayed in the
location bar will always be constant for the parent frame. I donR=
17;t think there is any way to do this at the core level or it would be a s=
poofers windfall. The browser will always have the actual locat=
ion in the info panel.

libri","sans-serif";color:#1F497D"> <=
/p>

;Tahoma","sans-serif"">From: ize:10.0pt;font-family:"Tahoma","sans-serif""> Jerry Pe=
reira [mailto:online.jerry@gmail.com]

Sent: Monday, July 11, 2011 2:48 PM

To: modperl@perl.apache.org

Subject: Changing browser URL based on condition p>

Hi All,

I would like to know if there is a way to change the URL displayed on >
browser without using Redirect option. The URL visible on client browser >
must be based on some condition that is evaluated in my mod_perl handler. :p>

For example -

1. User types the URL - www.example.=
com, this will display the login page.

2. Once the user enters the credentials and hits submit, the request is

posted to www.example.com/login > action.

3. If the credentials entered by the user is valid then i would like to sho=
w

the home page..uri

4. I am able to show the homw page, but the URL does not change to

, instead i=
t remains the same (i.e.

). I am u=
sing Template toolkit to render my pages. I

tried $req->url('/home'), but that does not change the browser URI.=

Any help will be appreciated.

Thanks,

Jerry

--_000_D4703BE836D28841863FE6226C9DAA7405B310amermbx01perkin el_--

Re: Changing browser URL based on condition

am 11.07.2011 21:10:02 von Octavian Rasnita

From: "Jerry Pereira"
> Hi All,
>=20
> I would like to know if there is a way to change the URL displayed on
> browser without using Redirect option.=20

Nope, not possible.

You need to do that redirection somehow.

What the user sees in the address bar is the URL accessed by the =
browser. If the browser is not told to access a certain URL, how can =
that URL appear in the address bar?

Why don't you want to do that redirection?

It is pretty common (and recommended) to do a redirect after POST =
because in that case the users won't need to meet that ugly warning =
window that appear if the user does a page refresh after the POST.

Octavian

Re: Changing browser URL based on condition

am 11.07.2011 21:14:01 von Jerry Pereira

--bcaec544f078629d3a04a7cffc06
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: quoted-printable

Hi Edward,

I have the following design:

A single PerlResponseHandler for all requests. This handler based on the
path decides the action to be taken

For example, if the user submits to www.example.com/login, then the handler
delegates the request to authentication module, which will then either
display the home page (throug home page template) or login page again, base=
d
on the success/failure of authentication mechanism. Since i am rendering th=
e
page via template, i am able to generate the content of home page which i
then send back to the client, but the URL on the browser remails the same
(i.e. www.example.com/login), which is not true. Any suggestions to handle
this scenario will be great.

Thanks,
Jerry

On Mon, Jul 11, 2011 at 12:03 PM, Szekeres, Edward <
Edward.Szekeres@perkinelmer.com> wrote:

> If you are looking to do this for =93cosmetic reasons=94, I do this be s=
imply
> using frame sets and doing redirects in the child frame. The URL display=
ed
> in the location bar will always be constant for the parent frame. I don=
=92t
> think there is any way to do this at the core level or it would be a
> spoofers windfall. The browser will always have the actual location in =
the
> info panel.****
>
> ** **
>
> *From:* Jerry Pereira [mailto:online.jerry@gmail.com]
> *Sent:* Monday, July 11, 2011 2:48 PM
> *To:* modperl@perl.apache.org
> *Subject:* Changing browser URL based on condition****
>
> ** **
>
> Hi All,****
>
> I would like to know if there is a way to change the URL displayed on
> browser without using Redirect option. The URL visible on client browser
> must be based on some condition that is evaluated in my mod_perl handler.=
*
> ***
>
> For example -****
>
> 1. User types the URL - www.example.com, this will display the login page=
..
> 2. Once the user enters the credentials and hits submit, the request is
> posted to www.example.com/login action.
> 3. If the credentials entered by the user is valid then i would like to
> show
> the home page..uri
> 4. I am able to show the homw page, but the URL does not change to
> www.example.com/home, instead it remains the same (i.e.
> www.example.com/login). I am using Template toolkit to render my pages. I
> tried $req->url('/home'), but that does not change the browser URI.****
>
> Any help will be appreciated.****
>
>
> Thanks,
> Jerry****
>

--=20
Your clothes may be the latest in style but you aint completely dressed
until you wear a smile!
Keep smiling : )

--bcaec544f078629d3a04a7cffc06
Content-Type: text/html; charset=windows-1252
Content-Transfer-Encoding: quoted-printable

Hi Edward,

=A0

I have the following design:

=A0

A single PerlResponseHandler for all requests. This handler based on t=
he path decides the action to be taken

=A0

For example, if the user submits to login">www.example.com/login, then the handler delegates the request to=
authentication module, which will then either display the home page (throu=
g home page template) or login page again, based on the success/failure of =
authentication mechanism. Since i am rendering the page via template, i am =
able to generate the content of home page which i then send back to the cli=
ent, but the URL on the browser remails the same (i.e. w.example.com/login">www.example.com/login), which is not true. Any sug=
gestions to handle this scenario will be great.

=A0

Thanks,

Jerry

On Mon, Jul 11, 2011 at 12:03 PM, Szekeres, Edwa=
rd < >Edward.Szekeres@perkinelmer.com> wrote:

; PADDING-LEFT: 1ex" class=3D"gmail_quote">

If y=
ou are looking to do this for =93cosmetic reasons=94, I do this be simply u=
sing frame sets and doing redirects in the child frame.=A0 The URL displaye=
d in the location bar will always be constant for the parent frame.=A0 I do=
n=92t think there is any way to do this at the core level or it would be a =
spoofers windfall. The browser will always have the actual location i=
n the info panel.

<=
/u>=A0

From:<=
span style=3D"FONT-SIZE: 10pt"> Jerry Pereira [mailto: ine.jerry@gmail.com" target=3D"_blank">online.jerry@gmail.com]
S=
ent: Monday, July 11, 2011 2:48 PM

To: mod=
perl@perl.apache.org
Subject: Changing browser URL based on c=
ondition

=A0

Hi All,

I would like to know if there is a way to change the URL displayed on >browser without using Redirect option. The URL visible on client browser r>must be based on some condition that is evaluated in my mod_perl handler.=

For example -

1. User types the URL - lank">www.example.com, this will display the login page.
2. Once the=
user enters the credentials and hits submit, the request is
posted to <=
a href=3D"http://www.example.com/login" target=3D"_blank">www.example.com/l=
ogin action.

3. If the credentials entered by the user is valid then i would like to sho=
w
the home page..uri
4. I am able to show the homw page, but the URL =
does not change to
ank">www.example.com/home, instead it remains the same (i.e.

www.example.com/=
login). I am using Template toolkit to render my pages. I
tried $req=
->url('/home'), but that does not change the browser URI.=

Any help will be appreciated.

Thanks,
Jerry
te>

--
Your clothes may be the latest in=
style but you aint completely dressed until you wear a smile!
Keep smil=
ing : )

--bcaec544f078629d3a04a7cffc06--

Re: Changing browser URL based on condition

am 11.07.2011 21:29:32 von mpeters

On 07/11/2011 03:14 PM, Jerry Pereira wrote:
> Any suggestions to handle this scenario will be great.

As others have noted, there isn't a way to do this. If it's a
requirement of your application then the only way to handle it is to do
redirection. And as others have pointed out it's a good idea to do a
redirect after a POST anyway since it prevents other problems.

--
Michael Peters
Plus Three, LP

Re: Changing browser URL based on condition

am 11.07.2011 21:30:43 von Doug Sims

--001636b2af791c268604a7d03884
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: quoted-printable

Much better to go with a more RESTful approach - the URL is the identifier
for the page and you don't want that identifier to represent the wrong page=
,
e.g. if example.com/login sometimes returns the home page and sometimes
returns some other page (assuming you can login from and return to multiple
pages.)

Make it so that your home page (or any page) have a login form (or link
which expands to a login form) which POSTs to the login page (or to think o=
f
it in a RESTful way, PUT to a "sessions" URL, thus defining the idea of
"create a new session" - except that browser forms have problems with PUT).
Then from the login page do a redirect to whatever was the referer.

On Mon, Jul 11, 2011 at 12:14 PM, Jerry Pereira wro=
te:

> Hi Edward,
>
> I have the following design:
>
> A single PerlResponseHandler for all requests. This handler based on the
> path decides the action to be taken
>
> For example, if the user submits to www.example.com/login, then the
> handler delegates the request to authentication module, which will then
> either display the home page (throug home page template) or login page
> again, based on the success/failure of authentication mechanism. Since i =
am
> rendering the page via template, i am able to generate the content of hom=
e
> page which i then send back to the client, but the URL on the browser
> remails the same (i.e. www.example.com/login), which is not true. Any
> suggestions to handle this scenario will be great.
>
> Thanks,
> Jerry
>
> On Mon, Jul 11, 2011 at 12:03 PM, Szekeres, Edward <
> Edward.Szekeres@perkinelmer.com> wrote:
>
>> If you are looking to do this for =93cosmetic reasons=94, I do this be
>> simply using frame sets and doing redirects in the child frame. The URL
>> displayed in the location bar will always be constant for the parent fra=
me.
>> I don=92t think there is any way to do this at the core level or it woul=
d be a
>> spoofers windfall. The browser will always have the actual location in=
the
>> info panel.****
>>
>> ** **
>>
>> *From:* Jerry Pereira [mailto:online.jerry@gmail.com]
>> *Sent:* Monday, July 11, 2011 2:48 PM
>> *To:* modperl@perl.apache.org
>> *Subject:* Changing browser URL based on condition****
>>
>> ** **
>>
>> Hi All,****
>>
>> I would like to know if there is a way to change the URL displayed on
>> browser without using Redirect option. The URL visible on client browser
>> must be based on some condition that is evaluated in my mod_perl handler=
..
>> ****
>>
>> For example -****
>>
>> 1. User types the URL - www.example.com, this will display the login
>> page.
>> 2. Once the user enters the credentials and hits submit, the request is
>> posted to www.example.com/login action.
>> 3. If the credentials entered by the user is valid then i would like to
>> show
>> the home page..uri
>> 4. I am able to show the homw page, but the URL does not change to
>> www.example.com/home, instead it remains the same (i.e.
>> www.example.com/login). I am using Template toolkit to render my pages. =
I
>> tried $req->url('/home'), but that does not change the browser URI.****
>>
>> Any help will be appreciated.****
>>
>>
>> Thanks,
>> Jerry****
>>
>
>
>
> --
> Your clothes may be the latest in style but you aint completely dressed
> until you wear a smile!
> Keep smiling : )
>

--001636b2af791c268604a7d03884
Content-Type: text/html; charset=windows-1252
Content-Transfer-Encoding: quoted-printable

Much better to go with a more RESTful approach - the URL is the identifier =
for the page and you don't want that identifier to represent the wrong =
page, e.g. if so=
metimes returns the home page and sometimes returns some other page (assumi=
ng you can login from and return to multiple pages.)

Make it so that your home page (or any page) have a login fo=
rm (or link which expands to a login form) which POSTs to the login page (o=
r to think of it in a RESTful way, PUT to a "sessions" URL, thus =
defining the idea of "create a new session" - except that browser=
forms have problems with PUT). =A0Then from the login page do a redirect t=
o whatever was the referer.

On Mon, Jul 11, 2011=
at 12:14 PM, Jerry Pereira < jerry@gmail.com">online.jerry@gmail.com> wrote:
e class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc sol=
id;padding-left:1ex;">

Hi Edward,

=A0

I have the following design:

=A0

A single PerlResponseHandler for all requests. This handler based on t=
he path decides the action to be taken

=A0

For example, if the user submits to login" target=3D"_blank">www.example.com/login, then the handler delega=
tes the request to authentication module, which will then either display th=
e home page (throug home page template) or login page again, based on the s=
uccess/failure of authentication mechanism. Since i am rendering the page v=
ia template, i am able to generate the content of home page which i then se=
nd back to the client, but the URL on the browser remails the same (i.e. href=3D"http://www.example.com/login" target=3D"_blank">www.example.com/lo=
gin), which is not true. Any suggestions to handle this scenario will b=
e great.

=A0

Thanks,

Jerry

On Mon, Jul 11, 2011 at 12:03 PM, Szekeres, Edwa=
rd < target=3D"_blank">Edward.Szekeres@perkinelmer.com> wrote: >

dding-left:1ex" class=3D"gmail_quote">

If you =
are looking to do this for =93cosmetic reasons=94, I do this be simply usin=
g frame sets and doing redirects in the child frame.=A0 The URL displayed i=
n the location bar will always be constant for the parent frame.=A0 I don=
=92t think there is any way to do this at the core level or it would be a s=
poofers windfall. The browser will always have the actual location in=
the info panel.

=
=A0

From: pan style=3D"font-size:10pt"> Jerry Pereira [mailto: e.jerry@gmail.com" target=3D"_blank">online.jerry@gmail.com]
Sen=
t: Monday, July 11, 2011 2:48 PM

To: mod=
perl@perl.apache.org
Subject: Changing browser URL based on c=
ondition

=A0

Hi All,

I would like to know if there is a way to change the URL displayed on >browser without using Redirect option. The URL visible on client browser r>must be based on some condition that is evaluated in my mod_perl handler.=

For example -

1. User types the URL - lank">www.example.com, this will display the login page.
2. Once the=
user enters the credentials and hits submit, the request is
posted to <=
a href=3D"http://www.example.com/login" target=3D"_blank">www.example.com/l=
ogin action.

3. If the credentials entered by the user is valid then i would like to sho=
w
the home page..uri
4. I am able to show the homw page, but the URL =
does not change to
ank">www.example.com/home, instead it remains the same (i.e.

www.example.com/=
login). I am using Template toolkit to render my pages. I
tried $req=
->url('/home'), but that does not change the browser URI.=

Any help will be appreciated.

Thanks,
Jerry
te>

-- <=
br>Your clothes may be the latest in style but you aint completely dressed =
until you wear a smile!

Keep smiling : )

--001636b2af791c268604a7d03884--

Re: Changing browser URL based on condition

am 11.07.2011 21:34:45 von Octavian Rasnita

From: "Jerry Pereira"

Hi Edward,

I have the following design:

A single PerlResponseHandler for all requests. This handler based on the
path decides the action to be taken

For example, if the user submits to www.example.com/login, then the =
handler
delegates the request to authentication module, which will then either
display the home page (throug home page template) or login page again, =
based
on the success/failure of authentication mechanism.=20

Instead of displaying those pages, why can't the authentication module =
do a redirect to the handler that display the wanted page?

Octavian

Re: Changing browser URL based on condition

am 11.07.2011 21:37:09 von mk

On Mon, 11 Jul 2011 11:48:09 -0700
Jerry Pereira wrote:
> 1. User types the URL - www.example.com, this will display the login
> page.
> 2. Once the user enters the credentials and hits submit, the request
> is posted to www.example.com/login action.
> 3. If the credentials entered by the user is valid then i would like
> to show the home page..uri
> 4. I am able to show the homw page, but the URL does not change to
> www.example.com/home, instead it remains the same (i.e.
> www.example.com/login).

One important reason to do something like that is because you do not
want the user to bookmark or otherwise pass on an url with completely
ambiguous content -- /login should refer to the login page, /home should
refer to the home page, they are two different things. Having /login
refer to both is no good. So I think your desire is justified.

IMO, this is best handled client-side: you return your login data via
an AJAX call. If the login succeeds, the client loads /home. If the
login has failed, the client displays a message to that effect. You
need to prevent spoofed access to /home, but of course you have to do
that anyway (via cookies or whatever method you are already using).

--
"Enthusiasm is not the enemy of the intellect." (said of Irving Howe)
"The angel of history[...]is turned toward the past." (Walter Benjamin)

Re: Changing browser URL based on condition

am 11.07.2011 21:41:35 von Brad Van Sickle

This is a multi-part message in MIME format.
--------------060000090505040806040106
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 8bit

Agree with the consensus. The URI should be descriptive of the
function, so any requests to /login should be from users who are
attempting to... login. The home page should be housed under a separate
URL (/home for example)

After the user has authenticated, the login module should redirect to
the /home URI. Any links to the home page from within the application
should likewise refer to /home. You should have security in place to
redirect any unauthenticated users to /login before requests for /home
(or any other part of your application) are processed.

If you for some reason simply MUST keep referring people to /login when
they are expecting to see the home page, put code in your login module
to check for authenticated users and redirect them to /home before
displaying the login page. If the user doesn't have a session, then go
ahead and display the login form.

On 11-07-11 03:14 PM, Jerry Pereira wrote:
> Hi Edward,
> I have the following design:
> A single PerlResponseHandler for all requests. This handler based on
> the path decides the action to be taken
> For example, if the user submits to www.example.com/login
> , then the handler delegates the request
> to authentication module, which will then either display the home page
> (throug home page template) or login page again, based on the
> success/failure of authentication mechanism. Since i am rendering the
> page via template, i am able to generate the content of home page
> which i then send back to the client, but the URL on the browser
> remails the same (i.e. www.example.com/login
> ), which is not true. Any suggestions to
> handle this scenario will be great.
> Thanks,
> Jerry
>
> On Mon, Jul 11, 2011 at 12:03 PM, Szekeres, Edward
> > > wrote:
>
> If you are looking to do this for cosmetic reasons, I do this be
> simply using frame sets and doing redirects in the child frame.
> The URL displayed in the location bar will always be constant for
> the parent frame. I dont think there is any way to do this at
> the core level or it would be a spoofers windfall. The browser
> will always have the actual location in the info panel.
>
> *From:*Jerry Pereira [mailto:online.jerry@gmail.com
> ]
> *Sent:* Monday, July 11, 2011 2:48 PM
> *To:* modperl@perl.apache.org
> *Subject:* Changing browser URL based on condition
>
> Hi All,
>
> I would like to know if there is a way to change the URL displayed on
> browser without using Redirect option. The URL visible on client
> browser
> must be based on some condition that is evaluated in my mod_perl
> handler.
>
> For example -
>
> 1. User types the URL - www.example.com ,
> this will display the login page.
> 2. Once the user enters the credentials and hits submit, the
> request is
> posted to www.example.com/login action.
> 3. If the credentials entered by the user is valid then i would
> like to show
> the home page..uri
> 4. I am able to show the homw page, but the URL does not change to
> www.example.com/home , instead it
> remains the same (i.e.
> www.example.com/login ). I am using
> Template toolkit to render my pages. I
> tried $req->url('/home'), but that does not change the browser URI.
>
> Any help will be appreciated.
>
>
> Thanks,
> Jerry
>
>
>
>
> --
> Your clothes may be the latest in style but you aint completely
> dressed until you wear a smile!
> Keep smiling : )

--------------060000090505040806040106
Content-Type: text/html; charset=windows-1252
Content-Transfer-Encoding: 8bit

http-equiv="Content-Type">

Agree with the consensus. The URI should be descriptive of the
function, so any requests to /login should be from users who are
attempting to... login. The home page should be housed under a
separate URL (/home for example)

After the user has authenticated, the login module should redirect
to the /home URI. Any links to the home page from within the
application should likewise refer to /home. You should have
security in place to redirect any unauthenticated users to /login
before requests for /home (or any other part of your application)
are processed.

If you for some reason simply MUST keep referring people to /login
when they are expecting to see the home page, put code in your login
module to check for authenticated users and redirect them to /home
before displaying the login page. If the user doesn't have a
session, then go ahead and display the login form.

On 11-07-11 03:14 PM, Jerry Pereira wrote:
cite="mid:CA+AtUcWaHxS-dd05TqkrV1JH8LWueM6SB-kxb3XkDyya_K2nQ w@mail.gmail.com"
type="cite">

Hi Edward,

I have the following design:

A single PerlResponseHandler for all requests. This handler
based on the path decides the action to be taken

For example, if the user submits to moz-do-not-send="true" href="http://www.example.com/login">www.example.com/login,
then the handler delegates the request to authentication module,
which will then either display the home page (throug home page
template) or login page again, based on the success/failure of
authentication mechanism. Since i am rendering the page via
template, i am able to generate the content of home page which i
then send back to the client, but the URL on the browser remails
the same (i.e. href="http://www.example.com/login">www.example.com/login),
which is not true. Any suggestions to handle this scenario will
be great.

Thanks,

Jerry

On Mon, Jul 11, 2011 at 12:03 PM,
Szekeres, Edward < href="mailto:Edward.Szekeres@perkinelmer.com">Edward.Szekere s@perkinelmer.com>
wrote:

class="gmail_quote">

If you are looking to do this for
cosmetic reasons, I do this be simply using frame
sets and doing redirects in the child frame. The URL
displayed in the location bar will always be constant
for the parent frame. I dont think there is any way
to do this at the core level or it would be a spoofers
windfall. The browser will always have the actual
location in the info panel.

From: style="font-size: 10pt;"> Jerry Pereira [mailto: moz-do-not-send="true"
href="mailto:online.jerry@gmail.com" target="_blank">online.jerry@gmail.com]

Sent: Monday, July 11, 2011 2:48 PM

To: href="mailto:modperl@perl.apache.org"
target="_blank">modperl@perl.apache.org

Subject: Changing browser URL based on
condition

Hi All,

I would like to know if there is a way to change
the URL displayed on

browser without using Redirect option. The URL
visible on client browser

must be based on some condition that is evaluated in
my mod_perl handler.

For example -

1. User types the URL - href="http://www.example.com/" target="_blank">www.example.com,
this will display the login page.

2. Once the user enters the credentials and hits
submit, the request is

posted to href="http://www.example.com/login"
target="_blank">www.example.com/login action.

3. If the credentials entered by the user is valid
then i would like to show

the home page..uri

4. I am able to show the homw page, but the URL does
not change to

href="http://www.example.com/home" target="_blank">www.example.com/home,
instead it remains the same (i.e.

href="http://www.example.com/login"
target="_blank">www.example.com/login). I am
using Template toolkit to render my pages. I

tried $req->url('/home'), but that does not
change the browser URI.

Any help will be appreciated.

Thanks,

Jerry

--

Your clothes may be the latest in style but you aint completely
dressed until you wear a smile!

Keep smiling : )

--------------060000090505040806040106--

RE: Changing browser URL based on condition

am 11.07.2011 21:42:39 von Edward.Szekeres

It seems to be just an attempt to do what is already done in Apache2::AuthC=
ookie (CPAN), which encapsulates a server side authentication.

-----Original Message-----
From: MK [mailto:mk@cognitivedissonance.ca]=20
Sent: Monday, July 11, 2011 3:37 PM
To: modperl@perl.apache.org
Subject: Re: Changing browser URL based on condition

On Mon, 11 Jul 2011 11:48:09 -0700
Jerry Pereira wrote:
> 1. User types the URL - www.example.com, this will display the login
> page.
> 2. Once the user enters the credentials and hits submit, the request
> is posted to www.example.com/login action.
> 3. If the credentials entered by the user is valid then i would like
> to show the home page..uri
> 4. I am able to show the homw page, but the URL does not change to
> www.example.com/home, instead it remains the same (i.e.
> www.example.com/login).=20

One important reason to do something like that is because you do not
want the user to bookmark or otherwise pass on an url with completely
ambiguous content -- /login should refer to the login page, /home should
refer to the home page, they are two different things. Having /login
refer to both is no good. So I think your desire is justified.

IMO, this is best handled client-side: you return your login data via
an AJAX call. If the login succeeds, the client loads /home. If the
login has failed, the client displays a message to that effect. You
need to prevent spoofed access to /home, but of course you have to do
that anyway (via cookies or whatever method you are already using).

--=20
"Enthusiasm is not the enemy of the intellect." (said of Irving Howe)
"The angel of history[...]is turned toward the past." (Walter Benjamin)

Re: Changing browser URL based on condition

am 11.07.2011 21:54:00 von aw

Szekeres, Edward wrote:
> It seems to be just an attempt to do what is already done in Apache2::AuthCookie (CPAN), which encapsulates a server side authentication.
>
>
+1
Exactly.
And I would add that before you start trying to implement you own authentication logic,
you should really think twice. HTTP authentication is a lot more messy than what you
would at first think, and you should first have a look at some existing CPAN modules like
the one mentioned above, and browse the code to understand what they are doing and why. Or
just use them, they work.

Just one aspect : if the URL from which the browser "thinks" the current page is coming,
is not the one from which the page is really coming, then it also means that any
/relative/ link inside your pages is not going to work as you expect it to.

Re: Changing browser URL based on condition

am 11.07.2011 22:34:30 von Jerry Pereira

--bcaec53963943f3b1604a7d11c74
Content-Type: text/plain; charset=ISO-8859-1

Thanks Guys!!! I will go ahead with Redirect approach. I was more interested
in building a generic framework for my application that would handle such
scenarios (login was just one of them).

On Mon, Jul 11, 2011 at 12:42 PM, Szekeres, Edward <
Edward.Szekeres@perkinelmer.com> wrote:

> It seems to be just an attempt to do what is already done in
> Apache2::AuthCookie (CPAN), which encapsulates a server side authentication.
>
>
> -----Original Message-----
> From: MK [mailto:mk@cognitivedissonance.ca]
> Sent: Monday, July 11, 2011 3:37 PM
> To: modperl@perl.apache.org
> Subject: Re: Changing browser URL based on condition
>
> On Mon, 11 Jul 2011 11:48:09 -0700
> Jerry Pereira wrote:
> > 1. User types the URL - www.example.com, this will display the login
> > page.
> > 2. Once the user enters the credentials and hits submit, the request
> > is posted to www.example.com/login action.
> > 3. If the credentials entered by the user is valid then i would like
> > to show the home page..uri
> > 4. I am able to show the homw page, but the URL does not change to
> > www.example.com/home, instead it remains the same (i.e.
> > www.example.com/login).
>
> One important reason to do something like that is because you do not
> want the user to bookmark or otherwise pass on an url with completely
> ambiguous content -- /login should refer to the login page, /home should
> refer to the home page, they are two different things. Having /login
> refer to both is no good. So I think your desire is justified.
>
> IMO, this is best handled client-side: you return your login data via
> an AJAX call. If the login succeeds, the client loads /home. If the
> login has failed, the client displays a message to that effect. You
> need to prevent spoofed access to /home, but of course you have to do
> that anyway (via cookies or whatever method you are already using).
>
> --
> "Enthusiasm is not the enemy of the intellect." (said of Irving Howe)
> "The angel of history[...]is turned toward the past." (Walter Benjamin)
>
>

--
Your clothes may be the latest in style but you aint completely dressed
until you wear a smile!
Keep smiling : )

--bcaec53963943f3b1604a7d11c74
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

Thanks Guys!!! I will go ahead with Redirect approach. I was more intereste=
d in building a generic framework for my application that would handle such=
scenarios (login was just one of them).

>
On Mon, Jul 11, 2011 at 12:42 PM, Szekeres, Edward < href=3D"mailto:Edward.Szekeres@perkinelmer.com">Edward.Szeke res@perkinelme=
r.com> wrote:

argin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
It seems to be just an attempt to do what is already done in Apache2::AuthC=
ookie (CPAN), which encapsulates a server side authentication.

-----Original Message-----

From: MK [mailto:mk@cognitived=
issonance.ca]

Sent: Monday, July 11, 2011 3:37 PM

To: <=
br>

Subject: Re: Changing browser URL b=
ased on condition

On Mon, 11 Jul 2011 11:48:09 -0700

Jerry Pereira <online.jerry@gm=
ail.com> wrote:

> 1. User types the URL - blank">www.example.com, this will display the login

> page.

> 2. Once the user enters the credentials and hits submit, the request r>
> is posted to ">www.example.com/login action.

> 3. If the credentials entered by the user is valid then i would like r>
> to show the home page..uri

> 4. I am able to show the homw page, but the URL does not change to

> www.example.=
com/home, instead it remains the same (i.e.

> www.example=
..com/login).

One important reason to do something like that is because you do not

want the user to bookmark or otherwise pass on an url with completely

ambiguous content -- /login should refer to the login page, /home should >
refer to the home page, they are two different things. =A0Having /login

refer to both is no good. So I think your desire is justified.

IMO, this is best handled client-side: you return your login data via

an AJAX call. =A0If the login succeeds, the client loads /home. =A0If the r>
login has failed, the client displays a message to that effect. =A0 You

need to prevent spoofed access to /home, but of course you have to do

that anyway (via cookies or whatever method you are already using).

--

"Enthusiasm is not the enemy of the intellect." (said of Irving H=
owe)

"The angel of history[...]is turned toward the past." (Walter Ben=
jamin)

--
Your clothe=
s may be the latest in style but you aint completely dressed until you wear=
a smile!
Keep smiling : )

--bcaec53963943f3b1604a7d11c74--

RE: Changing browser URL based on condition

am 11.07.2011 22:42:23 von James.B.Muir

--_000_527C4914F1B2EA47B38422DE0FA05A650651BEE390DH201DHMCMa st_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

I think you need to do a redirect. From within your mod_perl handler try so=
mething like this:

$r->content_type("text/plain");

$r->headers_out->set(Location=3D>$url);

return Apache2::Const::HTTP_TEMPORARY_REDIRECT;

From: Jerry Pereira [mailto:online.jerry@gmail.com]
Sent: Monday, July 11, 2011 2:48 PM
To: modperl@perl.apache.org
Subject: Changing browser URL based on condition

Hi All,

I would like to know if there is a way to change the URL displayed on
browser without using Redirect option. The URL visible on client browser
must be based on some condition that is evaluated in my mod_perl handler.

For example -

1. User types the URL - www.example.com, this will=
display the login page.
2. Once the user enters the credentials and hits submit, the request is
posted to www.example.com/login action.
3. If the credentials entered by the user is valid then i would like to sho=
w
the home page..uri
4. I am able to show the homw page, but the URL does not change to
www.example.com/home, instead it remains the s=
ame (i.e.
www.example.com/login). I am using Template t=
oolkit to render my pages. I
tried $req->url('/home'), but that does not change the browser URI.

Any help will be appreciated.

Thanks,
Jerry

IMPORTANT NOTICE REGARDING THIS ELECTRONIC MESSAGE:

This message is intended for the use of the person to whom it is addressed =
and may contain information that is privileged, confidential, and protected=
from disclosure under applicable law. If you are not the intended recipien=
t, your use of this message for any purpose is strictly prohibited. If you =
have received this communication in error, please delete the message and no=
tify the sender so that we may correct our records.

--_000_527C4914F1B2EA47B38422DE0FA05A650651BEE390DH201DHMCMa st_
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

osoft-com:office:office" xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:x=3D"urn:schemas-microsoft-com:office:excel" xmlns:p=3D"urn:schemas-m=
icrosoft-com:office:powerpoint" xmlns:a=3D"urn:schemas-microsoft-com:office=
:access" xmlns:dt=3D"uuid:C2F41010-65B3-11d1-A29F-00AA00C14882" xmlns:s=3D"=
uuid:BDC6E3F0-6DA3-11d1-A2A3-00AA00C14882" xmlns:rs=3D"urn:schemas-microsof=
t-com:rowset" xmlns:z=3D"#RowsetSchema" xmlns:b=3D"urn:schemas-microsoft-co=
m:office:publisher" xmlns:ss=3D"urn:schemas-microsoft-com:office:spreadshee=
t" xmlns:c=3D"urn:schemas-microsoft-com:office:component:spread sheet" xmlns=
:odc=3D"urn:schemas-microsoft-com:office:odc" xmlns:oa=3D"urn:schemas-micro=
soft-com:office:activation" xmlns:html=3D"http://www.w3.org/TR/REC-html40" =
xmlns:q=3D"http://schemas.xmlsoap.org/soap/envelope/" xmlns:rtc=3D"http://m=
icrosoft.com/officenet/conferencing" xmlns:D=3D"DAV:" xmlns:Repl=3D"http://=
schemas.microsoft.com/repl/" xmlns:mt=3D"http://schemas.microsoft.com/share=
point/soap/meetings/" xmlns:x2=3D"http://schemas.microsoft.com/office/excel=
/2003/xml" xmlns:ppda=3D"http://www.passport.com/NameSpace.xsd" xmlns:ois=
=3D"http://schemas.microsoft.com/sharepoint/soap/ois/" xmlns:dir=3D"http://=
schemas.microsoft.com/sharepoint/soap/directory/" xmlns:ds=3D"http://www.w3=
..org/2000/09/xmldsig#" xmlns:dsp=3D"http://schemas.microsoft.com/sharepoint=
/dsp" xmlns:udc=3D"http://schemas.microsoft.com/data/udc" xmlns:xsd=3D"http=
://www.w3.org/2001/XMLSchema" xmlns:sub=3D"http://schemas.microsoft.com/sha=
repoint/soap/2002/1/alerts/" xmlns:ec=3D"http://www.w3.org/2001/04/xmlenc#"=
xmlns:sp=3D"http://schemas.microsoft.com/sharepoint/" xmlns:sps=3D"http://=
schemas.microsoft.com/sharepoint/soap/" xmlns:xsi=3D"http://www.w3.org/2001=
/XMLSchema-instance" xmlns:udcs=3D"http://schemas.microsoft.com/data/udc/so=
ap" xmlns:udcxf=3D"http://schemas.microsoft.com/data/udc/xmlfile " xmlns:udc=
p2p=3D"http://schemas.microsoft.com/data/udc/parttopart" xmlns:wf=3D"http:/=
/schemas.microsoft.com/sharepoint/soap/workflow/" xmlns:dsss=3D"http://sche=
mas.microsoft.com/office/2006/digsig-setup" xmlns:dssi=3D"http://schemas.mi=
crosoft.com/office/2006/digsig" xmlns:mdssi=3D"http://schemas.openxmlformat=
s.org/package/2006/digital-signature" xmlns:mver=3D"http://schemas.openxmlf=
ormats.org/markup-compatibility/2006" xmlns:m=3D"http://schemas.microsoft.c=
om/office/2004/12/omml" xmlns:mrels=3D"http://schemas.openxmlformats.org/pa=
ckage/2006/relationships" xmlns:spwp=3D"http://microsoft.com/sharepoint/web=
partpages" xmlns:ex12t=3D"http://schemas.microsoft.com/exchange/service s/20=
06/types" xmlns:ex12m=3D"http://schemas.microsoft.com/exchange/service s/200=
6/messages" xmlns:pptsl=3D"http://schemas.microsoft.com/sharepoint/soap/ Sli=
deLibrary/" xmlns:spsl=3D"http://microsoft.com/webservices/SharePointPor tal=
Server/PublishedLinksService" xmlns:Z=3D"urn:schemas-microsoft-com:" xmlns:=
st=3D"" xmlns=3D"http://www.w3.org/TR/REC-html40">

>

libri","sans-serif";color:#1F497D">I think you need to do a =
redirect. From within your mod_perl handler try something like this: o:p>

libri","sans-serif";color:#1F497D"> <=
/p>

libri","sans-serif";color:#1F497D"> $r->=
;content_type("text/plain");

libri","sans-serif";color:#1F497D"> <=
/p>

libri","sans-serif";color:#1F497D"> $r->=
;headers_out->set(Location=3D>$url);

libri","sans-serif";color:#1F497D"> <=
/p>

libri","sans-serif";color:#1F497D"> return=
Apache2::Const::HTTP_TEMPORARY_REDIRECT;

libri","sans-serif";color:#1F497D"> <=
/p>

0in 0in">

Hi All,

For example -

Any help will be appreciated.

Thanks,

Jerry

IMPORTANT NOTICE REGARDIN=
G THIS ELECTRONIC MESSAGE:

This message is intended for the use of the person to whom it is addressed =
and may contain information that is privileged, confidential, and protected=
from disclosure under applicable law. If you are not the intended recipien=
t, your use of this message for
any purpose is strictly prohibited. If you have received this communicatio=
n in error, please delete the message and notify the sender so that we may =
correct our records.

--_000_527C4914F1B2EA47B38422DE0FA05A650651BEE390DH201DHMCMa st_--

Re: Changing browser URL based on condition

am 12.07.2011 07:16:17 von Octavian Rasnita

This is a multi-part message in MIME format.

------=_NextPart_000_0037_01CC406B.F9627780
Content-Type: text/plain;
charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable

From: Jerry Pereira=20

Thanks Guys!!! I will go ahead with Redirect approach. I was more =
interested in building a generic framework for my application that would =
handle such scenarios (login was just one of them).=20

Then, as somebody suggested, start using Catalyst framework. It will =
handle the authentication/authorization very easy, and you will be able =
to continue to use your app with mod_perl if you want that.
And of course, you will have many other good features in it.

Octavian

------=_NextPart_000_0037_01CC406B.F9627780
Content-Type: text/html;
charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable

charset=3Diso-8859-1">

From: href=3D"mailto:online.jerry@gmail.com">Jerry Pereira

style=3D"PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; =
BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">

Thanks Guys!!! I will go ahead with Redirect approach. I was more =

interested in building a generic framework for my application that =
would=20
handle such scenarios (login was just one of them).

Then, as somebody suggested, start =
using Catalyst=20
framework. It will handle the authentication/authorization very easy, =
and you=20
will be able to continue to use your app with mod_perl if you want=20
that.

And of course, you will have many =
other good=20
features in it.

Octavian

size=3D2>

------=_NextPart_000_0037_01CC406B.F9627780--

Authentication logic [was: Changing browser URL based on condition]

am 12.07.2011 14:45:28 von Vincent Veyron

Hi list,

In a recent thread, this exchange took place :

Le lundi 11 juillet 2011 à 21:54 +0200, André Warnier a écrit :

> Szekeres, Edward wrote:
> > It seems to be just an attempt to do what is already done in Apache2::AuthCookie (CPAN), which encapsulates a server side authentication.
> >
> >
> +1
> Exactly.
> And I would add that before you start trying to implement you own authentication logic,
> you should really think twice. HTTP authentication is a lot more messy than what you
> would at first think, and you should first have a look at some existing CPAN modules like
> the one mentioned above, and browse the code to understand what they are doing and why. Or
> just use them, they work.
>

I've been meaning to ask a related question to the list for a while. My
logic for session authentication is thus:

Login is handled by login.pm which checks username/password pair against
database.

if ( valid pair ) { set session_id and time_to_live; set
cookie=session_id; store session_id and some parameters in a file via
Storable.pm; redirect to Home page } else { serve login again }

For all requests except login :

1 - Headerparser retrieves the session_id via the cookie, and reads the
session file.
If ( session_id is unknown or time_to_live exceeded ) then { serve
login } else { serve requested page }

2 - perlhandler generates content

3 - Filter processes content and resets time_to_live of session, stores
it back in file

The relevant modules are visible here :
login : http://vincentveyron.com/tmp/login.pm
headerparser : http://vincentveyron.com/tmp/get_session_id.pm
filter : http://vincentveyron.com/tmp/html_head_and_tail.pm

My questions :

-Is there anything wrong with my process?

-What does Apache2::AuthCookie do that I don't already have?

--
Vincent Veyron
http://marica.fr/
Logiciel de gestion des sinistres et des contentieux pour le service juridique

Re: Authentication logic [was: Changing browser URL based on condition]

am 13.07.2011 19:19:32 von Perrin Harkins

On Tue, Jul 12, 2011 at 8:45 AM, Vincent Veyron wrote:
> -Is there anything wrong with my process?

If it's working for you, then it sounds fine. Needing to invoke
mod_perl on every hit could be bad if you're trying to protect a lot
of otherwise static pages, but it doesn't sound like you are. The
file storage of sessions is also limiting (i.e. no clustering), but if
you aren't having trouble with it, no need to change it.

> -What does Apache2::AuthCookie do that I don't already have?

It might have better cookie security. Mostly it's just the general
advantage of using shared open source code over in-house code that has
no other users improving and debugging it.

- Perrin

Re: Authentication logic [was: Changing browser URL based oncondition]

am 14.07.2011 17:21:52 von Vincent Veyron

Le mercredi 13 juillet 2011 à 13:19 -0400, Perrin Harkins a écrit :
> On Tue, Jul 12, 2011 at 8:45 AM, Vincent Veyron wrote:
> > -Is there anything wrong with my process?
>
> If it's working for you, then it sounds fine. Needing to invoke
> mod_perl on every hit could be bad if you're trying to protect a lot
> of otherwise static pages, but it doesn't sound like you are.

Indeed, all pages are dynamic; this is a case management app, so every
page requires queries from the database

> The
> file storage of sessions is also limiting (i.e. no clustering), but if
> you aren't having trouble with it, no need to change it.
>

My needs are very modest for the time being, so I did not investigate
this part at all, I must say.

Could you explain (very briefly) how clustering prevents file storage of
a session?

> > -What does Apache2::AuthCookie do that I don't already have?
> It might have better cookie security.
> Mostly it's just the general
> advantage of using shared open source code over in-house code that has
> no other users improving and debugging it.

Well, I'll look into it more. Thanks for your input.

--
Vincent Veyron
http://marica.fr/
Logiciel de gestion des sinistres et des contentieux pour le service juridique

Re: Authentication logic [was: Changing browser URL based on condition]

am 14.07.2011 17:34:40 von Perrin Harkins

On Thu, Jul 14, 2011 at 11:21 AM, Vincent Veyron wrote:
> Could you explain (very briefly) how clustering prevents file storage of
> a session?

A cluster in this case means multiple servers, so they don't share a
filesystem. There are ways to share files of course, but the common
solution is to put your session data in a database with remote access.

- Perrin

Re: Authentication logic [was: Changing browser URL based oncondition]

am 14.07.2011 18:57:10 von Vincent Veyron

Le jeudi 14 juillet 2011 à 11:34 -0400, Perrin Harkins a écrit :
> On Thu, Jul 14, 2011 at 11:21 AM, Vincent Veyron wrote:
> > Could you explain (very briefly) how clustering prevents file storage of
> > a session?
>
> A cluster in this case means multiple servers, so they don't share a
> filesystem. There are ways to share files of course, but the common
> solution is to put your session data in a database with remote access.
>

This is what I first did, using Apache::Session. But I noticed the call
to tie was very slow (response time around 70ms with it, 15ms without
it), so I changed for Storable because filesystem reads were much
faster.

Also, I did not find how to store a hash in the database without tie. I
read it's possible to use Data::Dumper to write the data in a field and
read it as Perl code. Would that be a way to do it?

--
Vincent Veyron
http://marica.fr/
Logiciel de gestion des sinistres et des contentieux pour le service juridique

Re: Authentication logic [was: Changing browser URL based on condition]

am 14.07.2011 19:02:33 von mpeters

On 07/14/2011 12:57 PM, Vincent Veyron wrote:

> This is what I first did, using Apache::Session. But I noticed the call
> to tie was very slow (response time around 70ms with it, 15ms without
> it), so I changed for Storable because filesystem reads were much
> faster.

I don't personally like Apache::Session because of the tie thing, but
that's more an interface preference than anything else.

> Also, I did not find how to store a hash in the database without tie. I
> read it's possible to use Data::Dumper to write the data in a field and
> read it as Perl code. Would that be a way to do it?

The same way you're doing it now with Storable and a file. But instead
of reading a file you read a database field.

--
Michael Peters
Plus Three, LP

Re: Authentication logic [was: Changing browser URL based oncondition]

am 14.07.2011 21:15:01 von Vincent Veyron

Le jeudi 14 juillet 2011 à 13:02 -0400, Michael Peters a écrit :
> On 07/14/2011 12:57 PM, Vincent Veyron wrote:

> > Also, I did not find how to store a hash in the database without tie. I
> > read it's possible to use Data::Dumper to write the data in a field and
> > read it as Perl code. Would that be a way to do it?
>
> The same way you're doing it now with Storable and a file. But instead
> of reading a file you read a database field.
>

OK, I must have missed it in the doc, I'll look again.

Thank you

--
Vincent Veyron
http://marica.fr/
Logiciel de gestion des sinistres et des contentieux pour le service juridique

Re: Authentication logic [was: Changing browser URL based on condition]

am 15.07.2011 23:59:45 von Perrin Harkins

On Thu, Jul 14, 2011 at 3:15 PM, Vincent Veyron wrote:
> OK, I must have missed it in the doc, I'll look again.

I think you're misunderstand. Storable doesn't do this for you. The
idea is you could capture the session in a variable and write that to
a database.

If you'd rather not roll your own but you don't like the
Apache::Session API, look at other stuff on CPAN like CGI::Session.

- Perrin

Re: Authentication logic [was: Changing browser URL based oncondition]

am 16.07.2011 19:01:49 von Vincent Veyron

Le vendredi 15 juillet 2011 à 17:59 -0400, Perrin Harkins a écrit :

> I think you're misunderstand. Storable doesn't do this for you. The
> idea is you could capture the session in a variable and write that to
> a database.
>

Let me explain; I used to do :

tie %session, 'Apache::Session::Postgres', $session_id, {...};

and then

$r->pnotes('session' => \%session);

$session_id is taken from the cookie, %session stores several
parameters/variables.

As I said, I replaced the call to tie with :

$r->pnotes('session' => Storable::retrieve($session_file));

where $session_file again is retrieved from the cookie.

What I can't find out is : how do I store %session into a database
without using tie??

--
Vincent Veyron
http://marica.fr/
Logiciel de gestion des sinistres et des contentieux pour le service juridique

Re: Authentication logic [was: Changing browser URL based on condition]

am 17.07.2011 03:06:02 von Perrin Harkins

On Sat, Jul 16, 2011 at 1:01 PM, Vincent Veyron wrote:
> As I said, I replaced the call to tie with :
>
> $r->pnotes('session' => Storable::retrieve($session_file));
>
> where $session_file again is retrieved from the cookie.
>
> What I can't find out is : how do I store %session into a database
> without using tie??

That's what I'm trying to explain. You can either use the Storable
API to put your session into a string, and then write to a database
using standard DBI, or you can use a pre-built tool like CGI::Session.

To serialize your session to a string, you can do something like this:
use Storable qw(nfreeze);
$serialized = nfreeze \%session;

See the Storable docs for more.

- Perrin

Re: Authentication logic [was: Changing browser URL based on condition]

am 17.07.2011 07:16:09 von Phil Van

--0016364172d900e12104a83cfbbe
Content-Type: text/plain; charset=ISO-8859-1

Back to Vincent's original request about session id and login: how secure is
your session id? Have you signed it? If not, someone can try to sending
random IDs and break your authentication.

Well, if you sign it and sign it properly, you basically end up with the
same idea in those "Authen + Ticket + Gate" CPAN modules. Besides a time
stamp, you should also sign with user's IP. If the cookie is stolen, the
origin of IP may protect as the last hope.

(if you are using https, then all the above procedures do not matter)

The second idea is that you may not need to store session on the server at
all: if the information in the session is merely user information such as
user id, name, email etc., you can concatenate them into the cookie value
(again, sign it). So the next time the user visits, you automatically get
those information back from the cookie.

Cheers.

On Sat, Jul 16, 2011 at 6:06 PM, Perrin Harkins wrote:

> On Sat, Jul 16, 2011 at 1:01 PM, Vincent Veyron
> wrote:
> > As I said, I replaced the call to tie with :
> >
> > $r->pnotes('session' => Storable::retrieve($session_file));
> >
> > where $session_file again is retrieved from the cookie.
> >
> > What I can't find out is : how do I store %session into a database
> > without using tie??
>
> That's what I'm trying to explain. You can either use the Storable
> API to put your session into a string, and then write to a database
> using standard DBI, or you can use a pre-built tool like CGI::Session.
>
> To serialize your session to a string, you can do something like this:
> use Storable qw(nfreeze);
> $serialized = nfreeze \%session;
>
> See the Storable docs for more.
>
> - Perrin
>

--0016364172d900e12104a83cfbbe
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

Back to Vincent's original request about session id and login: how secu=
re is your session id? Have you signed it? If not, someone can try to sendi=
ng random IDs and break your authentication.

Well, if you sign it a=
nd sign it properly, you basically end up with the same idea in those "=
;Authen + Ticket + Gate" CPAN modules. Besides a time stamp, you shoul=
d also sign with user's IP.=A0 If the cookie is stolen, the origin of I=
P may protect as the last hope.

(if you are using https, then all the above procedures do not matter) r>
The second idea is that you may not need to store session on the serv=
er at all: if the information in the session is merely user information suc=
h as user id, name, email etc., you can concatenate them into the cookie va=
lue (again, sign it). So the next time the user visits, you automatically g=
et those information back from the cookie.

Cheers.

On Sat, Jul 16, 2011 at 6=
:06 PM, Perrin Harkins < com">perrin@elem.com> wrote:

ote" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex=
;">

On Sat, Jul 16, 2011 at 1:01 PM, Vincent Veyron < ef=3D"mailto:vv.lists@wanadoo.fr">vv.lists@wanadoo.fr> wrote:

> As I said, I replaced the call to tie with :

>

> $r->pnotes('session' =3D> Storable::retrieve($session_fi=
le));

>

> where $session_file again is retrieved from the cookie.

>

> What I can't find out is : how do I store %session into a database=

> without using tie??

That's what I'm trying to explain. =A0You can either use the =
Storable

API to put your session into a string, and then write to a database

using standard DBI, or you can use a pre-built tool like CGI::Session.

To serialize your session to a string, you can do something like this:

use Storable qw(nfreeze);

$serialized =3D nfreeze \%session;

See the Storable docs for more.

- Perrin

--0016364172d900e12104a83cfbbe--

Re: Authentication logic [was: Changing browser URL based oncondition]

am 17.07.2011 11:12:13 von Vincent Veyron

Le samedi 16 juillet 2011 à 21:06 -0400, Perrin Harkins a écrit :
> On Sat, Jul 16, 2011 at 1:01 PM, Vincent Veyron wrote:

> To serialize your session to a string, you can do something like this:
> use Storable qw(nfreeze);
> $serialized = nfreeze \%session;
>

I see the light!

Thanks a bunch for taking the time to explain.

--
Vincent Veyron
http://marica.fr/
Logiciel de gestion des sinistres et des contentieux pour le service juridique

Re: Authentication logic [was: Changing browser URL based oncondition]

am 17.07.2011 12:37:13 von Vincent Veyron

Le samedi 16 juillet 2011 à 22:16 -0700, Phil Van a écrit :
> Back to Vincent's original request about session id and login:

> (if you are using https, then all the above procedures do not matter)
>

It's via https, yes.

> The second idea is that you may not need to store session on the
> server at all: if the information in the session is merely user
> information such as user id, name, email etc., you can concatenate
> them into the cookie value (again, sign it). So the next time the user
> visits, you automatically get those information back from the cookie.

I am trying to avoid this, actually : the cookie only holds the session
id for retrieval. The hash stored on the server holds various parameters
for the user's session.

Very convenient for customization. For instance, I'm using it to store
field headers, which the client can then set to his liking.

--
Vincent Veyron
http://marica.fr/
Logiciel de gestion des sinistres et des contentieux pour le service juridique

Re: Authentication logic [was: Changing browser URL based on condition]

am 17.07.2011 15:21:31 von Adam Prime

On 7/17/2011 1:16 AM, Phil Van wrote:
> Back to Vincent's original request about session id and login: how
> secure is your session id? Have you signed it? If not, someone can try
> to sending random IDs and break your authentication.
>
> Well, if you sign it and sign it properly, you basically end up with the
> same idea in those "Authen + Ticket + Gate" CPAN modules. Besides a time
> stamp, you should also sign with user's IP. If the cookie is stolen,
> the origin of IP may protect as the last hope.

Tying a session to an IP can be bad if you use a CDN, or you have
clients that are behind big multihomed transparent proxies. AOL users
in particular used to come from various IP's during a single session.

Adam

Re: Changing browser URL based on condition

am 27.07.2011 13:11:52 von unknown

2011-07-11 20:48, Jerry Pereira wrote:
> Hi All,
>
> I would like to know if there is a way to change the URL displayed on
> browser without using Redirect option. The URL visible on client browser
> must be based on some condition that is evaluated in my mod_perl handler.
>
> For example -
>
> 1. User types the URL - www.example.com , this will display the login page.
> 2. Once the user enters the credentials and hits submit, the request is
> posted to www.example.com/login action.
> 3. If the credentials entered by the user is valid then i would like to show
> the home page..uri
> 4. I am able to show the homw page, but the URL does not change to
> www.example.com/home , instead it remains the same (i.e.
> www.example.com/login ). I am using Template toolkit to render my pages. I
> tried $req->url('/home'), but that does not change the browser URI.
>
> Any help will be appreciated.

Telling the browser to fudge the URL is a client side thing. There is support for this in HTML5, with varying support in different browsers.

One starting point could be this:
http://stackoverflow.com/questions/4015613/good-tutorial-for -using-html5-history-api-pushstate

--
Mårten Svantesson
Senior Developer
Travelocity Nordic
+46 (0)8 505 787 23

Re: Changing browser URL based on condition

am 29.07.2011 07:14:54 von Randolf Richardson

[sNip]
> Telling the browser to fudge the URL is a client side thing. There is support for this in HTML5, with varying support in different browsers.
[sNip]

I really hope the hostname portion is excluded from this; if not,
then the world will be hit by a whole new set of scams. =(

Do you happen to know if the HTML5 standards limit this?

Randolf Richardson - randolf@inter-corporate.com
Inter-Corporate Computer & Network Services, Inc.
Vancouver, British Columbia, Canada
http://www.inter-corporate.com