httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Craig Dunigan <>
Subject RE: [users@httpd] Automatic script execution whenever a directory is referenced
Date Wed, 25 May 2005 14:22:06 GMT
On Wed, 25 May 2005 wrote:

> Re-posting by request...
> -----Original Message-----
> From: Drew.Shelton@SEMATECH.Org [mailto:Drew.Shelton@SEMATECH.Org]
> Sent: Tuesday, May 24, 2005 12:48 PM
> To:
> Subject: RE: [users@httpd] Automatic script execution whenever a
> directory is referenced
> [snip]
> Craig,
> >Owen's last point is the key one.  You should use some form of session
> >management to do this, and there are many options for that.  For your "CGI"
> >idea, you'll need to write your own authentication handler for files in that
> >directory, written as a module, of course.  At that point, session management
> >starts to look a whole lot easier.
> Thanks, Craig.  I'm a newbie to Apache, but I've written a script that already
> functions as an "authentication handler" when I point my browser directly to it.
> The problem was to get it invoked automatically before any other files.  I was
> not expecting to write a module.  Judging from that and from the technical
> detail you supplied, I don't think I should go there just yet.
> I have no idea what "session management" is.  Where can I find info on that?
> >[Warning!  Nitpicky technical details follow!]  
> [snip]
> Thanks again,
> Drew

Thanks, Drew.  One of these days I'll stop deleting emails I mean to reply to.  
Don't hold your breath, though.

Session management in this context means maintaining state even though HTTP is a
stateless protocol.  That means something on the server side has to assign a
unique session ID of some kind to each incoming connection and keep a persistent
store of variables (the session "state") associated with that ID, and the client
has to have some way of receiving that session ID and resubmitting it with each
request.  This is usually handled with a cookie that contains the session ID and
state, although sometimes the state is maintained (usually in a database) on the
server side, to prevent client tampering.  When connected with authN/authZ, it
also means that the server must verify that cookie in some way before allowing
access, and know to re-authenticate the browser when the session is expired.  
Using session management often means writing your own code, but there are some
pre-made packages that can do simple stuff via httpd.conf only.  Which one you 
use kind of depends on which scripting language you're most comfortable with.  
Try Googling for "apache session <language name>", or just "apache session" if 
you want to see all of what's out there.  Some things I know of off the top of 
my head are Apache::SessionManager (perl) and pubcookie, although the latter 
might be overkill for your situation.



The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message