perl-modperl mailing list archives

From Bill Moseley <mose...@hank.org>
Subject Re: Ways to scale a mod_perl site
Date Sat, 19 Sep 2009 22:31:09 GMT
On Sat, Sep 19, 2009 at 11:43 AM, Tina Müller <apache@s05.tinita.de> wrote:

> On Fri, 18 Sep 2009, Igor Chudov wrote:
>
>> On Fri, Sep 18, 2009 at 10:13 AM, Tina Mueller <apache@s05.tinita.de>
>> wrote:
>>
>> > How does the user invalidate that "session"? (in case the cookie leaked
>> > or something like that). Or how can the website owner log out a certain
>> > user?
>> >
>>
>> Same way you do with a table: when the user logs out, you update their
>> cookie to a new one, where "userid" is not set.
>>
>
> That doesn't invalidate the cookie.
> It resets the cookie in the browser, but the string itself is still a valid
> session and can be reused.
>

That's why you have an expires time in the cookie data.  Each request you
check and extend.  Then if you see one that's past the expires time you
require authentication again.

"Logged out" is a fuzzy concept.  If it means the user must provide
credentials again then you flag logged out in the cookie and then it will
appear to the user that they are logged out.  Sure, if they copy the cookie
some place, log out, then they can use the cookie again seemingly w/o
logging in.  But it's just an appearance.  Logging in just means you have
provided the credentials and given them a temporary token (the cookie) that
says they don't need to re-authenticate every request.  It's a free pass for
the time allowed (regardless of the log out).

If you have much more strict business needs around "logging out" or a way to
immediately disable a user then you need to track that elsewhere -- set a
flag in memcached or use the db.
> Since there is nothing stored about it server side the server just gets
> the session string from the client and doesn't care (doesn't know) if
> any browser "logged out".
>
> And storing the IP in the session wouldn't work for users that get a
> new IP very often. On the other hand, several users might have the
> same IP in the view of the server.
Right, IPs are not much good.  I use them sometimes to force a captcha if
too many failed logins come from the same IP.
-- 
Bill Moseley
moseley@hank.org
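The sliding-expires cookie Bill describes, plus the server-side flag he recommends when a real logout is needed, as an added Python example that is not code from this thread or from mod_perl (the secret, TTL, cookie layout and function names are assumptions; a real deployment would put the revocation flag in memcached or the DB rather than an in-memory set):

```python
import base64, binascii, hashlib, hmac, json

SECRET = b"constructed-demo-secret"  # assumption: a long random key in practice
SESSION_TTL = 600                     # seconds of inactivity before re-auth
REVOKED_USERS = set()                 # the "elsewhere" flag: memcached/DB in real life

def _sign(payload: bytes) -> str:
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest()

def issue_cookie(userid: str, now: float) -> str:
    """Self-contained cookie 'base64(json).hmac' carrying a sliding expires time."""
    payload = json.dumps({"userid": userid, "expires": now + SESSION_TTL}).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)

def check_cookie(cookie: str, now: float):
    """Per-request check: (userid, extended_cookie) or (None, None) to force re-auth."""
    try:
        b64, sig = cookie.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(b64)
    except (ValueError, binascii.Error):
        return None, None
    if not hmac.compare_digest(sig.encode(), _sign(payload).encode()):
        return None, None                      # tampered or forged
    data = json.loads(payload)
    if not data.get("userid") or now > data["expires"]:
        return None, None                      # logged out or past expires time
    if data["userid"] in REVOKED_USERS:
        return None, None                      # server-side disable wins
    return data["userid"], issue_cookie(data["userid"], now)   # extend on each request

def demo() -> dict:
    t0 = 1_000_000.0
    cookie = issue_cookie("alice", t0)
    uid, cookie2 = check_cookie(cookie, t0 + 100)              # inside TTL: extended
    # Client-side "logout": browser is handed a cookie with no userid...
    uid_out, _ = check_cookie(issue_cookie("", t0 + 100), t0 + 101)
    # ...but a saved copy of the earlier string is still a valid session (Tina's point)
    uid_copy, _ = check_cookie(cookie, t0 + 200)
    # Sliding window: the extended cookie outlives the original
    uid_expired, _ = check_cookie(cookie, t0 + SESSION_TTL + 1)
    uid_slid, _ = check_cookie(cookie2, t0 + SESSION_TTL + 1)
    REVOKED_USERS.add("alice")                                 # the only real kill switch
    uid_revoked, _ = check_cookie(cookie, t0 + 200)
    REVOKED_USERS.discard("alice")
    return {"extended": uid == "alice", "client_logout": uid_out is None,
            "copy_still_valid": uid_copy == "alice", "expired": uid_expired is None,
            "slid": uid_slid == "alice", "revoked": uid_revoked is None}
```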
