perl-modperl mailing list archives

From André Warnier ...@ice-sa.com>
Subject Re: Mixed Children on amd64
Date Wed, 22 Sep 2010 00:29:52 GMT
Vincent Veyron wrote:
...

> 
>> , of which only one is HTTPS, you could run it all in
>> one single Apache instance.  It is no problem to run a single VirtualHost as a HTTPS host
>> on its own port 443, and other multiple HTTP VirtualHost's on port 80.
>> The problem is only when you want to run several HTTPS hosts.
>>
> 
> This sounds like what I'm doing now? You do need two httpd processes,
> one that listens on port 80, the other on port 443.
>

No, you don't. If in one Apache you say

Listen 80
Listen 443

then it will listen to both ports.
And then you can say

NameVirtualHost *:80
<VirtualHost *:80>
   ServerName A
..
</VirtualHost>
<VirtualHost *:80>
   ServerName B
..
</VirtualHost>
...
NameVirtualHost *:443
<VirtualHost *:443>
   ServerName C
..
</VirtualHost>
(but only once, for HTTPS; the reason for that is longer to explain).

  ...
Sorry, really analysing the code is a bit beyond my commitment. I am just trying to give
you ideas of what to look for.
And to discourage you from looking in the wrong direction, because the idea that 2 Apache
processes could be mixing their data sounds really far-fetched to me.

> 
>> Maybe one thing you could do, since these are two servers with a separate configuration,
>> is at least to change the name of the cookie in one of them (for example, name it
>> "secure-session" in the secure server).  That would make them 2 separate cookies, and
>> maybe avoid the confusion (or show the problem right away, by popping up a login page as
>> soon as they click the "bad" link).
>>
> Even supposing a bad link exists, the browser always sends the same cookie, regardless
> of whether it's using http or https.
> 
Yes, and that is what I mean.  Whether users stray through the secure or non-secure site,
there is only ever one cookie.  And if it is not marked secure, the browser will send that
same cookie, no matter which site the users link to.  And the server receiving the cookie,
at least in the authentication part of the code, will not see the difference, and will let
them in as long as for the session referenced in the cookie, there is a valid record in
the database.  So IF users would go from one server to the other, you would probably never
know, because they will not be stopped from doing that.
And that could certainly be a good reason why some users see demo data some time, instead
of theirs.

I am not saying that it /is/ the problem.  What I am saying is that if you had a different
cookie name for each site (which should be easy to do), then for sure the above could not
happen, and you could eliminate one area from your search.

Be humble. On one side, there is Apache code, which is extensively tested and running on
hundreds of thousands of sites.  On the other side, there is your code, which runs on just
a few sites.  If there is a problem somewhere, where is it most likely to be?
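
The cookie behaviour discussed in the message above, as an added example that is not part of the original message or of the poster's code: Python's standard http.cookiejar plays the browser, and a small authenticate function stands in for the session check. The host name, the session id, the session table and the default cookie name "session" are constructed assumptions; "secure-session" is the name suggested in the thread.

```python
from http.cookiejar import Cookie, CookieJar
from http.cookies import SimpleCookie
from urllib.request import Request

# Constructed sample values (assumptions, not taken from the thread)
HOST = "www.example.test"        # one host name serving both the HTTP and the HTTPS site
SESSIONS = {"abc123": "alice"}   # session table that both sites consult


def make_cookie(name, value, secure):
    """Build a host-only, path=/ session cookie as the client would store it."""
    return Cookie(0, name, value, None, False, HOST, False, False,
                  "/", True, secure, None, True, None, None, {})


def cookie_header(jar, url):
    """Return the Cookie header a browser-like client sends to url (no network I/O)."""
    req = Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie", "")


def authenticate(header, cookie_name):
    """Session check as described: a valid session record for the cookie lets the user in."""
    morsel = SimpleCookie(header).get(cookie_name)
    return SESSIONS.get(morsel.value) if morsel is not None else None


def crossover(https_cookie_name, secure_flag, http_cookie_name="session"):
    """Log in on the HTTPS site, then follow a link to the HTTP site.

    Returns (user seen by the HTTPS site, user seen by the HTTP site);
    None means that site would show its login page.
    """
    jar = CookieJar()
    jar.set_cookie(make_cookie(https_cookie_name, "abc123", secure_flag))
    on_https = authenticate(cookie_header(jar, f"https://{HOST}/"), https_cookie_name)
    on_http = authenticate(cookie_header(jar, f"http://{HOST}/"), http_cookie_name)
    return on_https, on_http


if __name__ == "__main__":
    print("shared name, no Secure:", crossover("session", False))
    print("separate names:        ", crossover("secure-session", False))
    print("shared name, Secure:   ", crossover("session", True))
```

With a shared name and no Secure attribute, the HTTP site accepts the session silently; with separate names or the Secure attribute, it falls back to its login page.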
