List: apache-modperl
Subject: Re: AuthCookieDBI and Apache 2.4
From: "Edward J. Sabol" <edwardjsabol () gmail ! com>
Date: 2019-10-24 19:26:28
Message-ID: 4DF25861-9B25-40D0-B281-8C98096927E7 () gmail ! com
On Oct 20, 2019, at 7:35 PM, Edward J. Sabol <edwardjsabol@gmail.com> wrote:
> I've successfully ported Apache2::AuthCookieDBI's group
> authorization to work with Apache 2.4.x. It works on my system, and I am
> now looking at submitting a pull request on GitHub for this issue.

In case anyone is interested:

https://github.com/matisse/Apache-AuthCookieDBI/pull/6
https://github.com/esabol/Apache-AuthCookieDBI/blob/apache-2.4.x-support/lib/Apache2_4/AuthCookieDBI.pm

I could still use answers to the following questions:

> [...] what's the best way to determine the Apache version in
> non-testsuite code? Should I use Apache::Test's have_min_apache_version()
> regardless?
>
> Apache2::AuthCookieDBI stashes the valid/authorized group in
> $r->subprocess_env('AUTH_COOKIE_DBI_GROUP') so that higher-level interface
> code can reference it. To eliminate multiple database queries for the same
> request (at one point, I was seeing 4+ requests per request since the URL
> was a directory and Apache was authz'ing the directory and then the
> index.html in that directory), I was wondering if checking for the presence
> of $r->subprocess_env('AUTH_COOKIE_DBI_GROUP') and using that instead of
> querying the database again was secure? It all seems to work in my testing
> and it drastically cuts down on repeated database queries, but I'm worried I
> might be doing something insecure.

Thanks,
Ed
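
Added example, not part of the original message or of Apache2::AuthCookieDBI: one way to cut the repeated group lookups described above is to cache the result in $r->pnotes rather than read it back from $r->subprocess_env, and to compare the cached answer against the groups on the current Require line. The package name, the pnotes key and groups_from_db() are hypothetical, and the ($class, $r, $requires) argument order is assumed from mod_perl's Apache 2.4 authz provider interface.

```perl
package My::GroupAuthz;    # hypothetical module name
use strict;
use warnings;
use Apache2::RequestRec  ();    # user, main, prev, subprocess_env
use Apache2::RequestUtil ();    # pnotes
use Apache2::Const -compile => qw(AUTHZ_GRANTED AUTHZ_DENIED AUTHZ_DENIED_NO_USER);

my $NOTE = 'my.groupauthz.cache';    # hypothetical pnotes key

# Placeholder for the real DBI query: must return those of @groups that
# $user belongs to. Returns nothing here, so every check is denied.
sub groups_from_db { my ($r, $user, @groups) = @_; return; }

# Authz provider, e.g. PerlAddAuthzProvider group My::GroupAuthz->group
sub group {
    my ($class, $r, $requires) = @_;
    my $user = $r->user;
    return Apache2::Const::AUTHZ_DENIED_NO_USER
        unless defined $user && length $user;
    my @wanted = split ' ', (defined $requires ? $requires : '');

    # Walk up to the original request so that subrequests and internal
    # redirects (directory -> index.html) share a single cache.
    my $top = $r;
    while (my $up = $top->main || $top->prev) { $top = $up }

    # pnotes can only be written by Perl code in this process, unlike
    # subprocess_env, which SetEnv/SetEnvIf/RewriteRule [E=] also write.
    my $cache = $top->pnotes($NOTE);
    if (ref $cache ne 'HASH') {
        $cache = {};
        $top->pnotes($NOTE => $cache);
    }
    my $seen = $cache->{$user} ||= {};    # keyed by user, then by group

    # Query only for groups with no cached answer (positive or negative).
    my @unknown = grep { !exists $seen->{$_} } @wanted;
    if (@unknown) {
        my %member = map { $_ => 1 } groups_from_db($r, $user, @unknown);
        $seen->{$_} = $member{$_} ? 1 : 0 for @unknown;
    }

    # Grant only when a group named on *this* Require line is confirmed.
    for my $g (@wanted) {
        next unless $seen->{$g};
        $r->subprocess_env(AUTH_COOKIE_DBI_GROUP => $g);    # output only
        return Apache2::Const::AUTHZ_GRANTED;
    }
    return Apache2::Const::AUTHZ_DENIED;
}

1;
```

Here AUTH_COOKIE_DBI_GROUP is still set for higher-level code to read, but the authorization decision never depends on its prior value.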