
List:       apache-modperl
Subject:    Re: AuthCookieDBI and Apache 2.4
From:       "Edward J. Sabol" <edwardjsabol () gmail ! com>
Date:       2019-10-24 19:26:28
Message-ID: 4DF25861-9B25-40D0-B281-8C98096927E7 () gmail ! com

On Oct 20, 2019, at 7:35 PM, Edward J. Sabol <edwardjsabol@gmail.com> wrote:
> I've successfully ported Apache2::AuthCookieDBI's group
> authorization to work with Apache 2.4.x. It works on my system, and I am
> now looking at submitting a pull request on GitHub for this issue.

In case anyone is interested:
https://github.com/matisse/Apache-AuthCookieDBI/pull/6
https://github.com/esabol/Apache-AuthCookieDBI/blob/apache-2.4.x-support/lib/Apache2_4/AuthCookieDBI.pm

I could still use answers to the following questions:

> [...] what's the best way to determine the Apache version in
> non-testsuite code? Should I use Apache::Test's have_min_apache_version()
> regardless?
> 
> Apache2::AuthCookieDBI stashes the valid/authorized group in
> $r->subprocess_env('AUTH_COOKIE_DBI_GROUP') so that higher-level interface
> code can reference it. To eliminate multiple database queries for the same
> request (at one point, I was seeing 4+ requests per request since the URL
> was a directory and Apache was authz'ing the directory and then the
> index.html in that directory), I was wondering if checking for the presence
> of $r->subprocess_env('AUTH_COOKIE_DBI_GROUP') and using that instead of
> querying the database again was secure? It all seems to work in my testing
> and it drastically cuts down on repeated database queries, but I'm worried I
> might be doing something insecure.

Thanks,
Ed
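
One way to avoid the repeated queries described above, as an added example that is not part of the original message or of Apache2::AuthCookieDBI: keep the result in the main request's pnotes, keyed by user and group, rather than in subprocess_env, which configuration directives such as SetEnv and SetEnvIf can also write. MockRequest, the `authz_group_cache` key and the `$lookup` callback are assumptions made here; MockRequest models only `pnotes` and `main` so the script runs outside Apache.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed stand-in for the mod_perl request object. Only pnotes() and
# main() are modelled, following Apache2::RequestUtil and Apache2::RequestRec.
{
    package MockRequest;
    sub new    { my ($class, %a) = @_; bless { pnotes => {}, main => $a{main} }, $class }
    sub main   { $_[0]{main} }
    sub pnotes { my ($s, $k, @v) = @_; $s->{pnotes}{$k} = $v[0] if @v; $s->{pnotes}{$k} }
}

my $KEY = 'authz_group_cache';    # hypothetical pnotes key

# Return the first group in @$required that $user belongs to, or nothing.
# $lookup->($user, $group) is the expensive database membership check.
sub authorized_group {
    my ($r, $user, $required, $lookup) = @_;
    my $top = $r->main || $r;                 # subrequests share the main request's cache
    $top->pnotes($KEY, {}) unless $top->pnotes($KEY);
    my $cache = $top->pnotes($KEY);
    for my $group (@$required) {
        # Keyed by user AND group: a cached grant for one group can never
        # satisfy a location that requires a different group.
        my $slot = \$cache->{$user}{$group};
        $$slot = $lookup->($user, $group) ? 1 : 0 unless defined $$slot;
        return $group if $$slot;
    }
    return;
}

# Constructed demo: a directory request and its index.html subrequest.
my $queries = 0;
my %db      = (alice => { staff => 1 });      # constructed membership table
my $lookup  = sub { $queries++; $db{ $_[0] }{ $_[1] } };

my $dir   = MockRequest->new;
my $index = MockRequest->new(main => $dir);
my @results = map { authorized_group(@$_, $lookup) // 'DENY' }
    [ $dir,   'alice', ['staff'] ],           # first check queries the database
    [ $index, 'alice', ['staff'] ],           # subrequest is served from the cache
    [ $index, 'alice', ['admin'] ];           # different group: checked, not assumed
print "@results (database queries: $queries)\n";
```

The cache lives only as long as the request, so a change in group membership takes effect on the next request.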
