
Question

It might be that cgiwrap is unrelated to this problem with SessionPlugin, but I don't know. The problem is that SessionPlugin does not create/use a session after logging in.

In a cgiwrap environment, I cannot put .htaccess in the cgi-bin directory. I've found a login workaround by putting a file in a web directory that is protected by .htaccess. That file is a 'virtual include' of the twiki/bin/view file. index.shtml has just this:

<!--#include virtual="/cgiwrap/polsgrad/twiki/view" -->

That forces a login, and the login works and users can edit IF in TWiki.cfg I set doRememberRemoteUser 1

The problem, however, is that the remoteusers.txt permanently remembers IP numbers, and even after a user logs out and another logs in, the TWiki will allow that user to edit pages without authenticating again because the IP and old user name are remembered.

So I heard about SessionPlugin and am trying that. I found this from the SmartSessionPlugin page on twiki.org. I changed my shtml file in the htaccess protected directory:

<!--#include virtual="/cgiwrap/polsgrad/twiki/logon" -->
<!--#include virtual="/cgiwrap/polsgrad/twiki/view" -->

After setting

doRememberRemoteUser 0

Then users who go to this protected page are forced to log in. And, of course, there's no more security trouble. But sessions don't work.

I believe the Session.pm is getting called when I log in, because I had a devil of a time getting the CGI::Session module installed in a place where it could be found, and as a result I was getting a warnings.txt file full of messages about SessionPlugin not finding CGI/Session.pm. I think that problem is resolved. I'm not the system admin, so I did the thing to build the CGI/Session module in ~/user_perl, and it installed it in a subdir like ~/user_perl/lib/perl5/site_perl/5.8.3/CGI, and SessionPlugin kept saying it could not find Session.pm. That stopped happening after I copied the CGI module directory directly into ~/user_perl/CGI. Anyway, there are no more warnings.

Now I can log in and the initial view of my page does show that it converts %WIKIUSER% to my user name. But it only works on that first page, and if I go to other pages, it says I'm TWikiUser.

In the system's /tmp directory, I do not find any files owned by me.

The TWiki where I'm trying SessionPlugin is here:

www.ku.edu/cgiwrap/polsgrad/twiki/view

The testenv output for my page can be viewed here:

www.ku.edu/cgiwrap/polsgrad/twiki/testenv

You will note that, under cgiwrap, the programs and web server run as my user name, not nobody or root.

So I could use some help on step-by-step debugging.

Environment

TWiki version: TWikiRelease01Sep2004
TWiki plugins: DefaultPlugin, EmptyPlugin, InterwikiPlugin, Plugins.SessionPlugin
Server OS: Digital/Compact Unix OSF1 v4
Web server: apache
Perl version: 5.8.3
Client OS: Linux
Web Browser: Mozilla

-- PaulJohnson - 26 Sep 2004
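
The doRememberRemoteUser behaviour described in the question, modelled as an added example (not TWiki or SessionPlugin code): it replays the same requests against an identity store keyed by client IP and one keyed by a per-browser session token. The event list, addresses and user names are constructed, and the IP-to-user mapping is an assumed model of remoteusers.txt.

```python
import secrets

GUEST = "guest"  # fallback identity for requests that carry no credentials

# Constructed events: (client_ip, actor, action). "login" passes through the
# .htaccess-protected page; "view" hits an unprotected script; "logout" ends the visit.
EVENTS = [
    ("192.0.2.10", "alice", "login"),
    ("192.0.2.10", "alice", "view"),
    ("192.0.2.10", "alice", "logout"),
    ("192.0.2.10", "bob", "view"),      # same lab PC or NAT address, never logged in
    ("198.51.100.7", "carol", "view"),  # different address, never logged in
]

def replay_ip_keyed(events):
    """Identity remembered per IP and never expired (assumed model of remoteusers.txt)."""
    remembered, seen = {}, []
    for ip, actor, action in events:
        if action == "login":
            remembered[ip] = actor
        # logout has nothing to clear: the mapping is keyed by address, not by visit
        seen.append(remembered.get(ip, GUEST))
    return seen

def replay_session_keyed(events):
    """Identity bound to an unguessable per-browser token that logout destroys."""
    sessions, cookie_of, seen = {}, {}, []
    for ip, actor, action in events:
        if action == "login":
            cookie_of[actor] = secrets.token_urlsafe(32)
            sessions[cookie_of[actor]] = actor
        seen.append(sessions.get(cookie_of.get(actor), GUEST))
        if action == "logout":
            sessions.pop(cookie_of.pop(actor, None), None)
    return seen

def misattributed(events, seen):
    """Requests credited to a named user who is not the person making them."""
    return [(ip, actor, who) for (ip, actor, _), who in zip(events, seen)
            if who not in (GUEST, actor)]

if __name__ == "__main__":
    print("ip-keyed:     ", misattributed(EVENTS, replay_ip_keyed(EVENTS)))
    print("session-keyed:", misattributed(EVENTS, replay_session_keyed(EVENTS)))
```
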

Answer

I didn't get any feedback after I posted this note, but I kept trying and have some progress to report.

The first step was to get the newest copy of the SessionPlugin.zip file, which was posted Sept. 29, 2004. If you look at SmartSessionPlugin, you see the current edition is v2.122, whereas the SmartSessionPlugin I was trying with before had a version number that had a decimal starting with .9. The new one gives more informative messages to twiki/data/warning.txt, so you can actually see that the SessionPlugin is being accessed.

Second, I continued with the approach described above, with a virtual include pointing at the twiki cgi-bin/logon file, and the html file holding the virtual include is protected by .htaccess. That shtml file just has:

<!--#include virtual="/cgiwrap/polsgrad/twiki/logon" -->

So users get a login request, and then get sent to the logon script.

The only problem is that a blank screen appears after the logon script is run. Apparently, there's some slippage between the web info conveyed to the logon script when it is reached via a virtual include. It appears to me that TWikiRedirect() just doesn't understand the info it gets from this method.

So here's my workaround. At the end of the logon script, I inserted code to send an HTML page to the browser, and when the user clicks the "go ahead" link, it hits the logon script again; this time it hits it 'directly', without relying on the virtual include. That is the magic, because after that authentication works as the SessionPlugin docs say.

Here's what I mean about adding some glop on the end of logon. If there is a better way, please let me know.

# here's the end of logon:
    &TWiki::redirect( $query, $url );
# here is my new bit to make a page show. Note this calls the logon script in the
# way that cgiwrap wants, rather than the indirect way described above.
    print $query->start_html(
        -title  => 'KUPS Login Completion',
        -author => 'pauljohn@ku.edu',
        -meta   => { 'description' => 'Session authentication for TWiki via CGIwrap' },
    );

    print qq[<a href="http://www.ku.edu/cgiwrap/kups/twiki/logon">
          Click here to finish login process</a>];

    print $query->end_html();
}

If someone can explain to me why this even works, I'd be glad.

-- PaulJohnson - 06 Oct 2004

Topic revision: r4 - 2020-04-26 - PeterThoeny
 