From: Colm D. <col...@gm...> - 2005-04-20 01:54:03
|
Hi list, I am trying to implement a webmin module whereby there is an inactivity timeout on the user session. I can't seem to find any documentation of how I do this in the docs or in the list archives but I guess I must have missed this. I have been poking arond in miniserv.pl (from Webmin 1.020) and I found something that seems to do exactly what I want : $session_id =3D $2; print $PASSINw "verify $session_id\n"; <$PASSOUTr> =3D~ /(\d+)\s+(\S+)/; if ($1 =3D=3D 2) { # Valid session continuation $validated =3D 1; $authuser =3D $2; $already_session_id =3D $session_id; $already_authuser =3D $authuser; } elsif ($1 =3D=3D 1) { # Session timed out $timed_out =3D $2; } else { # Invalid session ID .. don't set verified } } So if <PASSOUTr> were to have a value of "1 300" (say) it seems to me that I would get taken to the login page with a message telling me I have to login again because I've been inactive for 5mins. Great - that is exactly what I want. My question is how can I trigger the timeout from a CGI script, I see that PASSOUTr is a pipe but its not clear to me if or how I can write to it from a CGI script. Bascally, how can I use this functionality without hacking miniserv,pl? Also, is there a way that I can make it so that when the user confirms their details from a timed out session they can use the same cookie afterwards and not set a new cookie - perhaps it already works this way, not sure. Perhaps this funcionality is not supported any more or something but I'd appreciate any advice people can give me on how I can do this, I don't mind patching miniserv,pl if that is necessary. Thanks, Colm |
From: Jamie C. <jca...@we...> - 2005-04-20 04:02:00
|
On Wed, 2005-04-20 at 11:53, Colm Dougan wrote: > Hi list, > > I am trying to implement a webmin module whereby there is an > inactivity timeout on the user session. I can't seem to find any > documentation of how I do this in the docs or in the list archives but > I guess I must have missed this. > > I have been poking arond in miniserv.pl (from Webmin 1.020) and I > found something that seems to do exactly what I want : > > $session_id = $2; > print $PASSINw "verify $session_id\n"; > <$PASSOUTr> =~ /(\d+)\s+(\S+)/; > if ($1 == 2) { > # Valid session continuation > $validated = 1; > $authuser = $2; > $already_session_id = $session_id; > $already_authuser = $authuser; > } > elsif ($1 == 1) { > # Session timed out > $timed_out = $2; > } > else { > # Invalid session ID .. don't set verified > } > } > > So if <PASSOUTr> were to have a value of "1 300" (say) it seems to me > that I would get taken to the login page with a message telling me I > have to login again because I've been inactive for 5mins. Great - > that is exactly what I want. > > My question is how can I trigger the timeout from a CGI script, I see > that PASSOUTr is a pipe but its not clear to me if or how I can write > to it from a CGI script. Bascally, how can I use this functionality > without hacking miniserv,pl? > > Also, is there a way that I can make it so that when the user confirms > their details from a timed out session they can use the same cookie > afterwards and not set a new cookie - perhaps it already works this > way, not sure. > > Perhaps this funcionality is not supported any more or something but > I'd appreciate any advice people can give me on how I can do this, I > don't mind patching miniserv,pl if that is necessary. There is no way to access those pipes or the session database from a CGI script - they are internal to miniserv.pl, and used solely for communication between the master process and sub-processes. You could hack miniserv.pl to behave differently, but that would make your module dependent on a non-standard part of Webmin. What change are you trying to make exactly? I may be able to suggest a better solution .. - Jamie |
From: Colm D. <col...@gm...> - 2005-04-20 11:03:02
|
On 20 Apr 2005 14:01:37 +1000, Jamie Cameron <jca...@we...> wrote: > On Wed, 2005-04-20 at 11:53, Colm Dougan wrote: > > Hi list, > > > > I am trying to implement a webmin module whereby there is an > > inactivity timeout on the user session. I can't seem to find any > > documentation of how I do this in the docs or in the list archives but > > I guess I must have missed this. .... > > Perhaps this funcionality is not supported any more or something but > > I'd appreciate any advice people can give me on how I can do this, I > > don't mind patching miniserv,pl if that is necessary. >=20 > There is no way to access those pipes or the session database from a CGI > script - they are internal to miniserv.pl, and used solely for > communication between the master process and sub-processes. You could > hack miniserv.pl to behave differently, but that would make your module > dependent on a non-standard part of Webmin. >=20 > What change are you trying to make exactly? I may be able to suggest a > better solution .. Not sure exactly, I was considering having my CGI process create a file somewhere called "${sessionid}.expired" with the timeout in it.=20 Then I was going to change the piece of code I mentioned earlier in miniserv.pl to use this in that section. I'd love to hear any other suggestions you have, Having thought about it some more I think maybe I'm missing something - is the session timeout something that already "just works" or was I initially right in thinking that it was not a supported feature i.e. can you clarify if there already is a standard way to use this and maybe I can warp my thinking to that instead. Thanks, Colm |
From: Jamie C. <jca...@we...> - 2005-04-20 11:16:37
|
On Wed, 2005-04-20 at 21:02, Colm Dougan wrote: > On 20 Apr 2005 14:01:37 +1000, Jamie Cameron <jca...@we...> wrote: > > On Wed, 2005-04-20 at 11:53, Colm Dougan wrote: > > > Hi list, > > > > > > I am trying to implement a webmin module whereby there is an > > > inactivity timeout on the user session. I can't seem to find any > > > documentation of how I do this in the docs or in the list archives but > > > I guess I must have missed this. > > .... > > > > Perhaps this funcionality is not supported any more or something but > > > I'd appreciate any advice people can give me on how I can do this, I > > > don't mind patching miniserv,pl if that is necessary. > > > > There is no way to access those pipes or the session database from a CGI > > script - they are internal to miniserv.pl, and used solely for > > communication between the master process and sub-processes. You could > > hack miniserv.pl to behave differently, but that would make your module > > dependent on a non-standard part of Webmin. > > > > What change are you trying to make exactly? I may be able to suggest a > > better solution .. > > Not sure exactly, I was considering having my CGI process create a > file somewhere called "${sessionid}.expired" with the timeout in it. > Then I was going to change the piece of code I mentioned earlier in > miniserv.pl to use this in that section. I'd love to hear any other > suggestions you have, > > Having thought about it some more I think maybe I'm missing something > - is the session timeout something that already "just works" or was I > initially right in thinking that it was not a supported feature i.e. > can you clarify if there already is a standard way to use this and > maybe I can warp my thinking to that instead. The session timeout is already enforced by Webmin for all modules, and can be configured in the Webmin Configuration module under Authentication. So there isn't really any need to implement your own timeout, unless you want to do something special like adjust it on a per-module basis .. - Jamie |
From: Colm D. <col...@gm...> - 2005-04-20 11:40:33
|
On 20 Apr 2005 21:16:20 +1000, Jamie Cameron <jca...@we...> wrote: > On Wed, 2005-04-20 at 21:02, Colm Dougan wrote: > > On 20 Apr 2005 14:01:37 +1000, Jamie Cameron <jca...@we...> wrot= e: > > > On Wed, 2005-04-20 at 11:53, Colm Dougan wrote: > > > > Hi list, > > > > > > > > I am trying to implement a webmin module whereby there is an > > > > inactivity timeout on the user session. I can't seem to find any > > > > documentation of how I do this in the docs or in the list archives = but > > > > I guess I must have missed this. > > > > .... > > > > > > Perhaps this funcionality is not supported any more or something bu= t > > > > I'd appreciate any advice people can give me on how I can do this, = I > > > > don't mind patching miniserv,pl if that is necessary. > > > > > > There is no way to access those pipes or the session database from a = CGI > > > script - they are internal to miniserv.pl, and used solely for > > > communication between the master process and sub-processes. You could > > > hack miniserv.pl to behave differently, but that would make your modu= le > > > dependent on a non-standard part of Webmin. > > > > > > What change are you trying to make exactly? I may be able to suggest = a > > > better solution .. > > > > Not sure exactly, I was considering having my CGI process create a > > file somewhere called "${sessionid}.expired" with the timeout in it. > > Then I was going to change the piece of code I mentioned earlier in > > miniserv.pl to use this in that section. I'd love to hear any other > > suggestions you have, > > > > Having thought about it some more I think maybe I'm missing something > > - is the session timeout something that already "just works" or was I > > initially right in thinking that it was not a supported feature i.e. > > can you clarify if there already is a standard way to use this and > > maybe I can warp my thinking to that instead. >=20 > The session timeout is already enforced by Webmin for all modules, and > can be configured in the Webmin Configuration module under > Authentication. So there isn't really any need to implement your own > timeout, unless you want to do something special like adjust it on a > per-module basis .. Great - this is really useful. Is this documented anywhere? Thanks for your help. Colm |
From: Jamie C. <jca...@we...> - 2005-04-20 12:47:59
|
On Wed, 2005-04-20 at 21:40, Colm Dougan wrote: > On 20 Apr 2005 21:16:20 +1000, Jamie Cameron <jca...@we...> wrote: > > On Wed, 2005-04-20 at 21:02, Colm Dougan wrote: > > > On 20 Apr 2005 14:01:37 +1000, Jamie Cameron <jca...@we...> wrote: > > > > On Wed, 2005-04-20 at 11:53, Colm Dougan wrote: > > > > > Hi list, > > > > > > > > > > I am trying to implement a webmin module whereby there is an > > > > > inactivity timeout on the user session. I can't seem to find any > > > > > documentation of how I do this in the docs or in the list archives but > > > > > I guess I must have missed this. > > > > > > .... > > > > > > > > Perhaps this funcionality is not supported any more or something but > > > > > I'd appreciate any advice people can give me on how I can do this, I > > > > > don't mind patching miniserv,pl if that is necessary. > > > > > > > > There is no way to access those pipes or the session database from a CGI > > > > script - they are internal to miniserv.pl, and used solely for > > > > communication between the master process and sub-processes. You could > > > > hack miniserv.pl to behave differently, but that would make your module > > > > dependent on a non-standard part of Webmin. > > > > > > > > What change are you trying to make exactly? I may be able to suggest a > > > > better solution .. > > > > > > Not sure exactly, I was considering having my CGI process create a > > > file somewhere called "${sessionid}.expired" with the timeout in it. > > > Then I was going to change the piece of code I mentioned earlier in > > > miniserv.pl to use this in that section. I'd love to hear any other > > > suggestions you have, > > > > > > Having thought about it some more I think maybe I'm missing something > > > - is the session timeout something that already "just works" or was I > > > initially right in thinking that it was not a supported feature i.e. > > > can you clarify if there already is a standard way to use this and > > > maybe I can warp my thinking to that instead. > > > > The session timeout is already enforced by Webmin for all modules, and > > can be configured in the Webmin Configuration module under > > Authentication. So there isn't really any need to implement your own > > timeout, unless you want to do something special like adjust it on a > > per-module basis .. > > Great - this is really useful. Is this documented anywhere? Only in my book unfortunately :-) Although the default works well for most people, so it isn't often changed.. - Jamie |
From: Colm D. <col...@gm...> - 2005-04-20 14:44:13
|
> > > The session timeout is already enforced by Webmin for all modules, an= d > > > can be configured in the Webmin Configuration module under > > > Authentication. So there isn't really any need to implement your own > > > timeout, unless you want to do something special like adjust it on a > > > per-module basis .. > > > > Great - this is really useful. Is this documented anywhere? >=20 > Only in my book unfortunately :-) > Although the default works well for most people, so it isn't often > changed.. I got it working by adding "logouttime=3D3" to miniserv.conf. A gotcha with this is that if you have any CGI scripts that reload themselves periodically with JavaScript then you can find that you never hit the timeout because the JavaScriipt reload (quite understandably) is activity. Not that I'd expect webmin to deal with that - I'm just mentioning it. I'll most probably have to patch webmin to have a list of URLs that will not count as a request for the purposes of calculating the timeout. Thanks again. Colm |
From: Jamie C. <jca...@we...> - 2005-04-20 23:07:53
|
On Thu, 2005-04-21 at 00:43, Colm Dougan wrote: > > > > The session timeout is already enforced by Webmin for all modules, and > > > > can be configured in the Webmin Configuration module under > > > > Authentication. So there isn't really any need to implement your own > > > > timeout, unless you want to do something special like adjust it on a > > > > per-module basis .. > > > > > > Great - this is really useful. Is this documented anywhere? > > > > Only in my book unfortunately :-) > > Although the default works well for most people, so it isn't often > > changed.. > > I got it working by adding "logouttime=3" to miniserv.conf. A gotcha > with this is that if you have any CGI scripts that reload themselves > periodically with JavaScript then you can find that you never hit the > timeout because the JavaScriipt reload (quite understandably) is > activity. Not that I'd expect webmin to deal with that - I'm just > mentioning it. I'll most probably have to patch webmin to have a list > of URLs that will not count as a request for the purposes of > calculating the timeout. That could certainly be done - if you do create a patch for this, please send it to me and I'll incorporate it into the next Webmin release. I'd advise making the list of URLs not to update the timeout be configurable, from something in miniserv.conf (which goes into the %config hash). - Jamie |