Session DB
This defines the session storage database. Sessions are created and managed with the Perl CGI::Session module. Refer to the documentation for that module for a more detailed description of the configuration options available for the store and expiry parameters.
Attribute | Default | Notes |
---|---|---|
store | driver:file;serializer:default;id:md5 | This tells CGI::Session to use file-based session storage (the cookie carries only the session ID). See the CGI::Session man page for further information. |
cookie | <APPNAME>_CGISESSID | The default session cookie name is <APPNAME>_CGISESSID. If you are serving multiple Jarvis applications on the same host, then ensure that each one uses a separate cookie name. |
expiry | +1h | Specifies the extension period for the cookie after every successful Jarvis interaction. |
sid_source | cookie | The places where Jarvis should look for the SID. This is a comma-separated string of the following options: cookie (look in the cookie named by the cookie attribute); url (look in the parameters passed in the URL, where the parameter name is the name given in the cookie attribute). The order in which they are listed is relevant. For example, url,cookie means that the URL parameters are checked first and, if the relevant parameter cannot be found, the cookies are then searched. For more information see SID source. |
In addition, the sessiondb configuration supports contained parameter tags, whose meaning depends on the CGI::Session driver type selected.
<sessiondb store="driver:file;serializer:default;id:md5" expiry="+3M" cookie="APP_CGISESSID" sid_source="cookie">
    <parameter name="Directory" value="/home/myapp/tmp/sessions"/>
</sessiondb>
Each parameter sub-element has a name and a value attribute. These parameters are passed directly to CGI::Session. The only documented parameter is Directory, for the file driver. For other parameters, see the CGI::Session man page.
Name | Default | Notes |
---|---|---|
Directory | (System TMP Dir) | This specifies the location for storing CGI sessions on local disk. The default directory is operating system dependent. |
Domain | $ENV{HTTP_HOST} | Specifies the domain to use when comparing addresses for the purposes of cross-origin validation. |
Path | / | Specifies the path to include when generating cookies for the client. |
Secure | no | Specifies whether cookies generated for the client may only be sent over HTTPS. |
Note: If you omit the <sessiondb> tag entirely, then Jarvis will not maintain a session cookie. Instead, every Jarvis request will invoke the full Login check sequence as configured by your <login> settings.
The following considerations apply:
With Jarvis <sessiondb> and cookie | Without Jarvis <sessiondb> or cookie |
---|---|
More secure. No need to pass the username and password in each request. | This is a key point. If the login settings you are using require a username and/or password, then in general a <sessiondb> is recommended. |
Less secure. If the user is blocked in the underlying database, they can still continue to access Jarvis as long as the cookie is valid. | More secure. If the user is blocked in the user database, they are immediately locked out of Jarvis access. |
More efficient. No need to re-perform the full login sequence for each request. | More secure. If the login configuration is set up to check a certificate or IP address, it is better to perform this check on every request. |
User changes ignored. If the Jarvis session is piggybacking on another session (e.g. Drupal 6), then re-logging in as a new Drupal user will not be picked up by Jarvis. It will blindly and wrongly continue its session for the old user. | User changes detected. Any changes to the parent session will be immediately detected by Jarvis. |
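The following Perl script is an added illustration, not code from Jarvis or from CGI::Session, of how the attributes in the tables above map onto CGI::Session calls: the store string and Directory parameter go to load()/new(), the SID is resolved in sid_source order (url before cookie), the expiry is applied as a sliding idle timeout, and the cookie is issued with the Path and Secure settings. It also closes the "less secure" gap noted in the comparison table by re-checking the user record whenever a session is resumed, so a user blocked after logging in is locked out at the next request rather than when the cookie expires. The in-memory user table, the /home/myapp/tmp/sessions path and the helper names (find_sid, authenticate_user, user_is_active, reject) are constructed for this example; CGI.pm's -httponly cookie option is assumed to be available in the installed version.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;
use CGI::Session;

# Values mirroring the <sessiondb> example above (hard-coded here, not read from the XML).
my %sessiondb = (
    store      => 'driver:file;serializer:default;id:md5',
    cookie     => 'APP_CGISESSID',
    expiry     => '+1h',
    sid_source => 'url,cookie',
    parameters => { Directory => '/home/myapp/tmp/sessions' },   # hypothetical path
);

# Constructed stand-in for the user database: username => { password, active }.
my %USERS = (
    alice => { password => 'correct horse', active => 1 },
    bob   => { password => 'hunter2',       active => 0 },   # account has been blocked
);

my $cgi = CGI->new;
# Make CGI::Session's own cookie/param fallback use our cookie name rather than CGISESSID.
CGI::Session->name($sessiondb{cookie});

# Resolve the SID in sid_source order; the first source holding a plausible value wins.
sub find_sid {
    my ($cgi, $cfg) = @_;
    for my $src (split /\s*,\s*/, $cfg->{sid_source}) {
        my $sid = $src eq 'url'    ? scalar $cgi->param($cfg->{cookie})
                : $src eq 'cookie' ? scalar $cgi->cookie($cfg->{cookie})
                : undef;
        # id:md5 generates 32 hex characters; reject anything else before touching disk.
        return $sid if defined $sid && $sid =~ /^[0-9a-f]{32}$/i;
    }
    return undef;
}

sub authenticate_user {
    my ($cgi) = @_;
    my $u = scalar $cgi->param('username') // return;
    my $p = scalar $cgi->param('password') // return;
    my $rec = $USERS{$u} or return;
    return ($rec->{active} && $rec->{password} eq $p) ? $u : undef;
}

sub user_is_active {
    my ($u) = @_;
    return defined $u && $USERS{$u} && $USERS{$u}{active};
}

sub reject {
    my ($status) = @_;
    print $cgi->header(-status => $status);
    exit;
}

my $sid = find_sid($cgi, \%sessiondb);
my $session;
if (defined $sid) {
    # load() returns an empty session object (not a new one) when the SID is unknown or expired.
    $session = CGI::Session->load($sessiondb{store}, $sid, $sessiondb{parameters})
        or die CGI::Session->errstr;
}

if (!$session || $session->is_expired || $session->is_empty) {
    # No usable session: run the full login sequence (stand-in for the <login> check).
    my $username = authenticate_user($cgi) or reject('401 Unauthorized');
    $session = CGI::Session->new($sessiondb{store}, undef, $sessiondb{parameters})
        or die CGI::Session->errstr;
    $session->param(username => $username);
    # expire() sets an idle timeout; load() refreshes the access time, so the timeout slides
    # forward after every successful interaction, matching the expiry attribute's semantics.
    $session->expire($sessiondb{expiry});
} else {
    # Resumed session: re-check the account so a user blocked after login is cut off now,
    # not only once the cookie runs out (the "less secure" row in the table above).
    unless (user_is_active($session->param('username'))) {
        $session->delete;
        $session->flush;
        reject('403 Forbidden');
    }
}
$session->flush;   # write the session (and its refreshed access time) to the Directory store

my $cookie = $cgi->cookie(
    -name     => $sessiondb{cookie},
    -value    => $session->id,
    -expires  => $sessiondb{expiry},
    -path     => '/',     # the Path parameter
    -secure   => 1,       # the Secure parameter: cookie only sent over HTTPS
    -httponly => 1,       # not in the table above, but keeps page scripts away from the SID
);
print $cgi->header(-cookie => $cookie, -type => 'text/plain');
print "session ", $session->id, " for ", $session->param('username'), "\n";
```

Run it under a CGI-capable web server with the Directory path writable by the server user. The SID regex in find_sid is tied to id:md5; if the store string selects a different id generator, adjust the pattern to match its output format.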