Provided by: libapache2-sitecontrol-perl_1.05-1_all bug


       Apache2::SiteControl::UserFactory - User factory/persistence


       This class is responsible for creating user objects (see Apache2::SiteControl::User) and
       managing the interfacing of those objects with a persistent session store.  The default
       implementation uses Apache::Session::File to store the various attributes of the user to

       If you want to do your own user management, then you should leave the User class alone,
       and subclass only this factory. The following methods are required:

          This method is called with the Apache Request object, username, password, and all other
          credential_# fields from the login form.  It must create and return an instance of
          Apache2::SiteControl::User (using new...See User), and store that information (along
          with the session key stored in cookie format in the request) in some sort of permanent
          storage.  This method is called in response to a login, so it should invalidate any
          existing session for the given user name (so that a user can be logged in only once).
          This method must return the key to use as the browser session key, or undef if it could
          not create the user.

          This method is passed the apache request and the session key (which you defined in
          makeUser).  This method is called every time a "logged in" user makes a request. In
          other words the user objects are not persistent in memory (each request gets a new
          "copy" of the state). This method uses the session key (which was stored in a browser
          cookie) to figure out what user to restore. The implementation is required to look up
          the user by the session key, recreate a Apache2::SiteControl::User object and return
          it. It must restore all user attributes that have been saved via saveAttribute (below).

          This method is passed the apache request object and a previously created user object.
          It should delete the user object from permanent store so that future request to find
          that user fails unless makeUser has been called to recreate it.  The session ID (which
          you made up in makeUser) is available from $user->{sessionid}.

          This method is automatically called whenever a user has a new attribute value.  The
          incoming arguments are the apache request, the user object, and the name of the
          attribute to save (you can read it with $user->getAttribute($name)). This method must
          save the attribute in a such a way that later calls to findUser will be able to restore
          the attribute to the user object that is created. The session id you created for this
          user (in makeUser) is available in $user->{sessionid}.

Apache Config Directives

       The following is a list of configuration variables that can be set with apache's
       PerlSetVar to configure the behavior of this class:

       SiteControlDebug  (default 0):
          Debug mode

       SiteControlLocks  (default /tmp):
          Where the locks are stored

       SiteControlSessions (default /tmp):
          Where the session data is stored

       SiteControlUsermap (default none):
          Where the usernames are mapped to session files. Required if you want multiple session
          detection. If unset a single userid can be used to log in multiple times

       SiteControlUserFactory (default: Apache2::SiteControl::UserFactory)
          An implementation like this module.

       UserObjectSaveOtherCredentials (default: 0)
          Indicates that other form data from the login screen (credential_2, credential_3, etc.)
          should be saved in the session data. The keys will be credential_2, etc.  name of the
          user factory to use when making user objects.  These are useful if your web application
          has other login choices (i.e. service, database, etc.) that you need to know about at

       UserObjectSavePassword (default 0)
          Indicates that the password should be saved in the local session data, so that it is
          available to other parts of the web app (and not just the auth system).  This might be
          necessary if you are logging the user in and out of services on the back end (like in
          webmail and database apps).

       UserObjectPasswordCipher (default CAST5)
          The CBC cipher used for encrypting the user passwords in the session files (See
          Crypt::CBC for info on allowed ciphers...this value is passed directly to
          Crypt::CBC->new). If you are saving user passwords, they will be encrypted when stored
          in the apache session files. This gives a little bit of added security, and makes the
          apache config the only sensitive file (since that is where you configure the key
          itself) instead of every random session file that is laying around on disk.

          There is a global variable in this package called $encryption_key, which will be used
          if this variable is not set. The suggested method is to set the encryption key during
          server startup using a random value (i.e. from /dev/random), so that all server forks
          will inherit the value.

          The key to use for encryption of the passwords in the session files. See
          UserObjectPasswordCipher above.


       Apache2::SiteControl::User, Apache::SiteControl::PermissionManager,
       Apache2::SiteControl::Rule, Apache::SiteControl


       This module was written by Tony Kay, <>.


       Apache2::SiteControl is covered by the GPL.