Re: 3rd party logon Need documentation on Gbrowse session handling

classic Classic list List threaded Threaded
5 messages Options
Reply | Threaded
Open this post in threaded view
|

Re: 3rd party logon Need documentation on Gbrowse session handling

Michael Dondrup-3
Hi Lishuang,


could you have a look at:
https://github.com/mdondrup/GBrowse/blob/master/cgi-bin/samlPostEpr
and tell me if that helps you. The interaction with the gbrowse api starts at line 45.

To avoid a having to rewrite and use the gbrowse main cgi as
a receiver for the POST message I added another endpoint script. Apart from receiving and
validating the encrypted SAML code it also contains the logic to create a gbrowse user and
session and to initialize the session and to 'redirect' via java script. Note that we trust the
SAML authentication in that we will also create a new gbrowse user in the database if there
is not already such an account.

Please let me know if you have any further questions.

Best
Michael


Michael Dondrup
Postdoctoral fellow
Sea Lice Research Centre/Department of Informatics
University of Bergen
Thormøhlensgate 55, N-5008 Bergen,
Norway

On Jan 30, 2015, at 2:35 PM, Lishuang Shen wrote:

> Hello:
>
> Regarding your 3rd party logon. I need your  advice.
>
> http://sourceforge.net/p/gmod/mailman/message/33295297/
>
>
>
> I am following similar strategyto yours above  for 3rd party login done with PHP. I handled
> the information with perl PHP::session and able to read and validate the PHP generated
> session and validated with session information in Gbrowse mysql.
>
> I use database to store the user and session information, not using files.
> So I am trying to activate my validated session information into Gbrowse.
> But stuck here regarding how to set cookie. It will jump to the gbrowse page, but not able to logon.
>
>
>
>
> Thank you,
>
> Lishuang
>
>
>
>
> #########################################################
> # I am trying to use directly the part of gbrowse login, for some infoirmation:
>
>    my $nonce = Bio::Graphics::Browser2::Util->generate_id;
>    my $ip    = CGI::remote_addr(); ## OK for ssl?
>    $session-> set_nonce($nonce,$ip, 1); #set_nonce($nonce,$ip,$remember);
>    $session-> using_openid('false');
> my $uploadsid  = $userdb-> get_uploads_id($userid);
>
>    print STDERR "id= $sessionid_from_user, IP: $ip  $nonce  -- username =", $session->username;
>    print STDERR "\nauthorize_user: $userid, $sessionid_from_user ". $session->id . "  2, 'false'.\n Logon: $sessionid, $nonce\nuploadsid --" . $uploadsid;
>    $session->flush();
>
>
>
> #########################################################
> # here I am following your code:
>
>      ## now generate the html page that will initialize the session
>      ## start with the session cookie:
>
>      my $cookie = CGI::Cookie->new(-name => 'gbrowse_sess',
>      -path =>  '/var/www/HBCR/gbrowse2/',
>      -expires => '+1M',
>      -value => $session->id );
>
>      ## some JSON data is required for calling the java script:
> # user or username in GB? I give both
>       my $result = to_json { userOK  => 1,
>                  sessionid => $sessionid_from_user,
>                  username  => $userid,
>                  message   => 'login ok',
>                 };
>      ## import required javascript functions
>  my $htmlhead = "<script src=\"https://mseqdr.org/gbrowse2/js/login.js\" type=\"text/javascript\"></script>
> <script src=\"https://mseqdr.org/gbrowse2/js/controller.js\" type=\"text/javascript\"></script>\n";
>
>   print header(-type=>"text/html", -cookie=> $cookie);
>   print start_html(-head=>$htmlhead);
>   print STDERR "Found existing user with ID: $userid / $validated_login_id <br>\n$fullname $email\n<br> PHP SessionID: $id2 <br>\nGbrowse SessionID:$sessionid_from_user -- $sessionid \n".$session->id;
>
> print "\n\n<script type=\"text/javascript\">\n";
> print "var p = $result;\n";
> print "login_load_account(\"$myurl\", p);\n";
> print "</script>\n";  
>   print end_html();
> }
>
>
>
>

------------------------------------------------------------------------------
Dive into the World of Parallel Programming. The Go Parallel Website,
sponsored by Intel and developed in partnership with Slashdot Media, is your
hub for all things parallel software development, from weekly thought
leadership blogs to news, videos, case studies, tutorials and more. Take a
look and join the conversation now. http://goparallel.sourceforge.net/
_______________________________________________
Gmod-gbrowse mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/gmod-gbrowse

signature.asc (465 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: 3rd party logon Need documentation on Gbrowse session handling

Michael Dondrup-3
Please keep gmod-gbrowse address posted.

On Jan 30, 2015, at 5:17 PM, Michael Dondrup wrote:

> Hi,
>
> Why would you store the cookie in a database or file? Cookies are stored by the web-client, and retrieved via their name, this doesn't depend on by which
> API (perl or php) the cookie was set. However, if the two applications are on different domains this might cause problems.
> . If you need session management, you should use CGI ::Session, if you need more control over the cookies use CGI::cookie,
>
> hope this helps.
>
>
> On Jan 30, 2015, at 3:46 PM, Lishuang Shen wrote:
>
>> Hello, Michael:
>>
>> Thank you for the quick help.
>>
>> After checking and comparison, I think my issue is still in last step of cookie setting, where seems my cookie was not written. It was not written to the folder I specified. And I don't know if it went into database. My other functions are essentially same as yours except for that I handle 3rd party logon in PHP. I will investigate it.
>>
>>
>> I am quite just started with direct session and cookie manipulation, and still trying to understand the how the gbrowse authentication  system working.
>>
>> Lishuang Shen
>>
>>
>> ________________________________________
>> From: Michael Dondrup [[hidden email]]
>> Sent: Friday, January 30, 2015 9:01 AM
>> To: Lishuang Shen
>> Cc: [hidden email] List
>> Subject: Re: [Gmod-gbrowse] 3rd party logon   Need documentation on Gbrowse session handling
>>
>> Hi Lishuang,
>>
>>
>> could you have a look at:
>> https://github.com/mdondrup/GBrowse/blob/master/cgi-bin/samlPostEpr
>> and tell me if that helps you. The interaction with the gbrowse api starts at line 45.
>>
>> To avoid a having to rewrite and use the gbrowse main cgi as
>> a receiver for the POST message I added another endpoint script. Apart from receiving and
>> validating the encrypted SAML code it also contains the logic to create a gbrowse user and
>> session and to initialize the session and to 'redirect' via java script. Note that we trust the
>> SAML authentication in that we will also create a new gbrowse user in the database if there
>> is not already such an account.
>>
>> Please let me know if you have any further questions.
>>
>> Best
>> Michael
>>
>>
>> Michael Dondrup
>> Postdoctoral fellow
>> Sea Lice Research Centre/Department of Informatics
>> University of Bergen
>> Thormøhlensgate 55, N-5008 Bergen,
>> Norway
>>
>> On Jan 30, 2015, at 2:35 PM, Lishuang Shen wrote:
>>
>>> Hello:
>>>
>>> Regarding your 3rd party logon. I need your  advice.
>>>
>>> http://sourceforge.net/p/gmod/mailman/message/33295297/
>>>
>>>
>>>
>>> I am following similar strategyto yours above  for 3rd party login done with PHP. I handled
>>> the information with perl PHP::session and able to read and validate the PHP generated
>>> session and validated with session information in Gbrowse mysql.
>>>
>>> I use database to store the user and session information, not using files.
>>> So I am trying to activate my validated session information into Gbrowse.
>>> But stuck here regarding how to set cookie. It will jump to the gbrowse page, but not able to logon.
>>>
>>>
>>>
>>>
>>> Thank you,
>>>
>>> Lishuang
>>>
>>>
>>>
>>>
>>> #########################################################
>>> # I am trying to use directly the part of gbrowse login, for some infoirmation:
>>>
>>>  my $nonce = Bio::Graphics::Browser2::Util->generate_id;
>>>  my $ip    = CGI::remote_addr(); ## OK for ssl?
>>>  $session-> set_nonce($nonce,$ip, 1); #set_nonce($nonce,$ip,$remember);
>>>  $session-> using_openid('false');
>>>     my $uploadsid  = $userdb-> get_uploads_id($userid);
>>>
>>>  print STDERR "id= $sessionid_from_user, IP: $ip  $nonce  -- username =", $session->username;
>>>  print STDERR "\nauthorize_user: $userid, $sessionid_from_user ". $session->id . "  2, 'false'.\n Logon: $sessionid, $nonce\nuploadsid --" . $uploadsid;
>>>  $session->flush();
>>>
>>>
>>>
>>> #########################################################
>>> # here I am following your code:
>>>
>>>    ## now generate the html page that will initialize the session
>>>    ## start with the session cookie:
>>>
>>>    my $cookie = CGI::Cookie->new(-name => 'gbrowse_sess',
>>>    -path =>  '/var/www/HBCR/gbrowse2/',
>>>    -expires => '+1M',
>>>    -value => $session->id );
>>>
>>>    ## some JSON data is required for calling the java script:
>>> # user or username in GB? I give both
>>>     my $result = to_json { userOK  => 1,
>>>                sessionid => $sessionid_from_user,
>>>                username  => $userid,
>>>                message   => 'login ok',
>>>               };
>>>    ## import required javascript functions
>>> my $htmlhead = "<script src=\"https://mseqdr.org/gbrowse2/js/login.js\" type=\"text/javascript\"></script>
>>> <script src=\"https://mseqdr.org/gbrowse2/js/controller.js\" type=\"text/javascript\"></script>\n";
>>>
>>> print header(-type=>"text/html", -cookie=> $cookie);
>>> print start_html(-head=>$htmlhead);
>>> print STDERR "Found existing user with ID: $userid / $validated_login_id <br>\n$fullname $email\n<br> PHP SessionID: $id2 <br>\nGbrowse SessionID:$sessionid_from_user -- $sessionid \n".$session->id;
>>>
>>> print "\n\n<script type=\"text/javascript\">\n";
>>> print "var p = $result;\n";
>>> print "login_load_account(\"$myurl\", p);\n";
>>> print "</script>\n";
>>> print end_html();
>>> }
>>>
>>>
>>>
>>>
>>
>>
>

------------------------------------------------------------------------------
Dive into the World of Parallel Programming. The Go Parallel Website,
sponsored by Intel and developed in partnership with Slashdot Media, is your
hub for all things parallel software development, from weekly thought
leadership blogs to news, videos, case studies, tutorials and more. Take a
look and join the conversation now. http://goparallel.sourceforge.net/
_______________________________________________
Gmod-gbrowse mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/gmod-gbrowse

signature.asc (465 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: 3rd party logon Need documentation on Gbrowse session handling

Lishuang_shen@meei.harvard.edu
Hello:

Here comes the part of code not working as expected:

#########################################################
# I omitted: PHP session handling, validating codes
# now the gbrowse session and cookie generating:

  $sessionid_from_user ='3577ef08baaf0a8ebecf87d74f92266a'; ## pulled from gbrowse user/session tables matching 3rd party logon user

     $session = $globals-> session($sessionid_from_user);
      my $sessionid = $session->id;
      $session -> username($userid);
      $session -> id($sessionid_from_user);
      my $ip = CGI::remote_addr(); ## OK for ssl?

    $session ->flush();
       
#########################################################
      ## now generate the html page that will initialize the session
      ## start with the session cookie:

      my $cookie = CGI::Cookie->new(-name => 'gbrowse_sess',
      -path => '/',  
      -expires => '+1M',
      -value => $sessionid_from_user );

      ## some JSON data is required for calling the java script:
      my $result = to_json { userOK  => 1,
                  sessionid => $session->id,
                  username  => $userid,
                  message   => 'login ok',
                 };

## checking what are set in cookie:
%cookies2 = CGI::Cookie->fetch;
for ( keys %cookies2)
{
print STDERR "\n\n BEFORE  $_   *:*  " . $cookies{$_};
}
# null, mean not set cookie yet as we expect, because page is not generated yet.


 
my $htmlhead = <<HTML
<script src="/gbrowse2/js/login.js" type="text/javascript"></script>
<script src="/gbrowse2/js/controller.js" type="text/javascript"></script>
HTML
;
# remark: here I still have correct $session->id:  3577ef08baaf0a8ebecf87d74f92266a

print header(-type=>"text/html", -cookie=>$cookie);
print start_html(-head=>$htmlhead);
print script({-type=>'text/javascript'},
<<SCRIPT
var p = $result;
 login_load_account("$myurl", p);
SCRIPT
);

## checking what are set in cookie:
%cookies = CGI::Cookie->fetch;
for ( keys %cookies)
{
print STDERR "\n\nAFTER <br>\n$_ ::: " . $cookies{$_};
}
print end_html();

}

########################################################
# check the %cookies :

# gbrowse_sess ::: gbrowse_sess=ecef5afcd977f5eb48902538c177444d; path=/
# _ga ::: _ga=GA1.2.712573035.1420653082; path=/
#  _gat ::: _gat=1; path=/
# authority ::: authority=6bb6679dbb2c9ff8fa55158f51949c69; path=/

So it means the new session id:  gbrowse_sess=ecef5afcd977f5eb48902538c177444d passed in cookie is not what (3577ef08baaf0a8ebecf87d74f92266a) I originally used to generate $session.

 
#########################################################



Lishuang




________________________________________
From: Michael Dondrup [[hidden email]]
Sent: Friday, January 30, 2015 11:22 AM
To: Lishuang Shen
Cc: [hidden email] List
Subject: Re: [Gmod-gbrowse] 3rd party logon   Need documentation on Gbrowse session handling

Please keep gmod-gbrowse address posted.

On Jan 30, 2015, at 5:17 PM, Michael Dondrup wrote:

> Hi,
>
> Why would you store the cookie in a database or file? Cookies are stored by the web-client, and retrieved via their name, this doesn't depend on by which
> API (perl or php) the cookie was set. However, if the two applications are on different domains this might cause problems.
> . If you need session management, you should use CGI ::Session, if you need more control over the cookies use CGI::cookie,
>
> hope this helps.
>
>
> On Jan 30, 2015, at 3:46 PM, Lishuang Shen wrote:
>
>> Hello, Michael:
>>
>> Thank you for the quick help.
>>
>> After checking and comparison, I think my issue is still in last step of cookie setting, where seems my cookie was not written. It was not written to the folder I specified. And I don't know if it went into database. My other functions are essentially same as yours except for that I handle 3rd party logon in PHP. I will investigate it.
>>
>>
>> I am quite just started with direct session and cookie manipulation, and still trying to understand the how the gbrowse authentication  system working.
>>
>> Lishuang Shen
>>
>>
>> ________________________________________
>> From: Michael Dondrup [[hidden email]]
>> Sent: Friday, January 30, 2015 9:01 AM
>> To: Lishuang Shen
>> Cc: [hidden email] List
>> Subject: Re: [Gmod-gbrowse] 3rd party logon   Need documentation on Gbrowse session handling
>>
>> Hi Lishuang,
>>
>>
>> could you have a look at:
>> https://github.com/mdondrup/GBrowse/blob/master/cgi-bin/samlPostEpr
>> and tell me if that helps you. The interaction with the gbrowse api starts at line 45.
>>
>> To avoid a having to rewrite and use the gbrowse main cgi as
>> a receiver for the POST message I added another endpoint script. Apart from receiving and
>> validating the encrypted SAML code it also contains the logic to create a gbrowse user and
>> session and to initialize the session and to 'redirect' via java script. Note that we trust the
>> SAML authentication in that we will also create a new gbrowse user in the database if there
>> is not already such an account.
>>
>> Please let me know if you have any further questions.
>>
>> Best
>> Michael
>>
>>
>> Michael Dondrup
>> Postdoctoral fellow
>> Sea Lice Research Centre/Department of Informatics
>> University of Bergen
>> Thormøhlensgate 55, N-5008 Bergen,
>> Norway
>>
>> On Jan 30, 2015, at 2:35 PM, Lishuang Shen wrote:
>>
>>> Hello:
>>>
>>> Regarding your 3rd party logon. I need your  advice.
>>>
>>> http://sourceforge.net/p/gmod/mailman/message/33295297/
>>>
>>>
>>>
>>> I am following similar strategyto yours above  for 3rd party login done with PHP. I handled
>>> the information with perl PHP::session and able to read and validate the PHP generated
>>> session and validated with session information in Gbrowse mysql.
>>>
>>> I use database to store the user and session information, not using files.
>>> So I am trying to activate my validated session information into Gbrowse.
>>> But stuck here regarding how to set cookie. It will jump to the gbrowse page, but not able to logon.
>>>
>>>
>>>
>>>
>>> Thank you,
>>>
>>> Lishuang
>>>
>>>
>>>
>>>
>>> #########################################################
>>> # I am trying to use directly the part of gbrowse login, for some infoirmation:
>>>
>>>  my $nonce = Bio::Graphics::Browser2::Util->generate_id;
>>>  my $ip    = CGI::remote_addr(); ## OK for ssl?
>>>  $session-> set_nonce($nonce,$ip, 1); #set_nonce($nonce,$ip,$remember);
>>>  $session-> using_openid('false');
>>>     my $uploadsid  = $userdb-> get_uploads_id($userid);
>>>
>>>  print STDERR "id= $sessionid_from_user, IP: $ip  $nonce  -- username =", $session->username;
>>>  print STDERR "\nauthorize_user: $userid, $sessionid_from_user ". $session->id . "  2, 'false'.\n Logon: $sessionid, $nonce\nuploadsid --" . $uploadsid;
>>>  $session->flush();
>>>
>>>
>>>
>>> #########################################################
>>> # here I am following your code:
>>>
>>>    ## now generate the html page that will initialize the session
>>>    ## start with the session cookie:
>>>
>>>    my $cookie = CGI::Cookie->new(-name => 'gbrowse_sess',
>>>    -path =>  '/var/www/HBCR/gbrowse2/',
>>>    -expires => '+1M',
>>>    -value => $session->id );
>>>
>>>    ## some JSON data is required for calling the java script:
>>> # user or username in GB? I give both
>>>     my $result = to_json { userOK  => 1,
>>>                sessionid => $sessionid_from_user,
>>>                username  => $userid,
>>>                message   => 'login ok',
>>>               };
>>>    ## import required javascript functions
>>> my $htmlhead = "<script src=\"https://mseqdr.org/gbrowse2/js/login.js\" type=\"text/javascript\"></script>
>>> <script src=\"https://mseqdr.org/gbrowse2/js/controller.js\" type=\"text/javascript\"></script>\n";
>>>
>>> print header(-type=>"text/html", -cookie=> $cookie);
>>> print start_html(-head=>$htmlhead);
>>> print STDERR "Found existing user with ID: $userid / $validated_login_id <br>\n$fullname $email\n<br> PHP SessionID: $id2 <br>\nGbrowse SessionID:$sessionid_from_user -- $sessionid \n".$session->id;
>>>
>>> print "\n\n<script type=\"text/javascript\">\n";
>>> print "var p = $result;\n";
>>> print "login_load_account(\"$myurl\", p);\n";
>>> print "</script>\n";
>>> print end_html();
>>> }
>>>
>>>
>>>
>>>
>>
>>
>



------------------------------------------------------------------------------
Dive into the World of Parallel Programming. The Go Parallel Website,
sponsored by Intel and developed in partnership with Slashdot Media, is your
hub for all things parallel software development, from weekly thought
leadership blogs to news, videos, case studies, tutorials and more. Take a
look and join the conversation now. http://goparallel.sourceforge.net/
_______________________________________________
Gmod-gbrowse mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/gmod-gbrowse
Reply | Threaded
Open this post in threaded view
|

Re: 3rd party logon Need documentation on Gbrowse session handling

Michael Dondrup-3

Hi,
see my comments inline.


On Jan 30, 2015, at 9:25 PM, Lishuang Shen wrote:

> Hello:
>
> Here comes the part of code not working as expected:
>
> #########################################################
> # I omitted: PHP session handling, validating codes
> # now the gbrowse session and cookie generating:
>
>  $sessionid_from_user ='3577ef08baaf0a8ebecf87d74f92266a'; ## pulled from gbrowse user/session tables matching 3rd party logon user
>
This might be problem, you shouldn't try to bypass the session id handling by fetching something from the
db, this id might be invalid or expired. You should let Bio::Graphics::Browser2::Session handle the id, it is using CGI::Session and that does the id handling very well. Look at the code here: https://metacpan.org/source/LDS/GBrowse-2.55/lib/Bio/Graphics/Browser2/Session.pm#

The "new" method has an id parameter in case you really wish to revive a certain session. I would rather leave that alone.
In the script  that is working for us, we do not attempt to mess with the session id.

If some user is coming from the login process for the first time, it is very likely that there is no valid session id yet for the user (either logs in for the first time or
logged out, or session expired before, so no valid session).

>     $session = $globals-> session($sessionid_from_user);
This might give you the session corresponding to sessionid_from_user (not sure if this is passed on though) but only if the session is still valid.

>      my $sessionid = $session->id;
>      $session -> username($userid);
>      $session -> id($sessionid_from_user);
When you look at the id method it is only a getter not a setter, so this has no effect.




>      my $ip = CGI::remote_addr(); ## OK for ssl?
>
>    $session ->flush();
>
> #########################################################
>      ## now generate the html page that will initialize the session
>      ## start with the session cookie:
>
>      my $cookie = CGI::Cookie->new(-name => 'gbrowse_sess',
>      -path => '/',  
>      -expires => '+1M',
>      -value => $sessionid_from_user );
I think you should just use $sessionid here.

>
>      ## some JSON data is required for calling the java script:
>      my $result = to_json { userOK  => 1,
>                  sessionid => $session->id,
>                  username  => $userid,
>                  message   => 'login ok',
>                 };
>
> ## checking what are set in cookie:
> %cookies2 = CGI::Cookie->fetch;
> for ( keys %cookies2)
> {
> print STDERR "\n\n BEFORE  $_   *:*  " . $cookies{$_};
> }
> # null, mean not set cookie yet as we expect, because page is not generated yet.
>
>
>
> my $htmlhead = <<HTML
> <script src="/gbrowse2/js/login.js" type="text/javascript"></script>
> <script src="/gbrowse2/js/controller.js" type="text/javascript"></script>
> HTML
> ;
> # remark: here I still have correct $session->id:  3577ef08baaf0a8ebecf87d74f92266a
>
> print header(-type=>"text/html", -cookie=>$cookie);
> print start_html(-head=>$htmlhead);
> print script({-type=>'text/javascript'},
> <<SCRIPT
> var p = $result;
> login_load_account("$myurl", p);
> SCRIPT
> );
>
> ## checking what are set in cookie:
> %cookies = CGI::Cookie->fetch;
> for ( keys %cookies)
> {
> print STDERR "\n\nAFTER <br>\n$_ ::: " . $cookies{$_};
> }
> print end_html();
>
> }
>
> ########################################################
> # check the %cookies :
>
> # gbrowse_sess ::: gbrowse_sess=ecef5afcd977f5eb48902538c177444d; path=/
> # _ga ::: _ga=GA1.2.712573035.1420653082; path=/
> #  _gat ::: _gat=1; path=/
> # authority ::: authority=6bb6679dbb2c9ff8fa55158f51949c69; path=/
>
> So it means the new session id:  gbrowse_sess=ecef5afcd977f5eb48902538c177444d passed in cookie is not what (3577ef08baaf0a8ebecf87d74f92266a) I originally used to generate $session.
>
>
> #########################################################
>
>
>
> Lishuang
>
>
>
>
> ________________________________________
> From: Michael Dondrup [[hidden email]]
> Sent: Friday, January 30, 2015 11:22 AM
> To: Lishuang Shen
> Cc: [hidden email] List
> Subject: Re: [Gmod-gbrowse] 3rd party logon   Need documentation on Gbrowse session handling
>
> Please keep gmod-gbrowse address posted.
>
> On Jan 30, 2015, at 5:17 PM, Michael Dondrup wrote:
>
>> Hi,
>>
>> Why would you store the cookie in a database or file? Cookies are stored by the web-client, and retrieved via their name, this doesn't depend on by which
>> API (perl or php) the cookie was set. However, if the two applications are on different domains this might cause problems.
>> . If you need session management, you should use CGI ::Session, if you need more control over the cookies use CGI::cookie,
>>
>> hope this helps.
>>
>>
>> On Jan 30, 2015, at 3:46 PM, Lishuang Shen wrote:
>>
>>> Hello, Michael:
>>>
>>> Thank you for the quick help.
>>>
>>> After checking and comparison, I think my issue is still in last step of cookie setting, where seems my cookie was not written. It was not written to the folder I specified. And I don't know if it went into database. My other functions are essentially same as yours except for that I handle 3rd party logon in PHP. I will investigate it.
>>>
>>>
>>> I am quite just started with direct session and cookie manipulation, and still trying to understand the how the gbrowse authentication  system working.
>>>
>>> Lishuang Shen
>>>
>>>
>>> ________________________________________
>>> From: Michael Dondrup [[hidden email]]
>>> Sent: Friday, January 30, 2015 9:01 AM
>>> To: Lishuang Shen
>>> Cc: [hidden email] List
>>> Subject: Re: [Gmod-gbrowse] 3rd party logon   Need documentation on Gbrowse session handling
>>>
>>> Hi Lishuang,
>>>
>>>
>>> could you have a look at:
>>> https://github.com/mdondrup/GBrowse/blob/master/cgi-bin/samlPostEpr
>>> and tell me if that helps you. The interaction with the gbrowse api starts at line 45.
>>>
>>> To avoid a having to rewrite and use the gbrowse main cgi as
>>> a receiver for the POST message I added another endpoint script. Apart from receiving and
>>> validating the encrypted SAML code it also contains the logic to create a gbrowse user and
>>> session and to initialize the session and to 'redirect' via java script. Note that we trust the
>>> SAML authentication in that we will also create a new gbrowse user in the database if there
>>> is not already such an account.
>>>
>>> Please let me know if you have any further questions.
>>>
>>> Best
>>> Michael
>>>
>>>
>>> Michael Dondrup
>>> Postdoctoral fellow
>>> Sea Lice Research Centre/Department of Informatics
>>> University of Bergen
>>> Thormøhlensgate 55, N-5008 Bergen,
>>> Norway
>>>
>>> On Jan 30, 2015, at 2:35 PM, Lishuang Shen wrote:
>>>
>>>> Hello:
>>>>
>>>> Regarding your 3rd party logon. I need your  advice.
>>>>
>>>> http://sourceforge.net/p/gmod/mailman/message/33295297/
>>>>
>>>>
>>>>
>>>> I am following similar strategyto yours above  for 3rd party login done with PHP. I handled
>>>> the information with perl PHP::session and able to read and validate the PHP generated
>>>> session and validated with session information in Gbrowse mysql.
>>>>
>>>> I use database to store the user and session information, not using files.
>>>> So I am trying to activate my validated session information into Gbrowse.
>>>> But stuck here regarding how to set cookie. It will jump to the gbrowse page, but not able to logon.
>>>>
>>>>
>>>>
>>>>
>>>> Thank you,
>>>>
>>>> Lishuang
>>>>
>>>>
>>>>
>>>>
>>>> #########################################################
>>>> # I am trying to use directly the part of gbrowse login, for some infoirmation:
>>>>
>>>> my $nonce = Bio::Graphics::Browser2::Util->generate_id;
>>>> my $ip    = CGI::remote_addr(); ## OK for ssl?
>>>> $session-> set_nonce($nonce,$ip, 1); #set_nonce($nonce,$ip,$remember);
>>>> $session-> using_openid('false');
>>>>    my $uploadsid  = $userdb-> get_uploads_id($userid);
>>>>
>>>> print STDERR "id= $sessionid_from_user, IP: $ip  $nonce  -- username =", $session->username;
>>>> print STDERR "\nauthorize_user: $userid, $sessionid_from_user ". $session->id . "  2, 'false'.\n Logon: $sessionid, $nonce\nuploadsid --" . $uploadsid;
>>>> $session->flush();
>>>>
>>>>
>>>>
>>>> #########################################################
>>>> # here I am following your code:
>>>>
>>>>   ## now generate the html page that will initialize the session
>>>>   ## start with the session cookie:
>>>>
>>>>   my $cookie = CGI::Cookie->new(-name => 'gbrowse_sess',
>>>>   -path =>  '/var/www/HBCR/gbrowse2/',
>>>>   -expires => '+1M',
>>>>   -value => $session->id );
>>>>
>>>>   ## some JSON data is required for calling the java script:
>>>> # user or username in GB? I give both
>>>>    my $result = to_json { userOK  => 1,
>>>>               sessionid => $sessionid_from_user,
>>>>               username  => $userid,
>>>>               message   => 'login ok',
>>>>              };
>>>>   ## import required javascript functions
>>>> my $htmlhead = "<script src=\"https://mseqdr.org/gbrowse2/js/login.js\" type=\"text/javascript\"></script>
>>>> <script src=\"https://mseqdr.org/gbrowse2/js/controller.js\" type=\"text/javascript\"></script>\n";
>>>>
>>>> print header(-type=>"text/html", -cookie=> $cookie);
>>>> print start_html(-head=>$htmlhead);
>>>> print STDERR "Found existing user with ID: $userid / $validated_login_id <br>\n$fullname $email\n<br> PHP SessionID: $id2 <br>\nGbrowse SessionID:$sessionid_from_user -- $sessionid \n".$session->id;
>>>>
>>>> print "\n\n<script type=\"text/javascript\">\n";
>>>> print "var p = $result;\n";
>>>> print "login_load_account(\"$myurl\", p);\n";
>>>> print "</script>\n";
>>>> print end_html();
>>>> }
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>
>
>

------------------------------------------------------------------------------
Dive into the World of Parallel Programming. The Go Parallel Website,
sponsored by Intel and developed in partnership with Slashdot Media, is your
hub for all things parallel software development, from weekly thought
leadership blogs to news, videos, case studies, tutorials and more. Take a
look and join the conversation now. http://goparallel.sourceforge.net/
_______________________________________________
Gmod-gbrowse mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/gmod-gbrowse

signature.asc (465 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: 3rd party logon Need documentation on Gbrowse session handling

Lishuang_shen@meei.harvard.edu
Hello:

You are right. I should not have trying to farce in a sid for new session.  My code did generate new session for 1st time user. But it is not good way from the results.

So now I let the CGI to create sid.

Now I have the cookie set with the  new session information.

One thing special for gbrowse, as I just learned from colleague:

in gbrowse, the cookie path ='/' need to be set to  '/cgi-bin/gb2/' or like per one's own server setting. After following this, it seems now I can  get the cookie set correctly with the correct session. I hope this is only  my last step away for automatic logon in gbowse working. I will keep you posted.


      my $cookie = CGI::Cookie->new(-name => 'gbrowse_sess',
      -path => '/cgi-bin/gb2/',  
      -expires => '+1M',
      -value =>  $session->id );

Thank you and have a great weekend.

Lishuang


________________________________________
From: Michael Dondrup [[hidden email]]
Sent: Friday, January 30, 2015 4:17 PM
To: Lishuang Shen
Cc: Ryan Doherty; [hidden email] List
Subject: Re: [Gmod-gbrowse] 3rd party logon   Need documentation on Gbrowse session handling

Hi,
see my comments inline.


On Jan 30, 2015, at 9:25 PM, Lishuang Shen wrote:

> Hello:
>
> Here comes the part of code not working as expected:
>
> #########################################################
> # I omitted: PHP session handling, validating codes
> # now the gbrowse session and cookie generating:
>
>  $sessionid_from_user ='3577ef08baaf0a8ebecf87d74f92266a'; ## pulled from gbrowse user/session tables matching 3rd party logon user
>
This might be problem, you shouldn't try to bypass the session id handling by fetching something from the
db, this id might be invalid or expired. You should let Bio::Graphics::Browser2::Session handle the id, it is using CGI::Session and that does the id handling very well. Look at the code here: https://metacpan.org/source/LDS/GBrowse-2.55/lib/Bio/Graphics/Browser2/Session.pm#

The "new" method has an id parameter in case you really wish to revive a certain session. I would rather leave that alone.
In the script  that is working for us, we do not attempt to mess with the session id.

If some user is coming from the login process for the first time, it is very likely that there is no valid session id yet for the user (either logs in for the first time or
logged out, or session expired before, so no valid session).

>     $session = $globals-> session($sessionid_from_user);
This might give you the session corresponding to sessionid_from_user (not sure if this is passed on though) but only if the session is still valid.

>      my $sessionid = $session->id;
>      $session -> username($userid);
>      $session -> id($sessionid_from_user);
When you look at the id method it is only a getter not a setter, so this has no effect.




>      my $ip = CGI::remote_addr(); ## OK for ssl?
>
>    $session ->flush();
>
> #########################################################
>      ## now generate the html page that will initialize the session
>      ## start with the session cookie:
>
>      my $cookie = CGI::Cookie->new(-name => 'gbrowse_sess',
>      -path => '/',
>      -expires => '+1M',
>      -value => $sessionid_from_user );
I think you should just use $sessionid here.

>
>      ## some JSON data is required for calling the java script:
>      my $result = to_json { userOK  => 1,
>                  sessionid => $session->id,
>                  username  => $userid,
>                  message   => 'login ok',
>                 };
>
> ## checking what are set in cookie:
> %cookies2 = CGI::Cookie->fetch;
> for ( keys %cookies2)
> {
> print STDERR "\n\n BEFORE  $_   *:*  " . $cookies{$_};
> }
> # null, mean not set cookie yet as we expect, because page is not generated yet.
>
>
>
> my $htmlhead = <<HTML
> <script src="/gbrowse2/js/login.js" type="text/javascript"></script>
> <script src="/gbrowse2/js/controller.js" type="text/javascript"></script>
> HTML
> ;
> # remark: here I still have correct $session->id:  3577ef08baaf0a8ebecf87d74f92266a
>
> print header(-type=>"text/html", -cookie=>$cookie);
> print start_html(-head=>$htmlhead);
> print script({-type=>'text/javascript'},
> <<SCRIPT
> var p = $result;
> login_load_account("$myurl", p);
> SCRIPT
> );
>
> ## checking what are set in cookie:
> %cookies = CGI::Cookie->fetch;
> for ( keys %cookies)
> {
> print STDERR "\n\nAFTER <br>\n$_ ::: " . $cookies{$_};
> }
> print end_html();
>
> }
>
> ########################################################
> # check the %cookies :
>
> # gbrowse_sess ::: gbrowse_sess=ecef5afcd977f5eb48902538c177444d; path=/
> # _ga ::: _ga=GA1.2.712573035.1420653082; path=/
> #  _gat ::: _gat=1; path=/
> # authority ::: authority=6bb6679dbb2c9ff8fa55158f51949c69; path=/
>
> So it means the new session id:  gbrowse_sess=ecef5afcd977f5eb48902538c177444d passed in cookie is not what (3577ef08baaf0a8ebecf87d74f92266a) I originally used to generate $session.
>
>
> #########################################################
>
>
>
> Lishuang
>
>
>
>
> ________________________________________
> From: Michael Dondrup [[hidden email]]
> Sent: Friday, January 30, 2015 11:22 AM
> To: Lishuang Shen
> Cc: [hidden email] List
> Subject: Re: [Gmod-gbrowse] 3rd party logon   Need documentation on Gbrowse session handling
>
> Please keep gmod-gbrowse address posted.
>
> On Jan 30, 2015, at 5:17 PM, Michael Dondrup wrote:
>
>> Hi,
>>
>> Why would you store the cookie in a database or file? Cookies are stored by the web-client, and retrieved via their name, this doesn't depend on by which
>> API (perl or php) the cookie was set. However, if the two applications are on different domains this might cause problems.
>> . If you need session management, you should use CGI ::Session, if you need more control over the cookies use CGI::cookie,
>>
>> hope this helps.
>>
>>
>> On Jan 30, 2015, at 3:46 PM, Lishuang Shen wrote:
>>
>>> Hello, Michael:
>>>
>>> Thank you for the quick help.
>>>
>>> After checking and comparison, I think my issue is still in last step of cookie setting, where seems my cookie was not written. It was not written to the folder I specified. And I don't know if it went into database. My other functions are essentially same as yours except for that I handle 3rd party logon in PHP. I will investigate it.
>>>
>>>
>>> I am quite just started with direct session and cookie manipulation, and still trying to understand the how the gbrowse authentication  system working.
>>>
>>> Lishuang Shen
>>>
>>>
>>> ________________________________________
>>> From: Michael Dondrup [[hidden email]]
>>> Sent: Friday, January 30, 2015 9:01 AM
>>> To: Lishuang Shen
>>> Cc: [hidden email] List
>>> Subject: Re: [Gmod-gbrowse] 3rd party logon   Need documentation on Gbrowse session handling
>>>
>>> Hi Lishuang,
>>>
>>>
>>> could you have a look at:
>>> https://github.com/mdondrup/GBrowse/blob/master/cgi-bin/samlPostEpr
>>> and tell me if that helps you. The interaction with the gbrowse api starts at line 45.
>>>
>>> To avoid a having to rewrite and use the gbrowse main cgi as
>>> a receiver for the POST message I added another endpoint script. Apart from receiving and
>>> validating the encrypted SAML code it also contains the logic to create a gbrowse user and
>>> session and to initialize the session and to 'redirect' via java script. Note that we trust the
>>> SAML authentication in that we will also create a new gbrowse user in the database if there
>>> is not already such an account.
>>>
>>> Please let me know if you have any further questions.
>>>
>>> Best
>>> Michael
>>>
>>>
>>> Michael Dondrup
>>> Postdoctoral fellow
>>> Sea Lice Research Centre/Department of Informatics
>>> University of Bergen
>>> Thormøhlensgate 55, N-5008 Bergen,
>>> Norway
>>>
>>> On Jan 30, 2015, at 2:35 PM, Lishuang Shen wrote:
>>>
>>>> Hello:
>>>>
>>>> Regarding your 3rd party logon. I need your  advice.
>>>>
>>>> http://sourceforge.net/p/gmod/mailman/message/33295297/
>>>>
>>>>
>>>>
>>>> I am following similar strategyto yours above  for 3rd party login done with PHP. I handled
>>>> the information with perl PHP::session and able to read and validate the PHP generated
>>>> session and validated with session information in Gbrowse mysql.
>>>>
>>>> I use database to store the user and session information, not using files.
>>>> So I am trying to activate my validated session information into Gbrowse.
>>>> But stuck here regarding how to set cookie. It will jump to the gbrowse page, but not able to logon.
>>>>
>>>>
>>>>
>>>>
>>>> Thank you,
>>>>
>>>> Lishuang
>>>>
>>>>
>>>>
>>>>
>>>> #########################################################
>>>> # I am trying to use directly the part of gbrowse login, for some infoirmation:
>>>>
>>>> my $nonce = Bio::Graphics::Browser2::Util->generate_id;
>>>> my $ip    = CGI::remote_addr(); ## OK for ssl?
>>>> $session-> set_nonce($nonce,$ip, 1); #set_nonce($nonce,$ip,$remember);
>>>> $session-> using_openid('false');
>>>>    my $uploadsid  = $userdb-> get_uploads_id($userid);
>>>>
>>>> print STDERR "id= $sessionid_from_user, IP: $ip  $nonce  -- username =", $session->username;
>>>> print STDERR "\nauthorize_user: $userid, $sessionid_from_user ". $session->id . "  2, 'false'.\n Logon: $sessionid, $nonce\nuploadsid --" . $uploadsid;
>>>> $session->flush();
>>>>
>>>>
>>>>
>>>> #########################################################
>>>> # here I am following your code:
>>>>
>>>>   ## now generate the html page that will initialize the session
>>>>   ## start with the session cookie:
>>>>
>>>>   my $cookie = CGI::Cookie->new(-name => 'gbrowse_sess',
>>>>   -path =>  '/var/www/HBCR/gbrowse2/',
>>>>   -expires => '+1M',
>>>>   -value => $session->id );
>>>>
>>>>   ## some JSON data is required for calling the java script:
>>>> # user or username in GB? I give both
>>>>    my $result = to_json { userOK  => 1,
>>>>               sessionid => $sessionid_from_user,
>>>>               username  => $userid,
>>>>               message   => 'login ok',
>>>>              };
>>>>   ## import required javascript functions
>>>> my $htmlhead = "<script src=\"https://mseqdr.org/gbrowse2/js/login.js\" type=\"text/javascript\"></script>
>>>> <script src=\"https://mseqdr.org/gbrowse2/js/controller.js\" type=\"text/javascript\"></script>\n";
>>>>
>>>> print header(-type=>"text/html", -cookie=> $cookie);
>>>> print start_html(-head=>$htmlhead);
>>>> print STDERR "Found existing user with ID: $userid / $validated_login_id <br>\n$fullname $email\n<br> PHP SessionID: $id2 <br>\nGbrowse SessionID:$sessionid_from_user -- $sessionid \n".$session->id;
>>>>
>>>> print "\n\n<script type=\"text/javascript\">\n";
>>>> print "var p = $result;\n";
>>>> print "login_load_account(\"$myurl\", p);\n";
>>>> print "</script>\n";
>>>> print end_html();
>>>> }
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>
>
>



------------------------------------------------------------------------------
Dive into the World of Parallel Programming. The Go Parallel Website,
sponsored by Intel and developed in partnership with Slashdot Media, is your
hub for all things parallel software development, from weekly thought
leadership blogs to news, videos, case studies, tutorials and more. Take a
look and join the conversation now. http://goparallel.sourceforge.net/
_______________________________________________
Gmod-gbrowse mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/gmod-gbrowse