CGI Username does not update with diff user login

In my CGI app I need to capture the logged in username that is available in the apache ‘REMOTE_USER’ environment variable. My CGI app is running on RH7 Linux and is a 64-bit app built with Xojo 2016r3.

The problem is that the userid gets set to the first person who runs the CGI and then it never changes thereafter. I’ve double checked that I’m not using a shared property for the app and I’m referring to the Session data.

I’ve tried updating it in the Session.Open event and the HandleURL event as well (per Greg’s recommendation in another thread here on the forum).

The IP of the client is correctly reported via the Session.RemoteAddress but it appears that there should be a Session.UserName property per the Session docs:

If Session.Available Then
  Dim user As String
  user = Session.UserName
End If

But the IDE reports the error message of ‘Type “Session.Session” has no member named “UserName”’ when I use ‘Session.UserName’.

So … this is the command that I’ve tried in the Session.Open event:

dim mUserName as string = System.EnvironmentVariable ( "REMOTE_USER" )

How can I get the session username for each user session?

No, WebSession does not have a UserName property. That code is referring to using a property you’ve added to Session. I’ve added a comment to clarify that.

I have not done this with XOJO, but I have elsewhere:

First you need to make sure that your web server is set up to include the parameter in the headers.

Second in XOJO you need to parse the raw header to find the entry you need.

Thanks @James Dooley , I’ll dig in and report back soon.

It was the middle of the night when I responded…

One other point: I don’t think REMOTE_USER would ever work as a system environment variable, since the application is multi-user.

What’s odd is that REMOTE_USER captures and keeps the first userid that is captured when the CGI runs for the first time, so it’s working at some point, but never changes from then.

If you break on the request and look at the contents of the RawHeaders do you see the REMOTE_USER variable?

So I spoke to the kid (my son 30+ years younger than me) and he said:

  • It should be possible to pick up the remote user via environment variables, provided the server spins off a process per request and sets the variable for each request
  • Have a look for this environment variable: HTTP_X_PROXY_REMOTE_USER it might be an alternative.

I need to do that, but haven’t yet dove into figuring out how to use the Remote Debugger app for a Linux CGI running via Apache.

When you do, select Run Paused and then access the app through the browser.

The Linux console debugger is 32 bit and my server is 64 bit. Ugh…

[justin@myserver]$ ./RemoteDebuggerConsole
Failed to find/load Framework library
libgobject-2.0.so.0: cannot open shared object file: No such file or directory

For the quicker route I dumped the RawHeaders in the Session.Open event:

session.Open: RawHeaders = 'User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36'

Which is pretty sparse unfortunately.

It’s interesting that Session.RemoteAddress works correctly for the client but there’s no way to get the client’s userid from the Apache REMOTE_USER login.

What’s interesting is that the CGI appears to never quit, which might be related. Since we’re not using FastCGI, shouldn’t a new CGI process run for each user that loads the page?

I see this every time I ssh in:

[justin@myserver]$ ps -auxwww | grep -i proteus
apache 24247 0.0 1.3 300924 25536 ? Ssl 16:14 0:12 /var/www/cgi-bin/clmmactools/ProteusMACAddressMapper/ProteusMACAddressMapper --port=26974

Any other recommendations here on what to check? I reviewed all of the CGI settings and they all appear to be correct.

Based on more googling I’ve tried adding this to the /etc/httpd/conf/httpd.conf file, and still no changes to the RawHeaders output:

RequestHeader set X-REMOTE-USER %{REMOTE_USER}s

Is there a better event to access the RawHeaders of the session other than Session.Open?

It depends. If you’re using mod_perl, it could also be reusing the CGI instances.

You may also want to look at this thread on Stack Overflow:

http://stackoverflow.com/questions/20994329/apache-how-to-get-remote-user-variable

Oh and this Feedback item:

<https://xojo.com/issue/45108>

A basic question that should have been asked and confirmed at the start: is the server authenticating users when they try to access the site? Do you get prompted for the user/password combination?

Assuming it is I’d go with the stackoverflow article suggested above.

Yes, we are using Shib logins (http://weblogin.org/) for user logins. Apache redirects to the login page, cosign handles the login and then returns back to the server the REMOTE_USER.

Still plugging away at this but I’ve confirmed that a basic Perl cgi is getting the correct username on different user logins with a basic HelloWorld.cgi that prints out all of the env’s.

[code]#!/usr/bin/perl -w

use constant TYPE_VALUE => 0;
use constant TYPE_STRUCT => 1;
use constant MAX_CHUNK => 65000;
use constant PACK_KEY => 'V';
use strict;

print "Content-Type: text/html\n\n";
# Note there is a newline between
# this header and Data

# Simple HTML code follows
print "<html><head>\n";
print "<title>Hello, world!</title>";
print "</head>\n";
print "<body>\n";
print "<h1>Hello, world!</h1>\n";

# Dump every environment variable Apache passed to this CGI process
foreach my $key (sort(keys(%ENV))) {
    print "$key = $ENV{$key}<br>\n";
}

print "</body></html>\n";[/code]

This is beginning to feel like something within the Xojo perl launch script for my web app or the Xojo WebFramework with a disconnect or re-init of the REMOTE_USER environment variable.

Forgot to mention: In my previous post the test perl script is only accessible after logging in the same method as the Xojo CGI web app. I kept it as consistent as possible.

I’ve added my comments to the feedback link that Greg posted above. The feedback report says that it was fixed on 9/21/16, but I didn’t see it mentioned as implemented in the 2016r3 release notes. When will the fix be released? R4?

As another test point I’ve added logging of all env’s in the Session.PrepareSession event, and these userid variables get set once and then never change:

REMOTE_USER=justin_elliott
HTTP_X_REMOTE_USER=justin_elliott

Again, if I kill the CGI executable that is running and then it gets relaunched it successfully gets the first logged in user’s ID and then never changes again.

apache 46884 0.4 1.2 304592 23944 ? Ssl 14:56 0:05 /var/www/cgi-bin/clmmactools/ProteusMACAddressMapper/ProteusMACAddressMapper --port=34779

Any other ideas?
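The symptom reported in this thread (the first user's ID sticking until the app process is killed) is what a long-running process produces when it reads identity from its own environment, because that environment is fixed at launch. The following Python model is an added example, not code from the thread or from Xojo; `Backend`, `Launcher` and the `X-Remote-User` handling are hypothetical names, and the request environments are constructed samples. It contrasts the stale environment read with identity carried per request in a header that the server side sets from the authenticated `REMOTE_USER`.

```python
# Simplified model only: Backend and Launcher are hypothetical stand-ins.
class Backend:
    """Long-running app process: its environment is fixed at launch."""
    def __init__(self, launch_env):
        self.environ = dict(launch_env)  # snapshot, never refreshed

    def user_from_environ(self):
        # Equivalent of reading REMOTE_USER from the process environment.
        return self.environ.get("REMOTE_USER")

    @staticmethod
    def user_from_request(headers):
        # Per-request identity: trust only the header the launcher set.
        return headers.get("X-Remote-User")


class Launcher:
    """Stands in for the short-lived CGI script Apache runs per request."""
    def __init__(self):
        self.backend = None

    def handle(self, cgi_env):
        if self.backend is None:  # first hit launches the app
            self.backend = Backend(cgi_env)
        headers = {}
        for key, value in cgi_env.items():  # HTTP_* vars of THIS request
            if key.startswith("HTTP_"):
                name = "-".join(p.capitalize() for p in key[5:].split("_"))
                headers[name] = value
        # Drop any client-sent copy, then set it from the authenticated value.
        headers.pop("X-Remote-User", None)
        if cgi_env.get("REMOTE_USER"):
            headers["X-Remote-User"] = cgi_env["REMOTE_USER"]
        return (self.backend.user_from_environ(),
                self.backend.user_from_request(headers))


def demo():
    launcher = Launcher()
    requests = [  # constructed sample CGI environments
        {"REMOTE_USER": "alice", "HTTP_USER_AGENT": "A"},
        {"REMOTE_USER": "bob", "HTTP_X_REMOTE_USER": "alice"},  # client-sent header
        {"HTTP_X_REMOTE_USER": "alice"},  # no authenticated user
    ]
    return [launcher.handle(env) for env in requests]


if __name__ == "__main__":
    print(demo())
```

Each tuple is (identity from the process environment, identity from the per-request header): the first stays at the launching user for every request, while the second follows the authenticated user and is empty when the request carries only a client-sent header.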