[Grok-dev] Strange session / security problem with Grok 0.14

[Steve Schmechel]

--- On Fri, 1/16/09, Ivo van der Wijk <vladdrac at gmail.com> wrote:

> From: Ivo van der Wijk <vladdrac at gmail.com>
> Subject: Re: [Grok-dev] Strange session / security problem with Grok 0.14
> To: "Martijn Faassen" <faassen at startifact.com>
> Cc: grok-dev at zope.org
> Date: Friday, January 16, 2009, 11:50 AM
> 2009/1/16 Martijn Faassen <faassen at startifact.com>:
> 
> >> If you every run into a similar issue, make sure
> you're not using
> >> mod_cache. Heck, make sure you're not using
> mod_cache at all :)
> >
> > Is that conclusion because of mod_cache's
> seemingly rather bad
> > misbehavior or are there yet more reasons not to use
> mod_cache? :)
> >
> 
> I remember from the early days of apache 2.0 that mod_cache
> was
> experimental (but supposed to be better than the caching
> mess in 1.x).
> I haven't played with it since - Squid has always been
> way better, but
> now that I've put some more research into mod_cache
> I've heard it just
> doesn't do its job very well. It lacks fine grained
> configuration,
> caches too agressively, etc.
> 
> Perhaps there are setups where mod_cache makes sense but I
> don't think
> apache in front of Zope / Zope3 is one.
> 
> And its current behaviour in this setup confirms this.
> 

To be fair to the Apache people the current Apache 2.2 mod_cache does work.
I am not endorsing it as a solution here.  Just saying that the 2.0 mod_cache was a mess with Zope/Plone, but it was marked "experimental" all through the 2.0 time frame.  (I mostly saw problems with stale content after edits, rather than the authentication issues mentioned here.)

The 2.2 version is not marked experimental and seems to do it's job.
I don't know enough about the alternatives to compare them.  I can just say that using it with mod_rewrite as a front-end to a Zope2 or Zope3 server instance now seems to work.

http://httpd.apache.org/docs/2.2/caching.html


Steve