<div dir="ltr">Go ahead and remove it. It'll give me a good laugh if someone turns out to need it and we have to add the pragma. :)<br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Apr 6, 2020 at 3:14 PM Mark Johnson &lt;<a href="mailto:mark@endpoint.com">mark@endpoint.com</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On 4/6/20 1:23 PM, Mike Heins wrote:<br>
> On Mon, Apr 6, 2020 at 10:46 AM Jon Jensen &lt;<a href="mailto:jon@endpoint.com" target="_blank">jon@endpoint.com</a>&gt; wrote:<br>
> <br>
>> On Sun, 5 Apr 2020, Mike Heins wrote:<br>
>><br>
>>> Certainly could put<br>
>>><br>
>>> if($Pragma->{session_remote_user} and defined $CGI::user and $CGI::user)<br>
>>> {<br>
>>> $host = escape_chars($CGI::user);<br>
>>> }<br>
>>> elsif($Pragma->{session_remote_user} and $CGI::cookieuser) {<br>
>>> $host = $CGI::cookieuser;<br>
>>> }<br>
>>> elsif($CGI::cookiehost) {<br>
>>> $host = $CGI::cookiehost;<br>
>>> }<br>
>>><br>
>>> and allow for any users where this would break them. Though I doubt there<br>
>>> would be any.<br>
>><br>
>> I like that idea if anyone reports breakage, but since<br>
>> "session_remote_user" isn't an existing pragma, someone who needs it<br>
>> probably wouldn't notice it in our release notes and wouldn't use it, so<br>
>> would get breakage anyway. 😊 Might as well just wait till that happens<br>
>> and add it then, and avoid supporting a likely unused feature.<br>
>><br>
>> The only purpose of this behavior that I can think of is that users<br>
>> authenticated with HTTP basic auth can move between IP addresses *and*<br>
>> without a cookie, and not lose their session. Anyone know otherwise?<br>
>><br>
>> Maybe the biggest question is when the last time was that anyone used HTTP<br>
>> basic auth for user authentication at all, much less depended on the<br>
>> session sticking without cookies ...<br>
><br>
> Well, I did use it for a bifurcated admin server that required HTTP Basic<br>
> authorization, but I am guessing that was 2005 or so. :) As I said,<br>
> probably affects no one. I just have always put a workaround in anytime I<br>
> break something instead of leaving it high and dry, but at this point I<br>
> doubt it matters.<br>
<br>
So prospective patches based on both approaches. I'm inclined to full<br>
removal, but am satisfied with either approach since the pragma approach<br>
disables by default.<br>
<br>
Mark<br>
_______________________________________________<br>
interchange-users mailing list<br>
<a href="mailto:interchange-users@interchangecommerce.org" target="_blank">interchange-users@interchangecommerce.org</a><br>
<a href="https://www.interchangecommerce.org/mailman/listinfo/interchange-users" rel="noreferrer" target="_blank">https://www.interchangecommerce.org/mailman/listinfo/interchange-users</a><br>
</blockquote></div><br clear="all"><br>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr"><div>Just because something is obviously happening doesn't mean something<br>obvious is happening. --Larry Wall<br></div></div></div>