NAME
     Apache::ASP - Active Server Pages for Apache (all platforms)

SYNOPSIS
     SetHandler perl-script
     PerlHandler Apache::ASP
     PerlSetVar Global /tmp # must be some writeable directory

DESCRIPTION
    This module provides a Active Server Pages port to Apache.
    Active Server Pages is a web application platform that
    originated with Microsoft's IIS server. Under Apache for both
    Win32 and Unix, it allows a developer to create web applications
    with session management and perl embedded in static html files.

    This is a portable solution, similar to ActiveWare's PerlScript
    and MKS's PScript implementation of perl for IIS ASP. Work has
    been done and will continue to make ports to and from these
    other implementations as seemless as possible.

  INSTALLATION

    Apache::ASP installs easily using the make or nmake commands as
    shown below. Otherwise, just copy ASP.pm to $PERLLIB/site/Apache

     > perl Makefile.PL
     > make 
     > make test
     > make install

     * use nmake for win32

  CONFIG

    Use with Apache. Copy the /eg directory from the ASP
    installation to your Apache document tree and try it out! You
    have to put

     AllowOverride All

    in your <Directory> config section to let the .htaccess file in
    the /eg installation directory do its work.

    If you want a STARTER config file, just look at the .htaccess
    file in the /eg directory.

    Here is a Location directive that you would put in a *.conf
    Apache configuration file. It describes the ASP variables that
    you can set. Don't set the optional ones if you don't want, the
    defaults are fine...

     ##ASP##PERL##APACHE##UNIX##WINNT##ASP##PERL##APACHE##NOT##IIS##ASP##
     ## INSERT INTO Apache *.conf file, probably access.conf
     ##ASP##PERL##APACHE##ACTIVE##SERVER##PAGES##SCRIPTING##FREE##PEACE##

     <Location /asp/>    

     ###########################################################
     ## mandatory 
     ###########################################################

     # Generic apache directives to make asp start ticking.
     SetHandler perl-script
     PerlHandler Apache::ASP

     # Global
     # ------
     # Must be some writeable directory.  Session and Application
     # state files will be stored in this directory, and 
     # as this directory is pushed onto @INC, you will be 
     # able to "use" and "require" files in this directory.
     #
     PerlSetVar Global /tmp  
            
     ###########################################################
     ## optional flags 
     ###########################################################

     # CookiePath
     # ----------
     # Url root that client responds to by sending the session cookie.
     # If your asp application falls under the server url "/ASP", 
     # then you would set this variable to /ASP.  This then allows
     # you to run different applications on the same server, with
     # different user sessions for each application.
     #
     PerlSetVar CookiePath /   

     # AllowSessionState
     # -----------------
     # Set to 0 for no session tracking, 1 by default
     # If Session tracking is turned off, performance improves,
     # but the $Session object is inaccessible.
     #
     PerlSetVar AllowSessionState 1    

     # SessionTimeout
     # --------------
     # Session timeout in minutes (defaults to 20)
     #
     PerlSetVar SessionTimeout 20 

     # Debug
     # -----
     # 1 for server log debugging, 2 for extra client html output
     # Use 1 for production debugging, use 2 for development.
     # Turn off if you are not debugging.
     #
     PerlSetVar Debug 2     

     # BufferingOn
     # -----------
     # default 1, if true, buffers output through the response object.
     # $Response object will only send results to client browser if
     # a $Response->Flush() is called, or if the asp script ends.  Lots of 
     # output will need to be flushed incrementally.
     # 
     # If false, 0, the output is immediately written to the client,
     # CGI style.
     #
     # I would only turn this off if you have a really robust site,
     # since error handling is poor, if your asp script errors
     # after sending only some text.
     #
     PerlSetVar BufferingOn 1

     # StatINC
     # -------
     # default 0, if true, reloads perl libraries that have changed
     # on disk automatically for ASP scripts.  If false, the www server
     # must be restarted for library changes to take effect.
     #
     # A known bug is that any functions that are exported, e.g. confess 
     # Carp qw(confess), will not be refreshed by StatINC.  To refresh
     # these, you must restart the www server.  
     #
     PerlSetVar StatINC 1

     # SessionSerialize
     # ----------------
     # default 0, if true, locks $Session for duration of script, which
     # serializes requests to the $Session object.  Only one script at
     # a time may run, with sessions allowed.
     # 
     # Serialized requests to the session object is the Microsoft ASP way, 
     # but is dangerous in a production environment, where there is risk
     # of long-running or run-away processes.  If these things happen,
     # a session may be locked for an indefinate period of time.  The
     # terrible STOP button, would be easy prey here, where a user
     # keeps hitting stop and reload, and the scripts execute one at a time
     # until finished.  A run-away process would keep the session locked
     # until server restart.
     #
     PerlSetVar SessionSerialize 0

     # SoftRedirect
     # ------------
     # default 0, if true, a $Response->Redirect() does not end the 
     # script.  Normally, when a Redirect() is called, the script
     # is ended automatically.  SoftRedirect 1, is a standard
     # way of doing redirects, allowing for html output after the 
     # redirect is specified.
     #
     SoftRedirect 0

     # NoState
     # -------
     # default 0, if true, neither the $Application nor $Session objects will
     # be created.  Use this for a performance increase.  Please note that 
     # this setting takes precedence over the AllowSessionState setting.
     #
     NoState 0

     </Location>

     ##ASP##PERL##APACHE##UNIX##WINNT##ASP##PERL##APACHE##NOT##IIS##ASP##
     ## END INSERT
     ##ASP##PERL##APACHE##ACTIVE##SERVER##PAGES##SCRIPTING##!#MICROSOFT##

    You can use the same config in .htaccess files without the
    Location tag. I use the <Files ~ (\.asp)> tag in the .htaccess
    file of the directory that I want to run my asp application.
    This allows me to mix other file types in my application, static
    or otherwise.

ASP Syntax
    ASP embedding syntax allows one to embed code in html in 2
    simple ways. The first is the <% xxx %> tag in which xxx is any
    valid perl code. The second is <%= xxx %> where xxx is some
    scalar value that will be inserted into the html directly. An
    easy print.

     A simple asp page would look like:

     <!-- sample here -->
     <html>
     <body>
     For loop incrementing font size: <p>
     <% for(1..5) { %>
            <!-- iterated html text -->
            <font size="<%=$_%>" > Size = <%=$_%> </font> <br>
     <% } %>
     </body>
     </html>
     <!-- end sample here -->

    Notice that your perl code blocks can span any html. The for
    loop above iterates over the html without any special syntax.

The Object Model
    The beauty of the ASP Object Model is that it takes the burden
    of CGI and Session Management off the developer, and puts them
    in objects accessible from any ASP page. For the perl
    programmer, treat these objects as globals accesible from
    anywhere in your ASP application.

     Currently the Apache::ASP object model supports the following:

     Object         --      Function
     ------                 --------
     $Session       --      session state
     $Response      --      output
     $Request       --      input
     $Application   --      application state
     $Server        --      OLE support + misc

    These objects, and their methods are further defined in the
    following sections.

  $Session Object

    The $Session object keeps track of user + web client state, in a
    persistent manner, making it relatively easy to develop web
    applications. The $Session state is stored accross HTTP
    connections, in SDBM_Files in the Global directory, and will
    persist across server restarts.

    The user's session is referenced by a 32-byte md5-hashed cookie,
    and can be considered secure from session_id guessing, or
    session hijacking. When a hacker fails to guess a session, the
    system times out for a second, and with 2**128 (3.4e38) keys to
    guess, a hacker won't be guessing an id any time soon. Compare
    the 32-byte key with Miscrosoft ASP implementation which is only
    16 bytes.

    If an incoming cookie matches a timed out or non-existent
    session, a new session is created with the incoming id. If the
    id matches a currently active session, the session is tied to it
    and returned. This is also similar to Microsoft's ASP
    implementation.

    The $Session ref is a hash ref, and can be used as such to store
    data as in:

     $Session->{count}++;   # increment count by one
     %{$Session} = ();      # clear $Session data

    The $Session object state is implemented through MLDBM &
    SDBM_File, and a user should be aware of MLDBM's limitations.
    Basically, you can read complex structures, but not write them,
    directly:

     $data = $Session->{complex}{data};      # Read ok.
     $Session->{complex}{data} = $data;      # Write NOT ok.
     $Session->{complex} = {data => $data};  # Write ok, all at once.

    Please see MLDBM for more information on this topic. $Session
    can also be used for the following methods and properties:

    $Session->SessionID()
        SessionID property, returns the id number for the current
        session, which is exchanged between the client and the
        server as a cookie.

    $Session->Timeout($minutes)
        Timeout property, if minutes is defined, sets this session's
        default timeout, else returns the current session timeout.
        If a user session is inactive for the full timeout, the
        user's session is destroyed by the system. No one can access
        the session after it times out, and the system garbage
        collects it eventually.

    $Session->Abandon()
        The abandon method times out the session immediately. All
        Session data is cleared in the process, just as when any
        session times out.

  $Response Object

    This object manages the output from the ASP Application and the
    client's web browser. It does store state information like the
    $Session object but does have a wide array of methods to call.

    $Response->{Buffer}
        Default 1, when TRUE sends output from script to client only
        at the end of processing the script. When 0, response is not
        buffered, and client is sent output as output is generated
        by the script.

    $Response->{ContentType} = "text/html"
        Sets the MIME type for the current response being sent to
        the client. Sent as an HTTP header.

    $Response->{Expires} = $time
        Sends a response header to the client indicating the $time
        in SECONDS in which the document should expire. A time of 0
        means immediate expiration. The header generated is a
        standard HTTP date like: "Wed, 09 Feb 1994 22:23:32 GMT".

    $Response->{ExpiresAbsolute} = $date
        Sends a response header to the client with $date being an
        absolute time to expire. Formats accepted are all those
        accepted by HTTP::Date::str2time(), e.g.

         "Wed, 09 Feb 1994 22:23:32 GMT"       -- HTTP format
         "Tuesday, 08-Feb-94 14:15:29 GMT"     -- old rfc850 HTTP format

         "08-Feb-94"         -- old rfc850 HTTP format    (no weekday, no time)
         "09 Feb 1994"       -- proposed new HTTP format  (no weekday, no time)

         "Feb  3  1994"      -- Unix 'ls -l' format
         "Feb  3 17:03"      -- Unix 'ls -l' format

    $Response->AddHeader($name, $value)
        Adds a custom header to a web page. Headers are sent only
        before any text from the main page is sent, so if you want
        to set a header after some text on a page, you must turn
        BufferingOn.

    $Response->AppendToLog($message)
        Adds $message to the server log.

    $Response->BinaryWrite($data)
        Writes binary data to a page for use by client objects.
        Could someone explain this to me? This currently does
        nothing more than a Write($data), since binary data can be
        in a scalar.

    $Response->Clear()
        Erases buffered ASP output.

    $Response->Cookies($name,$key,$value) (alpha)
        Sets the key or attribute of cookie with name $name to the
        value $value. If $key is not defined, then the Value of the
        cookie is assumed. ASP CookiePath is assumed to be / in
        these examples.

         $Response->Cookies("Test Name", "", "Test Value"); 
           [... results in ...]
         Set-Cookie: Test+Name=Test+Value path=/            

         $Response->Cookies("Test", "data1", "test value");     
         $Response->Cookies("Test", "data2", "more test");      
         $Response->Cookies("Test", "Expires", &HTTP::Date::time2str(time() + 86400))); 
         $Response->Cookies("Test", "Secure", 1);               
         $Response->Cookies("Test", "Path", "/");
         $Response->Cookies("Test", "Domain", "host.com");
           [... results in ...]
         Set-Cookie: Test=data1=test+value&data2=more+test; expires=Wed, 09 Feb 1994 22:23:32 GMT; path=/; domain=host.com; secure 

        Because this is perl, you can (NOT PORTABLE) reference the
        cookies directly through hash notation. The same 5 commands
        above could be compressed to:

         $Response->{Cookies}{Test} = { 
                Secure  => 1, 
                Value   => {data1 => 'test value', data2 => 'more test'},
                Expires => 86400, # not portable shortcut, see above for proper use
                Domain  => 'host.com',
                Path    => '/'
                };

        and the first command would be:

         # you don't need to use hash notation when you are only setting 
         # a simple value
         $Response->{Cookies}{'Test Name'} = 'Test Value'; 

        For more information on Cookies, please go to the source at:
        http://home.netscape.com/newsref/std/cookie_spec.html

    $Response->End()
        Sends result to client, and immediately exits script.
        Automatically called at end of script, if not already
        called.

    $Response->Flush()
        Sends buffered output to client and clears buffer.

    $Response->Redirect($url)
        Sends the client a command to go to a different url $url.
        Script immediately ends.

    $Response->{Status} = $status
        Sets the status code returned by the server. Can be used to
        set messages like 500, internal server error

    $Response->Write($data)
        Write output to the HTML page. <%=$data%> syntax is
        shorthand for a $Response->Write($data). All final output to
        the client must at some point go through this method.

  $Request Object

    The request object manages the input from the client brower,
    like posts, query strings, cookies, etc. Normal return results
    are values if an index is specified, or a collection / perl hash
    ref if no index is specified. WARNING, the latter property is
    not supported in Activeware's PerlScript, so if you use the
    hashes returned by such a technique, it will not be portable.

     # A normal use of this feature would be to iterate through the 
     # form variables in the form hash...

     $form = $Request->Form();
     for(keys %{$form}) {
            $Response->Write("$_: $form->{$_}<br>\n");
     }

     # Please see the eg/server_variables.htm asp file for this 
     # method in action.

    $Request->ClientCertificate()
        Not implemented.

    $Request->Cookies($name, $key) (alpha)
        Returns the value of the Cookie with name $name. If a $key
        is specified, then a lookup will be done on the cookie as if
        it were a query string. So, a cookie set by:

         Set-Cookie: test=data1=1&data2=2

        would have a value of 2 returned by $Request-
        >Cookies('test', 'data2').

        If no name is specified, a hash will be returned of cookie
        names as keys and cookie values as values. If the cookie
        value is a query string, it will automatically be parsed,
        and the value will be a hash reference to these values.

    $Request->Form($name)
        Returns the value of the input of name $name used in a form
        with POST method. If $name is not specified, returns a ref
        to a hash of all the form data.

    $Request->QueryString($name)
        Returns the value of the input of name $name used in a form
        with GET method, or passed by appending a query string to
        the end of a url as in http://someurl.com/?data=value. If
        $name is not specified, returns a ref to a hash of all the
        query string data.

    $Request->ServerVariables($name)
        Returns the value of the server variable / environment
        variable with name $name. If $name is not specified, returns
        a ref to a hash of all the server / environment variables
        data. The following would be a common use of this method:

         $env = $Request->ServerVariables();
         # %{$env} here would be equivalent to the cgi %ENV in perl.

  $Application Object

    Like the $Session object, you may use the $Application object to
    store data across the entire life of the application. Every page
    in the ASP application always has access to this object. So if
    you wanted to keep track of how many visitors there where to the
    application during its lifetime, you might have a line like
    this:

     $Application->{num_users}++

    The Lock and Unlock methods are used to prevent simultaneous
    access to the $Application object.

    $Application->Lock()
        Locks the Application object for the life of the script, or
        until UnLock() unlocks it, whichever comes first. When
        $Application is locked, this gaurantees that data being read
        and written to it will not suddenly change on you between
        the reads and the writes.

        This and the $Session object both lock automatically upon
        every read and every write to ensure data integrity. This
        lock is useful for concurrent access control purposes.

        Be careful to not be too liberal with this, as you can
        quickly create application bottlenecks with its improper
        use.

    $Application->UnLock()
        Unlocks the $Application object. If already unlocked, does
        nothing.

  $Server Object

    The server object is that object that handles everything that
    the other objects don't. The best part of the server object for
    Win32 users is the CreateObject method which allows developers
    to create instances of ActiveX components, like the ADO
    component.

    $Server->{ScriptTimeout} = $seconds
        Will not be implemented, please see the Apache Timeout
        configuration option, normally in httpd.conf.

    $Server->CreateObject($program_id)
        Allows use of ActiveX objects on Win32. This routine returns
        a reference to an Win32::OLE object upon success, and
        nothing upon failure. It is through this mechanism that a
        developer can utilize ADO. The equivalent syntax in VBScript
        is

         Set object = Server.CreateObject(program_id)

        For further information, try 'perldoc Win32::OLE' from your
        favorite command line.

    $Server->HTMLEncode($string)
        Returns an HTML escapes version of $string. &, ", >, <, are
        each escapes with their HTML equivalents. Strings encoded in
        this nature should be raw text displayed to an end user, as
        HTML tags become escaped with this method.

    $Server->MapPath($virtual_directory);
        Not implemented

    $Server->URLEncode($string)
        Returns the URL-escaped version of the string $string. +'s
        are substituted in for spaces and special characters are
        escaped to the ascii equivalents. Strings encoded in this
        manner are safe to put in url's... they are especially
        useful for encoding data used in a query string as in:

         $data = $Server->URLEncode("test data");
         $url = "http://localhost?data=$data";

         $url evaluates to http://localhost?data=test+data, and is a 
         valid URL for use in anchor <a> tags and redirects, etc.

EXAMPLES
    Use with Apache. Copy the ./eg directory from the ASP
    installation to your Apache document tree and try it out! You
    have to put

     AllowOverride All

    in your <Directory> config section to let the .htaccess file in
    the /eg installation directory do its work.

    IMPORTANT (FAQ): Make sure that the web server has write access
    to that directory. Usually a

     chmod -R 0777 eg

    will do the trick :)

FAQ
    How do I get things I want done?!
        If you find a problem with the module, or would like a
        feature added, please mail support, as listed below, and
        your needs will be promptly and seriously considered, then
        implemented.

    What is the state of Apache::ASP?  Can I publish a web site on it?
        Apache::ASP has been production ready since v.02. Work being
        done on the module is on a per-need basis, with the goal
        being to eventually have the ASP API completed, with full
        portability to ActiveState's PerlScript and MKS's PScript.
        If you can suggest any changes to facilitate these goals,
        your comments are welcome.

    I am getting a tie or MLDBM / state error message, what do I do?
        Make sure the web server or you have write access to the eg
        directory, or to the directory specified as Global in the
        config you are using. Default for Global is the directory
        the script is in (e.g. '.'), but should be set to some
        directory not under the www server's document root, for
        security reasons, on a production site.

        Usually a

         chmod -R -0777 eg

        will take care of the write access issue for initial testing
        purposes.

        Failing write access being the problem, try upgrading your
        version of Data::Dumper and MLDBM, which are the modules
        used to write the state files.

    How do I access the ASP Objects in general?
        All the ASP objects can be referenced through the main
        package with the following notation:

         $main::Response->Write("html output");

        This notation can be used from anywhere in perl. Only in
        your main ASP script, can you use the normal notation:

         $Response->Write("html output");

    Can I print() in ASP?
        Yes. You can print() from anywhere in an ASP script as it
        aliases to the $Response->Write() method. However, this
        method is not portable (unless you can tell me otherwise :)

SEE ALSO
    perl(1), mod_perl(3), Apache(3), MLDBM(3), HTTP::Date(3),
    CGI(3), Win32::OLE(3)

NOTES
    Many thanks to those who helped me make this module a reality.
    Whoever said you couldn't do ASP on UNIX? Kudos go out to:

     :) Doug MacEachern, for moral support and of course mod_perl
     :) Ryan Whelan, for boldly testing on Unix in its ASP's early infancy
     :) Lupe Christoph, for his immaculate and stubborn testing skills
     :) Bryan Murphy, for being a PerlScript wiz.
     :) Francesco Pasqualini, for bringing ASP to CGI.
     :) Michael Rothwell, for his love of Session hacking.

SUPPORT
    Please send any questions or comments to the Apache modperl
    mailing list at modperl@apache.org or to me at
    chamas@alumni.stanford.org.

COPYRIGHT
    Copyright (c) 1998 Joshua Chamas. All rights reserved. This
    program is free software; you can redistribute it and/or modify
    it under the same terms as Perl itself.