Re: AxKit session plugin and automatic login

2007-03-20 Thread Martijn

Hello.

A month ago, I asked (from another address) how to use
Apache::AxKit::Plugin::Session to make users login automatically upon
returning to the website. Following Matt's advice (thanks) I wrote a
quite simple mod_perl handler that does that.

It uses too much code that is specific to our site to publish the
handler here, but roughly it does the following:
- fetches the cookies using Apache::Cookie
- if we're on the logout page, do nothing;
- if there exists no remember me-cookie, do nothing;
- otherwise: use this cookie to find the user in the database;
- set all the global and session variables that are set when logging in;
- and we're done.
The handler always returns 'OK' and it is executed right after the
authenticate handler and before the authorize handler.

Moreover, there are some pages that might contain personal
information. I have built in an extra handler for these pages, that
actually require giving the username and password. To this end,
another session-specific cookie is set when logging in properly that
needs to exist (and, of course, have the correct value) for a user to
access these pages. Otherwise they are redirected to the login page
and have to enter their password.

Thought I'd let you know in case you've got the same problem.

Martijn

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
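
A sketch of the handler outlined in the message above, added here as an example; it is not Martijn's code, which was not published. It assumes mod_perl 1 with libapreq's Apache::Cookie, and the package name, cookie name, logout URI, token format and the in-memory %TOKENS table standing in for the database are all hypothetical.

```perl
package My::AutoLogin;                  # hypothetical module name
use strict;
use warnings;
use Apache::Constants qw(OK);
use Apache::Cookie ();
use Digest::SHA qw(sha256_hex);

# Assumed site settings, invented for this example.
my $LOGOUT_URI = '/logout';
my $REMEMBER   = 'remember_me';         # cookie value: "<selector>:<secret>"

# Stand-in for the user database (constructed sample row). Only a hash of
# the secret is stored, so a leaked table does not yield usable cookies.
my %TOKENS = (
    'a1b2c3d4' => {
        user          => 'alice',
        secret_sha256 => sha256_hex('constructed-sample-secret'),
        expires       => 2_000_000_000, # epoch seconds
    },
);

# Decision logic, kept free of Apache calls so it can be exercised alone.
# Returns the user to log in, or nothing to leave the request untouched.
sub user_for_request {
    my ($uri, $cookie_value, $now) = @_;
    return if $uri eq $LOGOUT_URI;       # on the logout page, do nothing
    return unless defined $cookie_value; # no remember-me cookie, do nothing
    my ($selector, $secret) =
        $cookie_value =~ /\A([0-9a-f]{8,64}):([\w-]{16,128})\z/
        or return;                       # malformed value: treat as absent
    my $row = $TOKENS{$selector} or return;
    return if $row->{expires} <= $now;
    return unless sha256_hex($secret) eq $row->{secret_sha256};
    return $row->{user};
}

sub handler {
    my $r = shift;
    my %cookies = Apache::Cookie->fetch;          # name => cookie object
    my $cookie  = $cookies{$REMEMBER};
    my $value;
    $value = $cookie->value if $cookie;           # scalar context: one value
    my $user = user_for_request($r->uri, $value, time);
    if (defined $user) {
        # Placeholder for "set all the variables that are set when logging in".
        $r->connection->user($user);
        $r->notes(auto_login => 1);     # remembered, not password-verified
    }
    return OK;                                    # always OK, as in the post
}

1;
```

The `auto_login` note is this example's own marker; the post instead separates remembered from password-verified sessions with a second, session-specific cookie that is set only on a proper login.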



Re: AxKit session plugin and automatic login

2007-02-21 Thread Matt Sergeant

[EMAIL PROTECTED] wrote:

Hello.

I'm new to this list (hello) and fairly new in my job, which I took over 
from a regular poster to this list. I've found my way around AxKit pretty 
well, but now I want to make some big changes to the website and I'm 
getting a bit stuck. Perhaps just stuck in my own thoughts, but still, you 
might be able to help me. :)


The website currently logs users off after 30 minutes of inactivity and if 
they come back after that, they need to log in again. We want to make them 
log in automatically upon returning (if they have agreed to that, of 
course). Now it's not very hard to do that, but I want this to be done 
_before_ the server decides whether the user has access to the page at 
all.
We use the Apache::AxKit::Plugin::Session plugin to decide which users can 
see which pages. I would like it to be so that users that use a direct 
link/bookmark to a 'restricted' page to which they have access, the 
server would log them in, recognize they do have access to the page they 
try to view, process the page and return it to the user('s browser).


Would something like this be possible?


Yes, but I honestly think you'll have to drop out of A:A:P::Session to 
do it. Write your own cookie handler (it's not hard) in basic mod_perl, 
and use that up front of AxKit to determine all this stuff. You then 
have full control and aren't giving anything up to a pre-built framework 
that has pre-conceived ideas about how expiration should work.


When I write stuff like this I usually consult Doug MacEachern's book - 
Writing Apache Modules in Perl and C. It has some very copyable code for 
setting/getting cookies for session data.


Matt.
