Hi Michael

> This could work though I don't know how to set and check cookies from
> an authz handler. I'll think about it...

Thinking about it, you don't need the Basic Authentication login box - just
write your own login page using standard HTML.
 
1. Have your login function generate a cookie when the user logs in

2. The cookie will be a concatenation of username, login time, and an MD5
hash of the username, login time and a secret key. e.g.

Login cookie value = bob|2006-05-03T11:45|5d41402abc4b2a76b9719d911017c592

3. In your mod_perl PerlAuthenHandler, check for the cookie and its validity

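use Apache::Constants qw(OK REDIRECT);
use Apache::Cookie ();
use Digest::MD5 qw(md5_hex);

# Read the 'login' cookie, if the browser sent one
my %cookies = Apache::Cookie->fetch();
my $login   = exists($cookies{'login'}) ? $cookies{'login'}->value : '';

# Expected form: username|login time|hash
if ($login =~ /^(.*)\|(.*)\|(.*)$/) {
       my $ch_user  = $1;
       my $ch_login = $2;
       my $ch_hash  = $3;

       # Recompute the hash with the server-side secret key and compare
       return OK if (md5_hex($ch_user.$ch_login.$secret_key) eq $ch_hash);
}

# No cookie, or the hash did not match: redirect to $purchase_server
$r->no_cache(1);
$r->header_out(Location => $purchase_server);
return REDIRECT;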

Note that you've bypassed all the basic authentication realm stuff, so users
can be truly logged out when they've finished.

Dan

> -----Original Message-----
> From: Michael Lackhoff [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, 3 May 2006 1:00 a.m.
> To: Dan Horne; [email protected]
> Subject: RE: [cgiapp] OT: apache logout and a javascript question
> 
> On 2 May 2006 at 23:07, Dan Horne wrote:
> 
> > How about setting a cookie when the user logs in - so an authenticated
> user
> > will have both the basic credentials and the cookie - i.e. your
> > authentication handler will check that both are provided. Delete the
> cookie
> > when the user logs out.
> 
> This could work though I don't know how to set and check cookies from
> an authz handler. I'll think about it...
> 
> Thanks,
> Michael
> 
> 
> ---------------------------------------------------------------------
> Web Archive:  http://www.mail-archive.com/[email protected]/
>               http://marc.theaimsgroup.com/?l=cgiapp&r=1&w=2
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
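
The cookie scheme from Dan's message, as an added example that is not part of the original thread: the same username|login time|hash layout, but using HMAC-SHA256 over the delimited fields, a constant-time comparison, and a maximum cookie age. The function names, the secret, the 8-hour lifetime and the use of epoch seconds for the login time are assumptions made for this example.

```perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Assumed values for this example; neither comes from the thread.
my $SECRET  = 'replace-with-a-long-random-server-side-secret';
my $MAX_AGE = 8 * 60 * 60;    # accept a cookie for 8 hours after login

# Build "user|login_epoch|mac". The MAC covers the delimited string, so
# ("bob", "12") and ("bob1", "2") can never yield the same MAC input.
sub make_login_cookie {
    my ($user, $now) = @_;
    die "bad username\n" unless $user =~ /\A[A-Za-z0-9_.-]+\z/;
    my $payload = "$user|$now";
    return $payload . '|' . hmac_sha256_hex($payload, $SECRET);
}

# Compare two strings without stopping at the first differing byte.
sub secure_eq {
    my ($x, $y) = @_;
    return 0 unless length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Return the username for a valid, unexpired cookie, otherwise undef.
sub check_login_cookie {
    my ($cookie, $now) = @_;
    return undef unless defined $cookie;
    my ($user, $ts, $mac) =
        $cookie =~ /\A([A-Za-z0-9_.-]+)\|(\d{1,12})\|([0-9a-f]{64})\z/
        or return undef;
    return undef unless secure_eq(hmac_sha256_hex("$user|$ts", $SECRET), $mac);
    return undef if $ts > $now || $now - $ts > $MAX_AGE;
    return $user;
}

# Constructed sample values, not taken from the thread.
my $t0     = 1146656700;
my $cookie = make_login_cookie('bob', $t0);
(my $forged = $cookie) =~ s/\Abob/eve/;    # username swapped, MAC unchanged

printf "%-8s %s\n", 'fresh',   check_login_cookie($cookie, $t0 + 60)           // 'rejected';
printf "%-8s %s\n", 'forged',  check_login_cookie($forged, $t0 + 60)           // 'rejected';
printf "%-8s %s\n", 'expired', check_login_cookie($cookie, $t0 + $MAX_AGE + 1) // 'rejected';
printf "%-8s %s\n", 'missing', check_login_cookie(undef,   $t0)                // 'rejected';
```

In a PerlAuthenHandler, check_login_cookie would take the value fetched from the 'login' cookie and the current time, with a defined return meaning OK and undef meaning the redirect.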


