Hi mod_perl-ers,

I've been working with the Apache::AuthCookie module, and have made a couple of
modifications that make it more flexible.  As an added benefit, the code is now
shorter and simpler. =)  I hereby submit the code for discussion and possible
adoption by Eric.  Patch attached.

The motivation for this was that I wanted users to be able to access certain
documents whether they're logged in or not.  If they're logged in, they should
get a customized version of the document (packages like HTML::Mason make this
easy), and if they're not, they get a generic version.  This required two
changes:

 - Apache::AuthCookie should be able to recognize whether a user is logged 
   in, *even for unprotected documents*.
   
 - Since a user can access a document regardless of whether he/she is
   logged in, and since the user should be able to log in at any time, the
   login procedure should be triggerable by some means other than simply
   accessing a protected document.

The key change is that there's now a URL (I've called it LOGIN) and
corresponding method (Apache::AuthCookie->login()) that handles a user's
initial login.  After login, the user is redirected to the page they requested. 
This means that the authen() method doesn't have to implement such complicated
logic anymore - if the user sent a cookie, check its validity.  If not,
redirect to the login form.  That meant I could rip out a lot of the code from
the authen() method.

There's also a new recognize_user() method which checks to see whether a valid
authentication cookie has been sent, and if so, sets $r->connection->user.


As a bonus side-effect, AuthCookie can now authenticate even when the requested
page URL has a non-empty query string (this has been a limitation of
AuthCookie).  This is because the redirection URL is now simply sent in the
login form as a hidden field, so it can contain whatever query information it
wants.


It's important to note that these changes are not fully backward-compatible
with previous versions.  Some modifications will be required to adopters'
.htaccess files and login forms.  Here's what mine look like.  The login form
can be on any page, allowing the user to log in at any time:

  <!-- any page may carry this form; LOGIN is the URL handled by MMAuth->login -->
  <form action="LOGIN" method="GET">
   <!-- where to send the user after a successful login -->
   <input type="hidden" name="destination" value="<% $current_url %>">
   <!-- tells login() which AuthType/AuthName the request belongs to -->
   <input type="hidden" name="AuthType" value="<% $r->auth_type %>">
   <input type="hidden" name="AuthName" value="<% $r->auth_name %>">
   <!-- credential_0, credential_1, ... are handed in order to authen_cred() -->
   username:<br> <input type="text" name="credential_0" size="13"><br>
   password:<br> <input type="password" name="credential_1" size="13"><br>
   <input type="submit" name="submit" value="login">
  </form>

My .htaccess file (in a /listeners/ directory) is as follows.  MMAuth is a
subclass of Apache::AuthCookie, implementing the authen_cred() and
authen_ses_key() methods.


  # ListenerPath / ListenerLoginScript are AuthCookie's per-realm settings
  # (<AuthName>Path and <AuthName>LoginScript for AuthName "Listener").
  AuthType MMAuth
  AuthName Listener
  PerlSetVar ListenerPath /listeners/
  PerlSetVar ListenerLoginScript /listeners/login.pl
  PerlSetVar MMSessionExpiration 480
  # Runs for every request under /listeners/, so unprotected pages also
  # see $r->connection->user when a valid cookie was sent.
  PerlFixupHandler MMAuth->recognize_user

  # The URL the login form submits to.
  <Files LOGIN>
   SetHandler perl-script
   PerlHandler MMAuth->login
  </Files>

  # Only this file actually requires a login.
  <Files ~ "^protected\.ma$">
   PerlAuthenHandler MMAuth->authen
   PerlAuthzHandler MMAuth->authz
   require valid-user
  </Files>

Standard subclasses of Apache::AuthCookie should not require any changes unless
they're wacky (i.e. change more than just the authen_cred() and
authen_ses_key() methods).



  -------------------                            -------------------
  Ken Williams                             Last Bastion of Euclidity
  [EMAIL PROTECTED]                            The Math Forum
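
An added example, not Ken's patch (which is not reproduced on this page) and not Apache::AuthCookie's own code: a subclass in the shape the message describes, with authen_cred() and authen_ses_key() implemented over an HMAC-signed, expiring session key, plus a safe_destination() check for the hidden "destination" field. That field is filled in by the client, so a login() handler that redirects to it unchecked is an open redirect; the check restricts it to a local path. The user table, the MMSessionSecret PerlSetVar, the session-key format, the sample destinations and the FakeRequest stand-in for $r are all assumptions made so the script runs with plain perl outside mod_perl.

```perl
#!/usr/bin/perl
# Added example, not Ken's patch: an Apache::AuthCookie-style subclass with
# authen_cred()/authen_ses_key() over an HMAC-signed session key, and a
# destination check for the login form's hidden field.  User table, secret
# name, key format and FakeRequest are constructed assumptions.
use strict;
use warnings;

package MMAuth;
use Digest::SHA qw(hmac_sha256_hex);

# Constructed credential table (username => password).  A real subclass
# would check a database; plaintext passwords are only for this demo.
my %USERS = (alice => 'correct horse', bob => 'hunter2');

sub _sign {
    my ($r, $payload) = @_;
    # MMSessionSecret is an assumed PerlSetVar holding a per-server secret.
    return hmac_sha256_hex($payload, $r->dir_config('MMSessionSecret'));
}

# Receives credential_0, credential_1, ... from the login form.
# Returns the session key to store in the cookie, or undef on failure.
sub authen_cred {
    my ($self, $r, $user, $pass) = @_;
    return undef unless defined $user && defined $pass && $user !~ /:/;
    return undef unless exists $USERS{$user} && $USERS{$user} eq $pass;
    # MMSessionExpiration (minutes) as in the .htaccess above.
    my $ttl     = 60 * ($r->dir_config('MMSessionExpiration') || 480);
    my $payload = join ':', $user, time() + $ttl;
    return join ':', $payload, _sign($r, $payload);
}

# Receives the cookie value from authen() or recognize_user().
# Returns the username if the key is authentic and unexpired, else undef.
sub authen_ses_key {
    my ($self, $r, $key) = @_;
    my ($user, $expires, $mac) = split /:/, (defined $key ? $key : ''), 3;
    return undef unless defined $mac;
    return undef unless $expires =~ /^\d+$/ && $expires > time();
    my $want = _sign($r, "$user:$expires");
    # Compare MACs in constant time so a forged key leaks nothing by timing.
    return undef unless length($mac) == length($want);
    my $diff = 0;
    $diff |= ord(substr($mac, $_, 1)) ^ ord(substr($want, $_, 1))
        for 0 .. length($mac) - 1;
    return $diff == 0 ? $user : undef;
}

# The hidden "destination" field is under the client's control, so login()
# should only redirect to a local path; anything else is an open redirect.
sub safe_destination {
    my ($self, $dest, $default) = @_;
    $default = '/' unless defined $default;
    return $default unless defined $dest && length $dest;
    return $default if $dest =~ /[\r\n]/;              # header injection
    return $default if $dest =~ m{^//};                 # scheme-relative URL
    return $default if $dest =~ m{^[A-Za-z][\w+.-]*:};  # absolute URL
    return $dest =~ m{^/} ? $dest : $default;
}

# Stand-in for the mod_perl request object so the script runs outside
# Apache; only dir_config() is needed by the methods above.
package FakeRequest;
sub new        { my ($class, %vars) = @_; return bless {%vars}, $class }
sub dir_config { my ($self, $name) = @_; return $self->{$name} }

package main;

my $r = FakeRequest->new(
    MMSessionSecret     => 'change-me-to-a-long-random-value',
    MMSessionExpiration => 480,
);

my $key = MMAuth->authen_cred($r, 'alice', 'correct horse');
printf "login ok, user from key: %s\n", MMAuth->authen_ses_key($r, $key);

# Flip the last hex digit of the MAC: the key must be rejected.
(my $forged = $key) =~ s/(.)$/$1 eq '0' ? '1' : '0'/e;
printf "forged key accepted? %s\n",
    MMAuth->authen_ses_key($r, $forged) ? 'yes' : 'no';

printf "wrong password gives: %s\n",
    defined MMAuth->authen_cred($r, 'bob', 'wrong') ? 'a key' : 'undef';

# Constructed sample destinations: only the first should be honoured.
for my $dest ('/listeners/protected.ma?id=7', '//evil.example/',
              'http://evil.example/', 'javascript:alert(1)') {
    printf "destination %-30s -> %s\n", $dest, MMAuth->safe_destination($dest);
}
```

Because the key carries its own expiry and a MAC over "user:expires", the server stores no session state; revoking a user or rotating MMSessionSecret is the only way to invalidate keys early, which is the usual trade-off of this design.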
