Hi folks,
I haven't gotten any response about this. My email to Eric Bartley (the author
of Apache::AuthCookie) bounced - does anyone know how to contact him, or
whether there's a new maintainer?
If we can't find him, I suppose we should either make a new module for this
(Apache::CookieAuth?) or find a new maintainer for AuthCookie.
[EMAIL PROTECTED] (Ken Williams) wrote:
>Hi mod_perl-ers,
>
>I've been working with the Apache::AuthCookie module, and have made a
>couple of modifications that make it more flexible. As an added
>benefit, the code is now shorter and simpler. =) I hereby submit the
>code for discussion and possible adoption by Eric. Patch attached.
>
>The motivation for this was that I wanted users to be able to access
>certain documents whether they're logged in or not. If they're logged
>in, they should get a customized version of the document (packages like
>HTML::Mason make this easy), and if they're not, they get a generic
>version. This required two changes:
>
> - Apache::AuthCookie should be able to recognize whether a user is logged
> in, *even for unprotected documents*.
>
> - Since a user can access a document regardless of whether he/she is
> logged in, and since the user should be able to log in at any time, the
> login procedure should be triggerable by some means other than simply
> accessing a protected document.
>
>The key change is that there's now a URL (I've called it LOGIN) and
>corresponding method (Apache::AuthCookie->login()) that handles a
>user's initial login. After login, the user is redirected to the page
>they requested. This means that the authen() method doesn't have to
>implement such complicated logic anymore - if the user sent a cookie,
>check its validity. If not, redirect to the login form. That meant I
>could rip out a lot of the code from the authen() method.
>
>There's also a new recognize_user() method which checks to see whether
>a valid authentication cookie has been sent, and if so, sets
>$r->connection->user.
>
>
>As a bonus side-effect, AuthCookie can now authenticate even when the
>requested page URL has a non-empty query string (this has been a
>limitation of AuthCookie). This is because the redirection URL is now
>simply sent in the login form as a hidden field, so it can contain
>whatever query information it wants.
>
>
>It's important to note that these changes are not fully backward-compatible
>with previous versions. Some modifications will be required to adopters'
>.htaccess files and login forms. Here's what mine look like. The login form
>can be on any page, allowing the user to log in at any time:
>
> <form action=LOGIN method=GET>
> <input type=hidden name=destination value="<% $current_url %>">
> <input type=hidden name=AuthType value="<% $r->auth_type %>">
> <input type=hidden name=AuthName value="<% $r->auth_name %>">
> username:<br> <input type=text name=credential_0 size=13><br>
> password:<br> <input type=password name=credential_1 size=13><br>
> <input type=submit name=submit value=login>
> </form>
>
>My .htaccess file (in a /listeners/ directory) is as follows. MMAuth is a
>subclass of Apache::AuthCookie, implementing the authen_cred() and
>authen_ses_key() methods.
>
>
> AuthType MMAuth
> AuthName Listener
> PerlSetVar ListenerPath /listeners/
> PerlSetVar ListenerLoginScript /listeners/login.pl
> PerlSetVar MMSessionExpiration 480
> PerlFixupHandler MMAuth->recognize_user
>
> <Files LOGIN>
> SetHandler perl-script
> PerlHandler MMAuth->login
> </Files>
>
> <Files ~ "^protected\.ma$">
> PerlAuthenHandler MMAuth->authen
> PerlAuthzHandler MMAuth->authz
> require valid-user
> </Files>
>
>Standard subclasses of Apache::AuthCookie should not require any
>changes unless they're wacky (i.e. change more than just the
>authen_cred() and authen_ses_key() methods).
>
>
>
> ------------------- -------------------
> Ken Williams Last Bastion of Euclidity
> [EMAIL PROTECTED] The Math Forum
------------- -------------
Ken Williams Tech Mirror Music
[EMAIL PROTECTED] http://www.mirrormusic.com
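
Added example, not part of the original message or of Apache::AuthCookie: because the post-login redirect target now arrives in the client-controlled `destination` form field, a login handler would normally check it before placing it in a Location header. The helper name `safe_destination` and the fallback path are hypothetical; the sample inputs are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper (not part of Apache::AuthCookie): given the
# client-supplied "destination" form field, return the URL a login
# handler may redirect to, or $fallback if the value is not a local path.
sub safe_destination {
    my ($dest, $fallback) = @_;
    return $fallback unless defined $dest && length $dest;

    # Control characters (CR/LF in particular) must never reach a
    # Location header.
    return $fallback if $dest =~ /[\x00-\x1f\x7f]/;

    # Some browsers treat a backslash like a forward slash.
    return $fallback if $dest =~ /\\/;

    # Accept only a site-local absolute path: exactly one leading slash,
    # so "http://host/..." and scheme-relative "//host/..." are refused.
    # A query string after the path is allowed, as the message describes.
    return $fallback unless $dest =~ m{\A/(?!/)};

    return $dest;
}

# Constructed sample inputs: one legitimate destination with a query
# string, followed by values that must fall back to the default.
my @samples = (
    '/listeners/protected.ma?show=all&page=2',
    'http://other.example/listeners/',
    '//other.example/listeners/',
    "/listeners/\r\nSet-Cookie: x=1",
    '/\\other.example/',
    '',
);

for my $d (@samples) {
    # Make control characters visible in the printed report.
    (my $shown = $d) =~ s/([\x00-\x1f])/sprintf('\\x%02x', ord $1)/ge;
    printf "%-45s -> %s\n", "'$shown'", safe_destination($d, '/listeners/');
}
```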