I've been messing around with some wacky PerlAccessHandler and
PerlAuthenHandler code lately; if Apache::AuthCookie is orphaned I might
want to fix it up. Last I looked, its tests choked on "Undefined
subroutine &Apache::perl_hook" ...IIRC that means it's not current. Is
anybody using it in production with recent mod_perls??
Meanwhile, back at the ranch...
> Hi folks,
>
> I haven't gotten any response about this. My email to Eric Bartley (the author
> of Apache::AuthCookie) bounced - does anyone know how to contact him, or
> whether there's a new maintainer?
>
> If we can't find him, I suppose we should either make a new module for this
> (Apache::CookieAuth?) or find a new maintainer for AuthCookie.
>
>
> [EMAIL PROTECTED] (Ken Williams) wrote:
> >Hi mod_perl-ers,
> >
> >I've been working with the Apache::AuthCookie module, and have made a
> >couple of modifications that make it more flexible. As an added
> >benefit, the code is now shorter and simpler. =) I hereby submit the
> >code for discussion and possible adoption by Eric. Patch attached.
> >
> >The motivation for this was that I wanted users to be able to access
> >certain documents whether they're logged in or not. If they're logged
> >in, they should get a customized version of the document (packages like
> >HTML::Mason make this easy), and if they're not, they get a generic
> >version. This required two changes:
> >
> > - Apache::AuthCookie should be able to recognize whether a user is logged
> > in, *even for unprotected documents*.
> >
> > - Since a user can access a document regardless of whether he/she is
> > logged in, and since the user should be able to log in at any time, the
> > login procedure should be triggerable by some means other than simply
> > accessing a protected document.
> >
> >The key change is that there's now a URL (I've called it LOGIN) and
> >corresponding method (Apache::AuthCookie->login()) that handles a
> >user's initial login. After login, the user is redirected to the page
> >they requested. This means that the authen() method doesn't have to
> >implement such complicated logic anymore - if the user sent a cookie,
> >check its validity. If not, redirect to the login form. That meant I
> >could rip out a lot of the code from the authen() method.
> >
> >There's also a new recognize_user() method which checks to see whether
> >a valid authentication cookie has been sent, and if so, sets
> >$r->connection->user.
> >
> >
> >As a bonus side-effect, AuthCookie can now authenticate even when the
> >requested page URL has a non-empty query string (this has been a
> >limitation of AuthCookie). This is because the redirection URL is now
> >simply sent in the login form as a hidden field, so it can contain
> >whatever query information it wants.
> >
> >
> >It's important to note that these changes are not fully backward-compatible
> >with previous versions. Some modifications will be required to adopters'
> >.htaccess files and login forms. Here's what mine look like. The login form
> >can be on any page, allowing the user to log in at any time:
> >
> > <form action=LOGIN method=GET>
> > <input type=hidden name=destination value="<% $current_url %>">
> > <input type=hidden name=AuthType value="<% $r->auth_type %>">
> > <input type=hidden name=AuthName value="<% $r->auth_name %>">
> > username:<br> <input type=text name=credential_0 size=13><br>
> > password:<br> <input type=password name=credential_1 size=13><br>
> > <input type=submit name=submit value=login>
> > </form>
> >
> >My .htaccess file (in a /listeners/ directory) is as follows. MMAuth is a
> >subclass of Apache::AuthCookie, implementing the authen_cred() and
> >authen_ses_key() methods.
> >
> >
> > AuthType MMAuth
> > AuthName Listener
> > PerlSetVar ListenerPath /listeners/
> > PerlSetVar ListenerLoginScript /listeners/login.pl
> > PerlSetVar MMSessionExpiration 480
> > PerlFixupHandler MMAuth->recognize_user
> >
> > <Files LOGIN>
> > SetHandler perl-script
> > PerlHandler MMAuth->login
> > </Files>
> >
> > <Files ~ "^protected\.ma$">
> > PerlAuthenHandler MMAuth->authen
> > PerlAuthzHandler MMAuth->authz
> > require valid-user
> > </Files>
> >
> >Standard subclasses of Apache::AuthCookie should not require any
> >changes unless they're wacky (i.e. change more than just the
> >authen_cred() and authen_ses_key() methods).
> >
> >
> >
> > ------------------- -------------------
> > Ken Williams Last Bastion of Euclidity
> > [EMAIL PROTECTED] The Math Forum
>
> ------------- -------------
> Ken Williams Tech Mirror Music
> [EMAIL PROTECTED] http://www.mirrormusic.com
>
>
>
--
Salon Internet http://www.salon.com/
HTTP mechanic, Perl diver, Mebwaster, Some of the above
Ian Kallen <[EMAIL PROTECTED]> / AIM: iankallen / Fax: (415) 354-3326
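
An added example, not part of the original thread or of Apache::AuthCookie: because the patched login flow takes the post-login redirect target from the form's `destination` field, a login handler can restrict that client-supplied value to same-site paths before redirecting. The name `safe_destination()`, the fallback path and the sample inputs are hypothetical and constructed for illustration.

```perl
#!/usr/bin/perl
# Added example: validate the login form's "destination" value before the
# post-login redirect. safe_destination() is a hypothetical helper, not an
# Apache::AuthCookie method.
use strict;
use warnings;

sub safe_destination {
    my ($dest, $fallback) = @_;

    # Missing or empty value: send the user to a known page.
    return $fallback unless defined $dest && length $dest;

    # Control characters (including CR/LF) must never reach a Location header.
    return $fallback if $dest =~ /[\x00-\x1f\x7f]/;

    # Accept only an absolute path on this site: exactly one leading slash.
    # "http://..." has a scheme and "//host" is protocol-relative.
    return $fallback unless $dest =~ m{\A/(?!/)};

    # Some browsers normalise "\" to "/", so refuse backslashes anywhere.
    return $fallback if $dest =~ /\\/;

    # Query strings are allowed, matching the behaviour the patch describes.
    return $dest;
}

# Constructed sample inputs, not taken from the thread.
my @samples = (
    '/listeners/protected.ma?week=12&sort=asc',
    'http://other.example/',
    '//other.example/',
    '/\\other.example/',
    "/listeners/\r\nX-Test: 1",
    '',
);

for my $dest (@samples) {
    # Make control characters visible in the printed report.
    (my $shown = $dest) =~ s/([\x00-\x1f])/sprintf '\\x%02x', ord $1/ge;
    printf "%-45s -> %s\n", "'$shown'", safe_destination($dest, '/listeners/');
}
```

Only the first sample is returned unchanged; every other input falls back to `/listeners/`.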