forbidden vs. cookie

[will trillich]

i could really use some dumbed-down tips on setting cookies
during a redirect. boy, this is really getting to me.

using apache 1.3.9 on debian 2.2/potato

in trying to implement the concept of the Apache::Ticket*.pm
modules from the Apache Modules (eagle) book in chapter 6
(on pages 304+) i'm running into browser compatibility problems.
SOME browsers (differs among platforms, too) see the forbidden or
redirect codes and take action immediately, ignoring any
set-cookie headers that are also sent.

as a workaround, i was trying to change TicketAccess.pm to

        # the munged version trying to accomodate rude browsers:
        package Apache::TicketAccess;

        use strict;
        use Apache::Constants qw(OK FORBIDDEN REDIRECT);
        use Apache::TicketTool ();

        sub handler {
                my $r = shift;
                my $ticketTool = Apache::TicketTool->new($r);
                my($result, $msg) = $ticketTool->verify_ticket($r);
                unless ($result) {
                        $r->log_reason($msg, $r->filename);
                        my $cookie = $ticketTool->make_return_address($r);

        #the original code that works for SOME browsers:
        #               $r->err_headers_out->add('Set-Cookie' => $cookie);
        #               return FORBIDDEN;

                        my $login_uri = $r->dir_config("TicketLogin");

        # as AccessHandler, this was very much a bad idea:
        #               use CGI '-autoload';
        #               print
        #                       header(-refresh => "1; URL=$login_uri", -cookie => 
$cookie),
        #                       start_html(-title => 'Redirecting to login', -bgcolor 
=> 'white'),
        #                       h1('Gotta log in, first'),
        #                       p("You're being redirected to ",
        #                               a({-href=>$login_uri},$login_uri),
        #                               " in just a moment."),
        #                       h2("Please stand by..."),
        #                       end_html();
        #               return OK;
        # it does manage to redirect the browser but there's lots
        # of duplicated headers and garbage (plus just hitting the
        # BACK button bypassed the need to log in)

        # this don't work so not, neither:
                        $r->header_out(-cookie=>$cookie);
                        $r->header_out(-location=>$login_uri);
                        return REDIRECT;
        # neither header is sent.

                }
                return OK;
        }

        1;
        __END__

i've spent hours flipping back and from from the index to the
text, slapping postit notes on every other page, scanning
Apache::*.pm source code -- and it's still not sinking in... a
little help would be appreciated!

AAUGH!

-- 
[EMAIL PROTECTED]