>I am having some trouble getting Apache::AuthCookie (version 3, which I
>believe is the latest version) to do what I want:
>What I want is:
>* To be able to give the user a reason if login fails
>  - e.g. reason: * "No such username"
>                    * "Your password was incorrect"
>Has anyone else come across the same requirement/issue, and how have you
>solved it?

I banged my head up against this same wall for a while until, by reading
AuthCookie's source, I was able to figure out the key to making it all
work.  In authen_cred (stripped-down example below), you need to set
a cookie with a value that your ticket-checking code will know is
invalid when you are given invalid credentials.
But, in the interest of security, you don't want to say things like "no
such username" and "incorrect password" - that just gives extra
information to someone trying to hack their way in.

sub authen_cred ($$\@) {
   my $self = shift;
   my $r = shift;

   my ($user,$pass) = @_;

   if ( check_creds($user,$pass) ) {
      # user's credentials are good, so generate ticket, log session, etc
      return "$user:$ticket";
   }
   else {
      # Modify this (and the code above) if you want more shades of
      # meaning here.
      return "oops";
   }
}

Then, in authen_ses_key:

sub authen_ses_key ($$$) {
   my $self = shift;
   my $r = shift;
   my($user,$ticket) = split(/:/,shift,2);
   my $retval;

   return undef unless $user && $ticket;

   if ( # ticket is good...
         $retval = # something indicating ticket is good...
   }
   else {
      # ticket is bad, so tell the login program/form about it...
     $r->subprocess_env('LocalAuthFailure','mumble') if ...;
   }

   # I also detect an expired session and indicate it like this: 
   $r->subprocess_env('LocalAuthFailure','expired') unless $retval;

   if ( $retval ) {
      my $auth_name = $r->auth_name;
      # etc...
   }
}

After all that, your login program/form just reads "LocalAuthFailure"
and acts appropriately:

my ($reason,$detail);
if ( $r->prev ) {
   $reason = $r->prev->subprocess_env("AuthCookieReason");
   $detail = $r->prev->subprocess_env("LocalAuthFailure");
}

#...

# Possibly set an error string:

my $error;
$error = "Authentication error.  Please try again."
         if $reason =~ /bad/;

$error = "Your session has expired.  Please reauthenticate."
         if $reason =~ /bad/ && $detail =~ /expire/;

# Now interpolate $error into the HTML we send to the browser

my $form = <<HERE;
<html>
<head>
...
$error
...

I hope that these code snippets are enough to get you started.

...Steve


-- 
Steve van der Burg
Information Services
London Health Sciences Centre
(519) 685-8300 ext 35559
[EMAIL PROTECTED]
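
The flow described in the message above, as a stand-alone added example (not code from the original post or from Apache::AuthCookie): every login failure yields the same sentinel and the same browser-facing text, while the precise reason goes only to the server log. The HMAC ticket format, $SECRET, %USERS, the extra $now arguments and the 'bad_cookie' reason passed in the demo are assumptions made for the illustration.

```perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

my $SECRET = 'constructed-demo-key';        # assumption: server-side HMAC key
my %USERS  = ( alice => 'correct horse' );  # constructed account; plaintext only for the demo

# Hypothetical check_creds: the precise reason is for the server log only.
sub check_creds {
    my ($user, $pass) = @_;
    return 'no_such_user' unless defined $user && exists $USERS{$user};
    return 'bad_password' unless defined $pass && $pass eq $USERS{$user};
    return 'ok';
}

# Role of authen_cred: a signed ticket, or one sentinel for every kind of failure.
sub authen_cred {
    my ($user, $pass, $now) = @_;
    my $why = check_creds($user, $pass);
    if ( $why ne 'ok' ) { warn "login failed: $why\n"; return 'oops' }  # detail stays in the error log
    my $expires = $now + 3600;
    return join ':', $user, $expires, hmac_sha256_hex("$user:$expires", $SECRET);
}

# Role of authen_ses_key: the user name, or undef plus a coarse LocalAuthFailure.
sub authen_ses_key {
    my ($key, $env, $now) = @_;
    my ($user, $expires, $mac) = split /:/, $key, 3;
    my $good = defined $mac && $expires =~ /\A\d+\z/
        && $mac eq hmac_sha256_hex("$user:$expires", $SECRET);  # use a constant-time compare in production
    if ( !$good )           { $env->{LocalAuthFailure} = 'mumble';  return }
    if ( $expires <= $now ) { $env->{LocalAuthFailure} = 'expired'; return }
    return $user;
}

# Role of the login form: map reason and detail to a message that names neither field.
sub login_error {
    my ($reason, $detail) = @_;
    return '' unless defined $reason && $reason =~ /bad/;
    return 'Your session has expired.  Please reauthenticate.' if defined $detail && $detail =~ /expire/;
    return 'Authentication error.  Please try again.';
}

my $now = time;
for my $try ( [ 'mallory', 'x', 0 ], [ 'alice', 'wrong', 0 ],
              [ 'alice', 'correct horse', 0 ], [ 'alice', 'correct horse', 7200 ] ) {
    my ($u, $p, $later) = @$try;
    my %env;
    my $user = authen_ses_key( authen_cred($u, $p, $now), \%env, $now + $later );
    my $msg  = login_error('bad_cookie', $env{LocalAuthFailure});  # stand-in for AuthCookieReason
    print "$u/$p +${later}s: ", defined $user ? "ok as $user" : $msg, "\n";
}
```

The unknown-user and wrong-password attempts print the identical message, so the response does not reveal which accounts exist; only the expired ticket, which was valid when issued, gets its own text.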