Jeff wrote:
> Forgive a mod_perl newbie for non mod_perl thinking, but this
> is (a simplified overview) of how I would approach this:
>
> request for any protected page
> - if no existing session data [so not authenticated]
> create new session
> remember target page in session
> redirect to login page
> otherwise
> allow access to page
Yes, this is exactly how AuthCookie works.
> login page POST with user id / password.
> - if ( valid user / password )
> add user info to session
AuthCookie sessions don't also carry user info, but that's why I create
an Apache::Session to do it.
> expire previous session [id was saved in db]
Right-o. How to expire an otherwise valid AuthCookie session is the
question.
>[snip]
> If someone now tries to come back with an old session id,
> there is no data in the session, so they will be considered
> un-authenticated, and will get redirected to login page.
If someone comes in with an old active session (assuming it's not
expired) AuthCookie examines the MD5 hash and says "everything matches
up, you may proceed". I need to add a step here to say "if newer
session for user exists, kill this one". But you've just given me a
great idea! When the old session comes in, there will still be data in
the session (because the new session is using it - sessions are keyed by
user id, not session id). So I can't rely on an empty session data to
be the clue. BUT - I can store the session key that generated this
session data in with the session data, and try to match those up. I
like it. This will work, I think. Thank you. =) Why do I use the user
id instead of the session id for the session key? Because it makes the
code easier for other developers ("a user will always have a session
with the key $r->connection->user") and that gets passed around
automatically rather than me having to expose the developers to the
AuthCookieDBI cookie directly. I just find it easier to rely on
$r->connection->user to always be the session key.
> [snip]
> I can see two issues with this approach:
> 1) login ping-pong. Two users using the same id/password will
> be logging each other out as they log in (but this seems
> to be what you want?)
Yes, or at least a page saying "you're logged in elsewhere, do you want
to ax that one and continue, or abort this login". Even a forced logout
of the older one without the user knowing is fine.
> 2) it does not prevent the user from having the same pages
> open multiple times within the same browser instance
> (eg when the user presses Ctrl-N after having logged in)
This is ok, because we're more concerned with an unmanned, logged-in
station. If they want 5 browser windows, they can go nuts.
Thanks for the dialog, Jeff! I think that clue you gave me above is
what I need. The confusion is again because AuthCookie and
Apache::Session both call themselves sessions. AuthCookie does the
authentication, Apache::Session holds the user data. So I need to write
the piece that coordinates the cleanup of old sessions between the two.
-Fran
