On Tue, 2003-06-10 at 21:47, Michael L. Artz wrote: > I thought that this was a good way to go since I could protect my entire > application with a single module and a couple lines in the config file, > as opposed to bundling that authentication code into the beginning of > *every* registry script that I write. And, from lurking on the board > for a long time, I got the feeling that this is how everyone is doing it > .... is that a correct assumption?
It is a good way to do it. The confusing bit is your use of $r->user, which is generally part of HTTP basic auth. Cookie-based auth schemes generally just use an ID in the cookie to tie into server-side data. I'm not certain it won't work to use $r->user, but I don't see the point when you already have a unique identifier in the cookie. - Perrin
