I'm trying to upgrade mod_perl authentication/authorization handlers for application menu to be more fine-grained by using cookies. The basic idea is - restrict a script alias in httpd.conf with basic authentication calling the custon handlers - validate the user ID/password in the authentication handler, and look up role and client access info; stash in cookie. If a valid cookie is already there, authenticat - in authorization, check for cookie, reset if it's not there, and authorize based on role and client information - in menu app, check for cookie, and configure output depending on user's role.
What happens is that even though the browser shows a cookie with the correct info, the menu ends up with a "no cookie found" error, and the logs show neither the authorization handler nor app are seeing the cookie. Hitting refresh on the menu shows both handlers seeing the cookie and the menu comes up correctly. I've tried using both CGI::Cookie and Apache2::Cookie; I get the same problem either way. Currently the authentication handler sets the cookie as follows: my $cookie = Apache2::Cookie->new($r, -name => 'ls_authentication', value => { user_id => $user, digest => crypt($password, $salt), role_id => $ur{role_id}, clients => $client_list }); if ($cookie) { $cookie->bake($r); } else { warn "Unable to make cookie"; } I get no warning, and the cookie looks fine in the browser's debug tool, but the next handler and app just don't see it. This is how I try and read it in the authorization handler: my $jar = Apache2::Cookie::Jar->new($r); my $cookie = $jar->cookies('ls_authentication'); if ($cookie) { $have_cookie = 1; my %fields = $cookie->value; if ($fields{'user_id'}) { $user = $fields{'user_id'}; } if ( $fields{'role_id'} ) { $user_role = $fields{'role_id'}; } if ( $fields{'clients'} ) { @user_clients = split(/,/, $fields{'clients'}); # turn client list back into array } warn "AUTHORIZATION: found cookie, user ID = $user, user role = $user_role" if $DEBUG; } else { warn "AUTHORIZATION: NO COOKIE FOUND" if $DEBUG; } I'm running Perl 5.12.1, Apache 2.2.17 and libapreq2 2.13 built from source. Is using 'bake' insufficient to make the cookie visible by the next handler? I've tried using both $r->err_headers_out->set('Set-Cookie', $cookie); and $r->err_headers_out->addt('Set-Cookie', $cookie); but I get the same problem. Does anyone know of any up to date demos of using cookies in mod_perl2 authentication handlers?