I'm trying to upgrade mod_perl authentication/authorization handlers for an 
application menu to be more fine-grained by using cookies.  The basic idea is:
- restrict a script alias in httpd.conf with basic authentication calling the 
custom handlers
- validate the user ID/password in the authentication handler, and look up 
role and client access info; stash in cookie.  If a valid cookie is already 
there, authenticat
- in authorization, check for cookie, reset if it's not there, and authorize 
based on role and client information
- in menu app, check for cookie, and configure output depending on user's 
role.

What happens is that even though the browser shows a cookie with the correct 
info, the menu ends up with a "no cookie found" error, and the logs show 
neither the authorization handler nor app are seeing the cookie.  Hitting 
refresh on the menu shows both handlers seeing the cookie and the menu comes 
up correctly.

I've tried using both CGI::Cookie and Apache2::Cookie; I get the same problem 
either way.  Currently the authentication handler sets the cookie as follows:

 my $cookie = Apache2::Cookie->new($r,
     -name => 'ls_authentication',
     value => {
         user_id => $user,
         digest  => crypt($password, $salt),
         role_id => $ur{role_id},
         clients => $client_list,
     });
 if ($cookie) {
       $cookie->bake($r);
 } else {
        warn "Unable to make cookie";
 }
 
I get no warning, and the cookie looks fine in the browser's debug tool, but 
the next handler and app just don't see it.  This is how I try and read it in 
the authorization handler:

        my $jar = Apache2::Cookie::Jar->new($r);
        my $cookie = $jar->cookies('ls_authentication');
        if ($cookie) {
            $have_cookie = 1;
            my %fields = $cookie->value;
            if ($fields{'user_id'}) {
                $user = $fields{'user_id'};
            }
            if ( $fields{'role_id'} ) {
                $user_role = $fields{'role_id'};
            }
            if ( $fields{'clients'} ) {
                # turn client list back into array
                @user_clients = split(/,/, $fields{'clients'});
            }
            warn "AUTHORIZATION: found cookie, user ID = $user, user role = $user_role" if $DEBUG;
        } else {
            warn "AUTHORIZATION: NO COOKIE FOUND" if $DEBUG;
        }


I'm running Perl 5.12.1, Apache 2.2.17 and libapreq2 2.13 built from source.  
Is using 'bake' insufficient to make the cookie visible to the next handler?  
I've tried using both
 $r->err_headers_out->set('Set-Cookie', $cookie);
and
 $r->err_headers_out->add('Set-Cookie', $cookie);
but I get the same problem.  

Does anyone know of any up-to-date demos of using cookies in mod_perl2 
authentication handlers?  
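
Added example, not part of the original post and not code from mod_perl or libapreq2: bake() only adds a Set-Cookie response header, while Apache2::Cookie::Jar parses the Cookie header the browser sent, so a cookie baked during a request cannot be read by later phases of that same request. The sketch below hands the data to later phases through $r->pnotes and keeps the cookie for subsequent requests. The package name My::CookieAuth, the check_credentials helper and its user record are hypothetical and constructed.

```perl
package My::CookieAuth;    # hypothetical module name
use strict;
use warnings;
use Apache2::RequestRec  ();    # $r->user
use Apache2::RequestUtil ();    # $r->pnotes
use Apache2::Access      ();    # get_basic_auth_pw, note_basic_auth_failure
use Apache2::Cookie      ();    # also defines Apache2::Cookie::Jar
use Apache2::Const -compile => qw(OK HTTP_UNAUTHORIZED HTTP_FORBIDDEN);

my $NAME = 'ls_authentication';

# Hypothetical stand-in for the site's user store; the record is constructed.
sub check_credentials {
    my ($user, $password) = @_;
    return unless $user eq 'alice' && $password eq 'example-password';
    return { user_id => $user, role_id => 2, clients => 'acme,globex' };
}

# pnotes holds what an earlier phase of THIS request stored; the jar holds
# only what the browser sent in the Cookie request header.
sub session_fields {
    my ($r) = @_;
    if (my $stash = $r->pnotes($NAME)) { return %$stash }
    my $cookie = Apache2::Cookie::Jar->new($r)->cookies($NAME);
    return $cookie ? $cookie->value : ();    # client-supplied values
}

sub authen {    # PerlAuthenHandler
    my ($r) = @_;
    my ($status, $password) = $r->get_basic_auth_pw;
    return $status unless $status == Apache2::Const::OK;
    my $fields = check_credentials($r->user, $password);
    unless ($fields) {
        $r->note_basic_auth_failure;
        return Apache2::Const::HTTP_UNAUTHORIZED;
    }
    $r->pnotes($NAME => $fields);    # visible to later phases now
    Apache2::Cookie->new($r, -name => $NAME, -value => $fields)->bake($r);
    return Apache2::Const::OK;       # Set-Cookie reaches the jar next request
}

sub authz {     # PerlAuthzHandler
    my ($r) = @_;
    my %f = session_fields($r);
    return Apache2::Const::HTTP_FORBIDDEN unless $f{role_id};
    return Apache2::Const::OK;
}

1;
```

Because Basic authentication resends credentials on every request, authen runs each time and authz always finds the pnotes entry; the cookie fallback carries values the client controls.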
