I'm trying to upgrade mod_perl authentication/authorization handlers for
application menu to be more fine-grained by using cookies. The basic idea is
- restrict a script alias in httpd.conf with basic authentication calling the
custon handlers
- validate the user ID/password in the authentication handler, and look up
role and client access info; stash in cookie. If a valid cookie is already
there, authenticat
- in authorization, check for cookie, reset if it's not there, and authorize
based on role and client information
- in menu app, check for cookie, and configure output depending on user's
role.
What happens is that even though the browser shows a cookie with the correct
info, the menu ends up with a "no cookie found" error, and the logs show
neither the authorization handler nor app are seeing the cookie. Hitting
refresh on the menu shows both handlers seeing the cookie and the menu comes
up correctly.
I've tried using both CGI::Cookie and Apache2::Cookie; I get the same problem
either way. Currently the authentication handler sets the cookie as follows:
my $cookie = Apache2::Cookie->new($r, -name => 'ls_authentication',
value => { user_id => $user, digest => crypt($password,
$salt), role_id => $ur{role_id}, clients => $client_list });
if ($cookie) {
$cookie->bake($r);
} else {
warn "Unable to make cookie";
}
I get no warning, and the cookie looks fine in the browser's debug tool, but
the next handler and app just don't see it. This is how I try and read it in
the authorization handler:
my $jar = Apache2::Cookie::Jar->new($r);
my $cookie = $jar->cookies('ls_authentication');
if ($cookie) {
$have_cookie = 1;
my %fields = $cookie->value;
if ($fields{'user_id'}) {
$user = $fields{'user_id'};
}
if ( $fields{'role_id'} ) {
$user_role = $fields{'role_id'};
}
if ( $fields{'clients'} ) {
@user_clients = split(/,/, $fields{'clients'}); # turn client
list back into array
}
warn "AUTHORIZATION: found cookie, user ID = $user, user role =
$user_role" if $DEBUG;
} else {
warn "AUTHORIZATION: NO COOKIE FOUND" if $DEBUG;
}
I'm running Perl 5.12.1, Apache 2.2.17 and libapreq2 2.13 built from source.
Is using 'bake' insufficient to make the cookie visible by the next handler?
I've tried using both
$r->err_headers_out->set('Set-Cookie', $cookie);
and
$r->err_headers_out->addt('Set-Cookie', $cookie);
but I get the same problem.
Does anyone know of any up to date demos of using cookies in mod_perl2
authentication handlers?
