AuthCookie access denied messages

2001-08-20 Thread David Young

Before I tackle this myself, has anyone added functionality to AuthCookie so
that it will report *why* a user is being asked to login? Currently, if a
user enters in a wrong username or password, they just get redirected back
to the login form with no explanation.

Thanks,
--David




Re: AuthCookie access denied messages

2001-08-20 Thread Toni Andjelkovic

David Young wrote on Mon, Aug 20 2001 (12:36:19 -0400):
> Before I tackle this myself, has anyone added functionality to AuthCookie so
> that it will report *why* a user is being asked to login? Currently, if a

perldoc Apache::AuthCookie
/AuthCookieReason

cu,
-- 
Toni Andjelkovic
[EMAIL PROTECTED]




Re: AuthCookie access denied messages

2001-08-20 Thread Steve van der Burg

> you can set these in yourself by overwriting 
> the AuthCookie Response method
> 
> you should catch these in your 
> own subs and send back messages
> 
> for instance
> in my Auth.pm authen_ses_key sub
> [ snip ]

In addition to that, what I found confusing was actually getting authen_ses_key to be 
called in the first place, after a failed login attempt.
The stock authen_cred returns data that will be loaded into a cookie only if 
authentication is successful.  To get authen_ses_key to be called after an 
unsuccessful attempt, your authen_cred needs to do this:

if ( check_creds() ) {
    # make a ticket, start a session, etc
    return $valid_ticket_data;
}
else {
    # a quoted string, not a bareword, so it survives 'use strict'
    return 'oops';   # make sure we never accept this as a valid cookie!
}

Now authen_ses_key gets called and AuthCookie will set AuthCookieReason to bad_cookie 
if you return undef.  Also, you now have a chance to set other environment variables.

...Steve


-- 
Steve van der Burg
Information Services
London Health Sciences Centre
(519) 685-8300 ext 35559
[EMAIL PROTECTED]




Re: AuthCookie access denied messages

2001-08-20 Thread clayton cottingham

David Young wrote:
> 
> Before I tackle this myself, has anyone added functionality to AuthCookie so
> that it will report *why* a user is being asked to login? Currently, if a
> user enters in a wrong username or password, they just get redirected back
> to the login form with no explanation.
> 
> Thanks,
> --David


you can set these in yourself by overwriting 
the AuthCookie Response method

you should catch these in your 
own subs and send back messages


for instance
in my Auth.pm authen_ses_key sub


  if ($checks ne 1 || $id eq '') {
      # record why the session key was rejected so login.cgi can show it
      $r->subprocess_env('AuthCookieReason2', 'does not check or you have no id');
      return '';
  }
  else {
      return $creds[0];
  }



then in login.cgi
my $error = $r->prev->subprocess_env('AuthCookieReason2')
         || $r->prev->subprocess_env('AuthCookieReason');


 I then just put this error in as a template param

which handles
my error or else give default 'no cookie one'

hope that helps 
also you might wanna try setting 
PerlSetVar AuthCookieDebug 3

for longer messages in logs till you get the hang of it
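
Putting Steve's and clayton's suggestions together, as an added example that is not from the original thread: a constructed Apache::AuthCookie subclass (mod_perl 1 style; the package name Sample::AuthCookieHandler and the in-memory user table are assumptions) whose authen_cred returns a sentinel on failure so that authen_ses_key still runs, sets one generic reason that does not tell a bad user id apart from a bad password, and a helper for the login script that reads the reason back through $r->prev.

```perl
package Sample::AuthCookieHandler;   # assumed package name
use strict;
use warnings;
use Apache::AuthCookie;
our @ISA = qw(Apache::AuthCookie);

# Constructed stand-in for a real credential store.
my %USERS = (alice => 'correct-horse');

# Receives the login form's fields. Anything defined that we return becomes
# the cookie value, so a failed login returns a sentinel rather than undef;
# that way the next request still reaches authen_ses_key.
sub authen_cred {
    my ($self, $r, $user, $pass) = @_;
    my $ok = defined $user && defined $pass
          && exists $USERS{$user} && $USERS{$user} eq $pass;
    # assumption: a real application would issue an unguessable ticket here
    return $ok ? "ok:$user" : 'bad';   # 'bad' is never a valid session key
}

# Runs on every request carrying the cookie, including the one right after
# a failed login. Returning undef makes AuthCookie set
# AuthCookieReason=bad_cookie and redirect to the login form.
sub authen_ses_key {
    my ($self, $r, $ses_key) = @_;
    my ($tag, $user) = split /:/, $ses_key, 2;
    return $user
        if defined $tag && $tag eq 'ok' && defined $user && exists $USERS{$user};

    # One wording for every failure, so the login page reveals nothing
    # about which user ids exist.
    $r->subprocess_env('AuthCookieReason2',
        'The username and/or password you entered was not recognized.');
    return undef;
}

# Helper for the login script. The internal redirect to the login form
# leaves the failed request reachable as $r->prev.
sub login_message {
    my $r      = shift;
    my $prev   = $r->prev or return '';
    my $reason = $prev->subprocess_env('AuthCookieReason') || '';
    return $prev->subprocess_env('AuthCookieReason2')
        || ($reason eq 'no_cookie' ? 'Please log in.'
                                   : 'Your session is no longer valid.');
}

1;
```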



Re: AuthCookie access denied messages

2001-08-20 Thread Ged Haywood

Hi there,

On Mon, 20 Aug 2001, David Young wrote:

> Before I tackle this myself, has anyone added functionality to AuthCookie so
> that it will report *why* a user is being asked to login? Currently, if a
> user enters in a wrong username or password, they just get redirected back
> to the login form with no explanation.

It's generally considered a security hole to report things like
"invalid user id" to a user who fails to get a login, because when he
finally gets "invalid password" he knows he's got a valid user id...

73,
Ged.




Re: AuthCookie access denied messages

2001-08-20 Thread David Young

Agreed, however I'd like to at least say "The username and/or password you
entered was not recognized."

> From: Ged Haywood [EMAIL PROTECTED]
> Date: Tue, 21 Aug 2001 00:36:33 +0100 (BST)
> To: David Young [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: Re: AuthCookie access denied messages
> 
> It's generally considered a security hole to report things like
> "invalid user id" to a user who fails to get a login, because when he
> finally gets "invalid password" he knows he's got a valid user id...
> 
> 73,
> Ged.