Apache-AuthCookieURL
AuthCookieURL.pm view on Meta::CPAN
package Apache::AuthCookieURL;
use strict;
use mod_perl qw(1.24 StackedHandlers MethodHandlers Authen Authz);
use Apache::Constants qw(:common M_GET REDIRECT MOVED);
use vars qw($VERSION);
use Apache::URI ();
use Apache::Cookie;
use constant DEBUG => 'AuthCookieURLDebug';
# $Id: AuthCookieURL.pm,v 1.3 2000/11/21 00:46:01 lii Exp $
# Derive $VERSION from the RCS Revision keyword: the regex captures the major
# and minor numbers, and sprintf renders them as "major.minor" with the minor
# part zero-padded to three digits (Revision 1.3 becomes 1.003).
$VERSION = sprintf '%d.%03d', q$Revision: 1.3 $ =~ /: (\d+)\.(\d+)/;
#======================== NOTE ============================================
### This module is a modification of Ken Williams <ken@forum.swarthmore.edu>
### Apache::AuthCookie apache module.
# Modified July 14, 2000 to handle munged urls and sessions w/o login
# - use cookies or munged urls for sessions
# - can be used with a login script, or without for simple session management
# - Will create sessions without overriding, if you don't care how unique they are.
# Comments to: Bill Moseley moseley@hank.org
#======================== NOTE ============================================
# These should be overridden in your own module
# Purpose: to provide a default session ID when not using a login script
# Must be used with URLsession enabled so the initial redirect will see a different URL
# in the Location header from the original request.
sub authen_cred ($$\@) {
    my ($self, $r, @creds) = @_;

    # Default implementation, intended to be overridden. A real subclass
    # would convert the supplied credentials into a session key here; this
    # one ignores @creds entirely.
    #
    # SECURITY: the placeholder key is the epoch time, the process ID and a
    # random integer below the PID, concatenated. Every part is guessable
    # (rand is not a cryptographic generator), so this key is only suitable
    # for anonymous session tracking. Do not rely on it as proof of identity;
    # override this method with a key from a strong random source or a
    # server-side signed token when the session protects anything.
    my $session_key = join '', time(), $$, int rand $$;
    return $session_key;

    # Other return shapes an overriding method may use instead:
    #   return 'invalid:account_expired';  # a flag that authen_ses_key can look for
    #   return ('', 'User Blocked');       # a message that will be placed in a 'Reason' cookie
}
sub authen_ses_key ($$$) {
    my $self    = shift;
    my $r       = shift;
    my $session = shift;

    # Default implementation, intended to be overridden. An overriding method
    # should validate the session and map it to the REMOTE_USER value.
    #
    # SECURITY: this default performs no validation at all. Whatever session
    # string it is given is handed straight back and becomes REMOTE_USER, so
    # with the default in place the user name is simply whatever the client
    # presented.
    return $session;

    # An overriding method that rejects the session should return nothing, so
    # that no REMOTE_USER is set and the client is sent back to the login
    # form (make sure there IS a login form before doing this). Prefer a bare
    # "return;" over "return undef;": an empty list unambiguously leaves
    # recognize_user's $user unset.
}
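# Look for an existing session (cookie first, then the session extracted from
# the URI) and, if authen_ses_key maps it to a user, record that user on the
# connection.
#
# Arguments: the handler class/object and the Apache request object $r.
# Returns:   nothing when auth_type or auth_name is not configured for the
#            request; OK in every other case, whether or not a user was set.
sub recognize_user ($$) {
    my ($self, $r) = @_;
    my $debug = $r->dir_config( DEBUG ) || 0;

    my ($auth_type, $auth_name) = ($r->auth_type, $r->auth_name);
    return unless $auth_type && $auth_name;

    # The session cookie is named "<auth_type>_<auth_name>". Match the name
    # literally (\Q...\E) and only at the start of a cookie pair, so that
    # regex metacharacters in the configured names, or another cookie whose
    # name merely ends in the same text, cannot select the wrong value.
    my $cookie_name = "${auth_type}_$auth_name";
    my ($cookie) = ($r->header_in( 'Cookie' ) || '')
        =~ /(?:\A|[;,]\s*)\Q$cookie_name\E=([^;]+)/;

    # Get session from URI if not set in a cookie
    # (won't likely be here if this isn't a protected doc)
    $cookie ||= $r->notes( 'URI_Session' ) || '';

    # SECURITY: the session value is a bearer credential supplied by the
    # client. With the debug setting at 1 or higher it is written to the error
    # log, so keep debugging off in production and protect the log file.
    $r->log_error("session provided = '$cookie'" ) if $debug >= 1;
    return OK unless $cookie;

    # authen_ses_key signals "no user" either with an empty list or with
    # undef. Testing the list assignment itself would count "return undef" as
    # one element and install an undefined user, so check definedness.
    my ($user) = $auth_type->authen_ses_key($r, $cookie);
    if (defined $user) {
        $r->log_error("recognize user = '$user'") if $debug >= 2;
        $r->connection->user($user);
    }

    return OK;
}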
# Transhandler to strip the session from the URL
#
# $r->notes('Session_prefix') session prefix found in httpd.conf
# also used to indicate to login() that the trans handler is in use
#
# $r->notes('URI_Session') is the extracted session.
# authenticate() uses it if no cookie
#
# $r->subprocess_env( 'SESSION' ) is set so cgi scripts can prefix to href links
#
# $r->notes( 'SESSION' ) is set for ErrorDocument fixups - prefix
# Location: headers if exists (might as well use the $ENV{SESSION})