Apache-AuthCookieURL
}
sub key {
    my $self = shift;
    my $r = Apache->request;

    my ( $auth_name, $auth_type ) = ( $r->auth_name, $r->auth_type );

    # Session key from the "<AuthType>_<AuthName>" cookie, if the client sent one
    my ( $ses_key_cookie ) = ($r->header_in( 'Cookie' ) || '') =~ /${auth_type}_$auth_name=([^;]+)/;

    # Otherwise fall back to the 'URI_Session' request note
    return $ses_key_cookie || $r->notes( 'URI_Session' ) || undef;
}
1;
__END__

=head1 NAME

Apache::AuthCookieURL - Perl Authentication and Authorization
or session management via cookies or URL munging

=head1 SYNOPSIS

In httpd.conf

    # Your module that overrides AuthCookieURL methods
    PerlModule My::AuthCookieURLHandler

    # Or to use simple session generation w/o persistence
    #PerlModule Apache::AuthCookieURL

    ## Some settings -- "Whatever" is set by AuthName ##
    # most can be set within <directory> sections

    # Send expires with cookie
    PerlSetVar WhateverExpires +90d

    # Other cookie settings
    #PerlSetVar WhateverDomain some.domain

    # This can only be set to "/" if using URL sessions
    #PerlSetVar WhateverPath /path
    #PerlSetVar WhateverSecure 1

    # Login script to call
    PerlSetVar WhateverLoginScript /login.pl

    # Or for just session management without a login script
    #PerlSetVar WhateverLoginScript NONE

    # Debugging options
    #PerlSetVar AuthCookieURLDebug 5

    # Disable cookies (only URL based sessions)
    #PerlSetVar WhateverNoCookie 1

    # Define a string that indicates to AuthCookieURL
    # what a session looks like
    # This can only be in main config
    #PerlSetVar SessionPrefix Session-

    # This block enables URL session handling
    PerlTransHandler Apache::AuthCookieURLHandler->URLsession

    ErrorDocument 302 /MISSING
    ErrorDocument 301 /MISSING
    <Location /MISSING>
        SetHandler perl-script
        PerlHandler Apache::AuthCookieURLHandler->error_document
    </Location>

    <Location /protected>
        AuthType Apache::AuthCookieURLHandler
        AuthName Whatever
        PerlAuthenHandler Apache::AuthCookieURLHandler->authenticate
        PerlAuthzHandler Apache::AuthCookieURLHandler->authorize
        require valid-user
    </Location>

    # provide open access to some areas below
    <Location /protected/open>
        PerlSetVar DisableAuthCookieURL 1
    </Location>

    # or if the entire directory tree was protected
    <Location /images>
        PerlSetVar DisableAuthCookieURL 1
    </Location>

    # Make sure the login script can be run
    <Files login.pl>
        Options +ExecCGI
        SetHandler perl-script
        PerlHandler Apache::Registry
    </Files>

    # LOGIN is the action defined by the login.pl script
    <Files LOGIN>
        AuthType Apache::AuthCookieURLHandler
        AuthName Whatever
        SetHandler perl-script
        PerlHandler Apache::AuthCookieURLHandler->login
    </Files>

    # Note: If protecting the entire web site (from root down) then
    # the action *must* be C</LOGIN> as the module looks for this string.

    # better to just invalidate the session, of course
    <Files LOGOUT>
        AuthType Apache::AuthCookieURLHandler
        PerlSetVar WhateverLogoutURI /
        AuthName Whatever
        SetHandler perl-script
        PerlHandler Apache::AuthCookieURLHandler->logout
    </Files>

=head1 DESCRIPTION

** Warning: beta software. This should be used for testing purposes only.
That said, there are a few people using it and I've been using it for a
few months without problem. The interface may change (or disappear) without notice.
Please report any problems or comments back to Bill Moseley E<lt>moseley@hank.orgE<gt>.

This module is a modification of Ken Williams E<lt>ken@forum.swarthmore.eduE<gt> Apache::AuthCookie.
Please see perldoc Apache::AuthCookie for complete instructions. As this is intended to be
a drop-in replacement for Apache::AuthCookie you may wish to install and test with Ken's
Apache::AuthCookie before trying AuthCookieURL.

Basically, this module allows you to catch any unauthenticated access and redirect to a
login script that you define. The login script posts credentials (e.g. username and password),
and your module can then validate them and provide a session key. The session key is sent in a
cookie and also in a munged URL; a redirect is then issued and the process starts all over.

Typically, you will write your own module that will override methods in Apache::AuthCookieURL.
These methods are described completely in Ken's Apache::AuthCookie. Your methods will be used
to generate and validate session keys. You can use Apache::AuthCookieURL without overriding
its methods and then AuthCookieURL can be used as a simple session manager.
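
An added example (not part of Apache::AuthCookieURL or Apache::AuthCookie): one way the session-key generation and validation done by your overriding methods could work, assuming an HMAC-signed key of the form user-timestamp-mac. The helper names, secret and lifetime are hypothetical; in a subclass they would be called from Apache::AuthCookie's authen_cred and authen_ses_key methods.

```perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Hypothetical helpers for this example; not AuthCookieURL's own API.
my $SECRET  = 'placeholder-long-random-server-side-secret';
my $MAX_AGE = 3600;    # key lifetime in seconds (assumed policy)

# Key format "user-issued-mac". It holds no password, because the key can
# end up in URLs, and uses no ';' so it survives as a cookie value.
sub make_session_key {
    my ($user, $now) = @_;
    $now = time unless defined $now;
    die "bad user name\n" unless $user =~ /\A[A-Za-z0-9_]{1,32}\z/;
    return join '-', $user, $now, hmac_sha256_hex("$user-$now", $SECRET);
}

# Return the user name for a well-formed, authentic, unexpired key;
# otherwise return undef.
sub check_session_key {
    my ($key, $now) = @_;
    $now = time unless defined $now;
    return unless defined $key;
    my ($user, $issued, $mac) =
        $key =~ /\A([A-Za-z0-9_]{1,32})-(\d{1,12})-([0-9a-f]{64})\z/
        or return;
    my $expect = hmac_sha256_hex("$user-$issued", $SECRET);
    # Compare every character so timing does not reveal the first mismatch.
    my $diff = 0;
    $diff |= ord(substr $mac, $_, 1) ^ ord(substr $expect, $_, 1) for 0 .. 63;
    return if $diff;
    return if $issued > $now || $now - $issued > $MAX_AGE;
    return $user;
}

# Constructed sample values.
my $t0  = 1_000_000_000;
my $key = make_session_key('alice', $t0);
(my $forged = $key) =~ s/\Aalice/admin/;
printf "valid:   %s\n", check_session_key($key,    $t0 + 60)   // 'rejected';
printf "expired: %s\n", check_session_key($key,    $t0 + 7200) // 'rejected';
printf "forged:  %s\n", check_session_key($forged, $t0 + 60)   // 'rejected';
```
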
With this module you should be able to enable session management for an entire site
using E<lt>Location /E<gt>, and then allow access to, say, the images directory, and also require
password access to other locations. One issue at this point is that the session key is
stripped from URLs in a Trans handler. So you would need to use cookies to use different
session keys for different parts of your web tree.

Apache::AuthCookieURL adds the following features to Apache::AuthCookie.

=over 4

=item * URL munging

If the PerlTransHandler is enabled in httpd.conf the session key will also be placed in the URL.
The session key will be removed from the URL if cookies are enabled
on the next request. Typically, someone visiting your site with cookies enabled
will never see the munged URL.

To make URL sessions work you must use relative links in your documents so the client/browser
knows to place the session key on all links. CGI scripts can also access the session
information via the environment.

=item * Simple Session Management

If the login script is set to `NONE' with PerlSetVar WhateverLoginScript NONE then
Apache::AuthCookieURL acts like a simple session manager: your module will provide a new
session key if one is not provided with the request, or if the one provided is invalid.

=item * Really Simple Session Management