Apache-AuthCookieURL
AuthCookieURL.pm view on Meta::CPAN
# These should be overridden in your own module

# Purpose: to provide a default session ID when not using a login script
# Must use with URLsession enabled so initial redirect will see a different url
# in the Location header from the original request.
sub authen_cred ($$\@) {
    my $self = shift;
    my $r = shift;
    my @creds = @_;

    # Normally this would convert credentials into a session key

    # A really silly session key: time, process ID and rand() are all guessable.
    return time . $$ . int rand $$;

    # Or return a flag that authen_ses_key can look for
    return 'invalid:account_expired';

    # Or return a message that will be placed in a 'Reason' cookie
    return ('','User Blocked');
}
AuthCookieURL.pm view on Meta::CPAN
$destination ||= $args{destination} || '';
unless ( $destination ) {
    $r->log_error("No key 'destination' found in posted data");
    return SERVER_ERROR;
} else {
    $r->log_error("'destination' in posted data = '$destination'") if $debug >= 1;
}

# Get the credentials from the data posted by the client, if any.
# Note: at debug level 2 and above, each posted credential value
# (including any password) is written to the error log.
my @credentials;
while (exists $args{"credential_" . ($#credentials + 1)}) {
    $r->log_error("credential_" . ($#credentials + 1) . "= '" .
        $args{"credential_" . ($#credentials + 1)} . "'") if $debug >= 2;
    push(@credentials, $args{"credential_" . ($#credentials + 1)});
}

# Convert POST to GET
if ($r->method eq 'POST') {
    $r->method('GET');
    $r->method_number(M_GET);
    $r->headers_in->unset('Content-Length');
}

$r->no_cache(1) unless $r->dir_config( $auth_name . 'Cache' );

# Exchange the credentials for a session key.
my ($ses_key, $error_message ) = $self->authen_cred($r, @credentials);

# Would be nice if could somehow go back to original request yet pass info
# from authen_cred about a failed authentication
# two ideas: 1) return a session key that authen_ses_key can identify as invalid
#            2) return a message and place that in a cookie

# Get the uri so can adjust path, and to redirect including the query string
my $uri = Apache::URI->parse($r, $destination );
AuthCookieURL.pm view on Meta::CPAN
That said, there are a few people using it and I've been using it for a
few months without problem. The interface may change (or disappear) without notice.
Please report any problems or comments back to Bill Moseley E<lt>moseley@hank.orgE<gt>.
This module is a modification of Ken Williams E<lt>ken@forum.swarthmore.eduE<gt> Apache::AuthCookie.
Please see perldoc Apache::AuthCookie for complete instructions. As this is intended to be
a drop-in replacement for Apache::AuthCookie you may wish to install and test with Ken's
Apache::AuthCookie before trying AuthCookieURL.
Basically, this module allows you to catch any unauthenticated access and redirect to a
login script that you define. The login script posts credentials (e.g. username and password)
and your module can then validate them and provide a session key. The session key is sent in a cookie
and also in a munged URL, then a redirect is issued and the process starts all over.
Typically, you will write your own module that will override methods in Apache::AuthCookieURL.
These methods are described completely in Ken's Apache::AuthCookie. Your methods will be used
to generate and validate session keys. You can use Apache::AuthCookieURL without overriding
its methods and then AuthCookieURL can be used as a simple session manager.
With this module you should be able to enable session management for an entire site
using E<lt>Location /E<gt>, and then allow access to, say, the images directory, and also require
AuthCookieURL.pm view on Meta::CPAN
Unless you are using this module without subclassing it (and relying on the default methods provided),
your own module must define two methods: authen_cred() and authen_ses_key(), and then
subclass by including Apache::AuthCookieURL in your module's @ISA array.
Again, please see Apache::AuthCookie for complete documentation.
=over 4
=item * authen_cred()
This method verifies the credentials (e.g. username/password) and returns a session key. If the credentials are
not acceptable then you can return a list, with the second element being an error message
that is placed in a cookie. This allows your login script to display a failure reason. This
approach is needed because a redirect is done before your login script is executed again. Of course,
it requires that the client has cookies enabled.

Another approach is to return a session key that is really an error code and generate
messages based on that returned session (error) code.
=item * authen_ses_key()
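An added example, not code from Apache::AuthCookieURL or its author: a subclass whose authen_cred() issues an HMAC-signed, all-hex session key with a nonce from /dev/urandom in place of the time/PID/rand default, and whose authen_ses_key() verifies it. The package name, `MY_SESSION_SECRET`, `check_password()` and the one-hour lifetime are assumptions, and authen_ses_key() is assumed to receive ($self, $r, $key) and return the user name, as documented for Apache::AuthCookie.

```perl
package My::SessionAuth;                  # hypothetical subclass name
use strict;
use warnings;
use Apache::AuthCookieURL ();
use Digest::SHA qw(hmac_sha256_hex);
our @ISA = ('Apache::AuthCookieURL');

# Assumption: the server-side secret arrives in a hypothetical environment variable.
my $SECRET = $ENV{MY_SESSION_SECRET} or die "MY_SESSION_SECRET is not set";
my $TTL    = 3600;                        # session lifetime in seconds (constructed value)

# 16 bytes from the kernel CSPRNG as hex, instead of time/PID/rand.
sub _nonce {
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    read($fh, my $buf, 16) == 16 or die "short read from urandom";
    return unpack 'H*', $buf;
}

# Compare two strings without stopping at the first differing byte.
sub _same {
    my ($x, $y) = @_;
    return 0 unless length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Called with the posted credential_0, credential_1, ... values.
sub authen_cred {
    my ($self, $r, $user, $pass) = @_;
    # check_password() is a hypothetical lookup that you supply.
    return ('', 'Login failed')
        unless defined $user && defined $pass && check_password($user, $pass);
    # All-hex body: expiry (8 chars) + nonce (32 chars) + hex-encoded user name.
    my $body = sprintf('%08x', time + $TTL) . _nonce() . unpack('H*', $user);
    return hmac_sha256_hex($body, $SECRET) . $body;
}

# Returns the user name for a valid, unexpired key and nothing otherwise.
sub authen_ses_key {
    my ($self, $r, $key) = @_;
    return unless defined $key
        && $key =~ /\A([0-9a-f]{64})([0-9a-f]{8})[0-9a-f]{32}((?:[0-9a-f]{2})+)\z/;
    my ($mac, $exp, $user_hex) = ($1, $2, $3);
    return unless _same($mac, hmac_sha256_hex(substr($key, 64), $SECRET));
    return if hex($exp) < time;
    return pack 'H*', $user_hex;
}
1;
```

The key stays valid until its embedded expiry because nothing is stored server-side; revoking a session earlier needs a server-side list keyed on the nonce.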
AuthCookieURL.pm view on Meta::CPAN
=item * WhateverLoginScript
This sets the Login script to be executed when authorization is
required (no valid session key was sent by cookie or URL). This login script can be a
CGI script, Apache::Registry script, or a mod_perl handler.
If set to `NONE' then AuthCookieURL will be in simple session management mode.
AuthCookieURL-E<gt>login will be called which calls authen_cred() to generate a session key.
authen_cred() should just return a session key without checking the credentials.
If you do not override AuthCookieURL::authen_cred(), then AuthCookieURL::authen_cred()
simply returns this for a session key. It is built from the current time, the process ID
and Perl's rand(), so it is predictable rather than secret.

    return time . $$ . int rand $$;

Example:

    PerlSetVar WhateverLoginScript /login.pl
    PerlSetVar WhateverLoginScript NONE
=item * WhateverNoCookie