Apache-AuthDigest
Session/Session.pm
each request (via a PerlInitHandler or whatever) needs to populate
$r->notes('SESSION') with a session to be used _if the user cannot
authenticate_. If you think through how HTTP authentication and the
Apache API work, you'll see why this needs to happen on every
request (or correct me if you think I'm wrong). compare_digest_response()
will then, if the user credentials check out, overwrite $r->notes('SESSION')
with the session identifier that the user passed back via the request headers.
So, by the time the PerlAuthzHandler, PerlFixupHandler and
PerlHandler run, $r->notes('SESSION') holds the real session id,
as gleaned from the headers, and _not_ the fallback value placed there by
the PerlInitHandler (or whatever other mechanism one uses
to generate a session).
An alternative interface is for any handler that wants
the current session identifier to instantiate a new
Apache::AuthDigest::API::Session object and call get_session() on
it, instead of diddling with $r->notes() directly.
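As an added illustration of the flow described above (this is not code from the Apache-AuthDigest distribution), the three handlers below set the fallback note on every request and then let compare_digest_response() replace it once the client authenticates. It assumes the mod_perl 1 API, that Apache::AuthDigest::API provides get_digest_auth_response() and note_digest_auth_failure() alongside compare_digest_response(), and a hypothetical lookup_h_a1() that returns MD5(user:realm:password) from your own credential store.

```perl
package My::SessionDigest;
# Added example, not part of Apache-AuthDigest. Assumed: mod_perl 1 API,
# get_digest_auth_response() / compare_digest_response() / note_digest_auth_failure()
# on Apache::AuthDigest::API, and a hypothetical lookup_h_a1() credential lookup.
# httpd.conf (constructed):
#   PerlInitHandler   My::SessionDigest::init
#   PerlAuthenHandler My::SessionDigest::authen
#   PerlHandler       My::SessionDigest::content
use strict;
use warnings;
use Apache::Constants qw(OK AUTH_REQUIRED);
use Apache::AuthDigest::API::Session;
use Digest::MD5 qw(md5_hex);

# Hypothetical: H(A1) = MD5("user:realm:password") from your own store.
sub lookup_h_a1 { my ($user, $realm) = @_; return undef }

# PerlInitHandler: runs on every request, so a fallback session always exists
# for the case where the client never authenticates (anonymous or failed auth).
sub init {
    my $r = shift;
    $r->notes(SESSION => 'anon-' . md5_hex($r->connection->remote_ip . $$ . time));
    return OK;
}

# PerlAuthenHandler: on success compare_digest_response() replaces the fallback
# note with the session id the client echoed back in its request headers.
sub authen {
    my $r = Apache::AuthDigest::API::Session->new(shift);
    my ($status, $response) = $r->get_digest_auth_response;
    return $status unless $status == OK;          # no/invalid header: re-challenge
    my $h_a1 = lookup_h_a1($r->user, $r->auth_name);
    return OK if defined $h_a1 && $r->compare_digest_response($response, $h_a1);
    $r->note_digest_auth_failure;                 # notes('SESSION') keeps the fallback
    return AUTH_REQUIRED;
}

# PerlHandler: notes('SESSION') is trustworthy here only because the authen
# phase has already run; get_session() is the alternative accessor.
sub content {
    my $r = Apache::AuthDigest::API::Session->new(shift);
    my $session = $r->get_session || $r->notes('SESSION');
    $r->send_http_header('text/plain');
    $r->print("session=$session\n");
    return OK;
}
1;
```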
As this unfolds and people start to see what is going on, it will
probably take more shape. There may very well be security implications