I'm building a new "Account Management" application for our subscribers (we publish trade magazines) and I'm limited by the age of its host server (don't ask ;)). I've been using Apache::AuthCookie on a separate server, but I don't have that luxury, since I only have mod_perl 1.24 and Perl 5.6.1. I noticed Cees' post[1] about CGI::Session::Auth, but that needs Perl 5.8.

So with those constraints in mind, I'd love to get some peer input on a scheme to authenticate access to the "Account Management" app.

I'd like to abstract the authentication outside of the main app itself, so I can use it for another application (and perhaps additional applications in the future, too). Plus, I've read that that's a good practice[2].

So what I have right now is in my main application, to which I originally added a cgiapp_prerun method, but then I realized I needed to write a wrapper package to subclass in order to do that, so instead I tacked the auth call onto the setup method:

sub setup {
  my $self = shift;
  # ... Typical cgiapp setup stuff ...

  my $auth = QSR::AccountAuth->new();

  # NB: CGI::Application discards setup()'s return value, so returning
  # $auth->login() here does not stop the requested run mode from running.
  if ( ! $auth->is_valid( $self ) ) {
    return $auth->login();
  }
}

Then I also created another cgiapp (QSR::AccountAuth) to handle the authentication and also act as a cgiapp to do the login page.

Right now, the is_valid method looks something like this:

use CGI::Session;
use CGI::Cookie;

sub is_valid {
  my ( undef, $cgiapp ) = @_;
  my $query = $cgiapp->query;

  # Loads the session named by the CGISESSID cookie, or creates a new one
  my $session = CGI::Session->new(
      undef, $query, { 'Directory' => '/tmp' }
    );
  my $id = $session->id;

  # Re-send the session cookie on every request
  my $c = CGI::Cookie->new(
      -name     =>   'CGISESSID',
      -value    =>   $id,
      -expires  =>   '+3M',
      -domain   =>   '.qsrmagazine.com',
      -path     =>   '/',
      -secure   =>   0,     # cookie is also sent over plain HTTP
    );
  # NB: header_props() replaces the whole header property set, so any later
  # header_props() call in the app drops this cookie; header_add() (newer
  # CGI::Application releases) appends instead.
  $cgiapp->header_props( 'cookie' => $c );

  return $session->param( '_IS_LOGGED_IN' ) ? 1 : 0;
}

I guess my big hangup is understanding the flow and how CGI::Session comes into things. I'm not seeing the cookie set and I'm not seeing the login() method actually being called (I trimmed it down to just a return 0).

Thanks in advance for any help - I guess I'm really asking for someone to clear the fog (or point me in the right direction) on auth schemes using sessions and cookies.

Cheers,

Jason

[1]: http://www.mail-archive.com/[EMAIL PROTECTED]/msg01126.html
[2]: http://www.perl.com/pub/a/2001/06/05/cgi.html#Conclusions_Advanced
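To show the flow the post is asking about, here is an added example (not Jason's code and not part of the original thread): a hypothetical QSR::AuthBase base class that subscriber apps inherit from, with the session check in cgiapp_prerun rather than setup. It assumes CGI::Application 3.x (prerun_mode, header_add), CGI::Session, CGI::Cookie, and a constructed %PW credential store in place of a database.

```perl
package QSR::AuthBase;   # hypothetical base class, not the poster's code
use strict;
use base 'CGI::Application';
use CGI::Session;
use CGI::Cookie;

# Constructed sample credential store (user => crypt() hash); a real app reads a database.
my %PW = ( demo => crypt('demo-password', 'ab') );

# Runs before every run mode. setup()'s return value is discarded by CGI::Application,
# so the check lives here and diverts to the login mode with prerun_mode().
sub cgiapp_prerun {
    my ($self, $rm) = @_;
    my $q = $self->query;
    my $session = CGI::Session->new(undef, $q, { Directory => '/tmp' });
    $session->expire('+1h');                 # server-side idle timeout
    $self->param(session => $session);       # one session object shared with the run modes
    my $cookie = CGI::Cookie->new(
        -name => 'CGISESSID', -value => $session->id, -path => '/',
        -secure => 1,                        # HTTPS only; the session id is the credential
    );
    $self->header_add(-cookie => $cookie);   # header_add() keeps other header props intact
    $self->run_modes(login => 'login');      # every subclass gets the login mode
    return if $session->param('_IS_LOGGED_IN') || $rm eq 'login';
    $self->prerun_mode('login');
}
sub check_password {
    my ($self, $user, $pass) = @_;
    my $hash = $PW{$user} or return 0;
    return crypt($pass, $hash) eq $hash;
}
# Login run mode: valid POSTed credentials mark the session and redirect back to the
# original URL; anything else (re)displays the form.
sub login {
    my $self = shift;
    my $q = $self->query;
    if ($q->request_method eq 'POST'
        && $self->check_password($q->param('user'), $q->param('pass'))) {
        my $session = $self->param('session');
        $session->param(_IS_LOGGED_IN => 1);
        $session->param(_USER => $q->param('user'));
        $session->flush;                     # persist before the redirect is sent
        $self->header_type('redirect');
        $self->header_add(-url => $q->url(-path_info => 1));
        return '';
    }
    return $q->start_form(-method => 'POST') . $q->textfield('user')
         . $q->password_field('pass') . $q->submit(-value => 'Log in') . $q->end_form;
}
1;
```

A subclass only needs `use base 'QSR::AuthBase';` and its own run modes; every request then passes through the session check before its run mode executes.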

Web Archive: http://www.mail-archive.com/[EMAIL PROTECTED]/ http://marc.theaimsgroup.com/?l=cgiapp&r=1&w=2