On 14/12/05, Aaron Trevena <[EMAIL PROTECTED]> wrote:
> On 13/12/05, Bill Broomall <[EMAIL PROTECTED]> wrote:
> > Has anyone succeeded in running a Maypole application using mod_perl and
> > Maypole::Plugin::Authentication::UserSessionCookie in either of the
> > following situations:
>
> I'll post some examples when I have time to fish them out of my laptop.

As promised, here is the code I currently use:

use Apache::Constants qw(OK);
use Apache::Cookie;

sub authenticate {
    my ($self, $r) = @_;
    $r->get_user;
    return OK if $r->{user};
    # No session cookie and no valid credentials: show the login form.
    $r->template("login");
    $r->{ar}->warn('should be login screen now');
    return OK;
}

sub get_user {
    my $r  = shift;
    my $ar = $r->{ar};
    $ar->warn('[DEBUG] get_user called');
    my ($sid, $user);
    my %jar = Apache::Cookie->new($ar)->parse;
    if (exists $jar{admin_session}) { $sid = $jar{admin_session}->value(); }
    $sid = undef unless $sid; # Clear it, as 0 is a valid sid.

    my $new = !(defined $sid);

    if ($new) {
        # Go no further unless login credentials are right.
        # Debug only: this line writes the plaintext password to the error log.
        $ar->warn("credentials : ", $r->{params}{user}, ':', $r->{params}{password});
        if ( $r->{params}{user} && $r->{params}{password} ) {
            $user = Application::User->retrieve_from_authentication(
                username => $r->{params}{user},
                password => $r->{params}{password},
            );
        }
        $r->template('frontpage') if ($user);
        return 0 unless $user;
    } else {
        return 0 unless $sid;
        $ar->warn("getting user from sid : $sid\n");
        # Grab the user object from the session data.
        $user = Application::User->retrieve_from_session($sid, 'admin');
        return 0 unless $user;
    }

    if ($new && $user) {
        # Store the userid, and bake the cookie
        $sid = $user->new_session('admin');
        my $cookie = Apache::Cookie->new($ar,
            -name    => "admin_session",
            -value   => $sid,
            -expires => '+1h',
            -path    => "/",
        );
        $cookie->bake();
    }
    $r->{user} = $user;

    return 1;
}

There are two methods it uses there that I haven't included: the first
does a simple search with a md5 crypt of the password provided
together with the username (I tend to always store encrypted
passwords for users); the second retrieves the user from the session id,
with some basic checks included to avoid spoofing, i.e. md5 sum of the
session id concatenated with user_id and a substring of the encrypted
password. I also use multiple levels of authorisation and so pass an
optional authorisation level together with the username and password
(and store the authorisation level in the session info).

If you don't have those checks in place, both method calls could
instead be standard CDBI search calls to the class using either
session id or username/password.

The logout functionality on the wiki JustWorks(TM), but if you are
using the database you'll want to delete the session entries as well
as clearing the cookie.

You may also want to set expiry times for the session in the session
record itself if you a) don't trust the client to not expire a cookie
when requested and b) want to regularly remove old unused sessions
from your database.

Cheers,

A.


_______________________________________________
Maypole-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/maypole-users
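The two helper methods Aaron leaves out (the session lookup with its anti-spoofing check, and the server-side expiry he recommends for the session record) are sketched below as an added, self-contained example. It is not Aaron's code and not part of Maypole or the plugin: in-memory hashes stand in for the CDBI user and session classes, the crypted password values are made-up placeholders, and the exact composition of the check value (md5 of sid, user id and a prefix of the stored password hash) is an assumption based on his description.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);

# Constructed stand-ins for the users and sessions tables (a real app would
# use its CDBI classes). The crypted value is a made-up placeholder.
my %USERS = (
    42 => { username => 'alice', crypted => '$1$saltsalt$PLACEHOLDERmd5cryptHash' },
);
my %SESSIONS;            # sid => { user_id, level, check, expires }
my $SESSION_TTL = 3600;  # seconds; matches the cookie's '+1h'

sub user_by_id {
    my $id = shift;
    my $u = $USERS{$id} or return;
    return { id => $id, %$u };
}

# Unguessable session id: 16 bytes from the kernel CSPRNG, hex encoded.
sub generate_sid {
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    my $n = read $fh, my $bytes, 16;
    close $fh;
    die "short read from /dev/urandom" unless defined $n && $n == 16;
    return unpack 'H*', $bytes;
}

# Anti-spoofing check value (assumed composition): md5 of the sid, the user
# id and a prefix of the stored crypted password. It is recomputed on every
# lookup, so a session row that no longer matches its user, or a user whose
# password has changed, stops validating.
sub session_check {
    my ($sid, $user) = @_;
    return md5_hex($sid . $user->{id} . substr($user->{crypted}, 0, 8));
}

sub new_session {
    my ($user_id, $level, $now) = @_;
    my $user = user_by_id($user_id) or return;
    my $sid  = generate_sid();
    $SESSIONS{$sid} = {
        user_id => $user_id,
        level   => $level,               # authorisation level kept with the session
        check   => session_check($sid, $user),
        expires => $now + $SESSION_TTL,  # server-side expiry, independent of the cookie
    };
    return $sid;
}

sub retrieve_from_session {
    my ($sid, $level, $now) = @_;
    my $sess = $SESSIONS{$sid} or return;            # unknown sid
    if ($now > $sess->{expires}) {                    # expired: drop the row as well
        delete $SESSIONS{$sid};
        return;
    }
    return unless $sess->{level} eq $level;           # wrong authorisation level
    my $user = user_by_id($sess->{user_id}) or return;
    return unless session_check($sid, $user) eq $sess->{check};
    return $user;
}

# Logout: clearing the cookie alone would leave a live row in the table.
sub delete_session {
    my $sid = shift;
    return delete($SESSIONS{$sid}) ? 1 : 0;
}

# Housekeeping: remove sessions whose server-side expiry has passed.
sub purge_expired {
    my $now  = shift;
    my @dead = grep { $SESSIONS{$_}{expires} < $now } keys %SESSIONS;
    delete @SESSIONS{@dead};
    return scalar @dead;
}

# Walk through the failure modes with a constructed clock.
my $now = time;
my $sid = new_session(42, 'admin', $now);
my $who = retrieve_from_session($sid, 'admin', $now);
print "fresh session: ", ($who ? "user $who->{username}" : 'rejected'), "\n";
print "wrong level:   ", (retrieve_from_session($sid, 'editor', $now) ? 'accepted' : 'rejected'), "\n";

# A password change invalidates the session, since its check embeds the old hash.
$USERS{42}{crypted} = '$1$newsalt.$NEWplaceholderHashAfterChange';
print "pw changed:    ", (retrieve_from_session($sid, 'admin', $now) ? 'accepted' : 'rejected'), "\n";

# Server-side expiry fires even if the client ignores the cookie's expiry.
my $sid2 = new_session(42, 'admin', $now);
print "after 2h:      ", (retrieve_from_session($sid2, 'admin', $now + 7200) ? 'accepted' : 'rejected'), "\n";

my $sid3 = new_session(42, 'admin', $now);
print "logout:        ", (delete_session($sid3) ? 'row removed' : 'no row'), "\n";
printf "purged %d stale session(s)\n", purge_expired($now + 7200);
```

In the posted get_user, the call `Application::User->retrieve_from_session($sid, 'admin')` corresponds to `retrieve_from_session($sid, 'admin', time)` here, and the `'admin'` argument is what the stored level is compared against. Putting the expiry in the session row means the server decides when a session dies regardless of what the browser does with the `-expires => '+1h'` cookie, and purge_expired is the cron-style cleanup the post mentions.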