I have a module that I built on my own to handle
user authentication. At the moment, every perl script that I have calls a
method in this module using a cookie (supplied by the browser) as an argument.
Eventually I want to turn this into a mod_perl handler which, instead of
returning the authorized user information (in a scalar called $uid), will add a
key to $ENV containing the authorized user id.

However, for the moment I have trouble in that the
$uid variables (or possibly the $cookie variables) are being remembered between
callings of the scripts. This results in unauthenticated users receiving
access to incorrect accounts. (Even authenticated users get other people's
accounts occasionally.)

In short, the module is called TFile::Authenticate,
and it has a "use" line in my mod_perl startup script, to maximize persistence
and minimize compile/load time. Additionally, each cgi script (for they
are still all scripts) "use"s the module.

Basically, the common authorization code in each
script looks something like this:
my $q=new CGI;
my $cookid=$q->cookie('sessionlid');
if (!(defined($cookid))) {print "Location: /login.html\r\n\r\n";exit;}
my $uid=eval 'check_auth($cookid);';
#The above line calls the authentication script which will return a valid $uid or undef if not valid
if (!(defined($uid))) {print "Location: /login.html\r\n\r\n";exit;}
my $cookie=$q->cookie(-name=>"sessionlid",-value=>$cookid,-expires=>expdate_auth($cookid));

The scripts then proceed to do their work and when
they return content, contain the command

print STDOUT "Set-Cookie: $cookie\r\n";

Now I _know_ that some of the variables are being
persistent, because when doing a telnet localhost 80, and requesting a
script, I actually got a response including a cookie for a valid
authentication.

Now, I'm still really not sure about
how the persistence works, so I suppose I could just do something
like:
my $uid=undef;
my $cookid=undef;
my $cookie=undef;
...
If I include that at the beginning of all of the scripts, it could work,
but it seems to me to be a bit messy; I'm sure there's a better way.
Additionally, can anyone think of a better way to add a handler to the
existing TFile::Authenticate module for mod_perl scripts, while leaving the
public interfaces open for normal CGI (or any other) scripts?
Thanks,
Issac
Internet is a wonderful mechanism for making a fool of yourself in front of a very large audience. --Anonymous
Moving the mouse won't get you into trouble... Clicking it might. --Anonymous
PGP Key 0xE0FA561B - Fingerprint: 7E18 C018 D623 A57B 7F37 D902 8C84 7675 E0FA 561B
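
A sketch of the kind of handler the post describes, added here as an example; it is not code from the post or from TFile::Authenticate. It assumes the mod_perl 1.x API and that TFile::Authenticate exports check_auth() the way the scripts above call it; the package name TFile::AuthHandler and the environment key AUTH_UID are hypothetical. Keeping the handler in its own package leaves check_auth() callable from plain CGI scripts.

```perl
package TFile::AuthHandler;   # hypothetical name, not part of the original module
use strict;
use Apache::Constants qw(OK REDIRECT);
use CGI::Cookie ();
use TFile::Authenticate;      # assumed to export check_auth(), as the post's scripts use it

# Assumed configuration (mod_perl 1.x):
#   <Location /app>
#     PerlAccessHandler TFile::AuthHandler
#   </Location>
sub handler {
    my $r = shift;

    # Every variable is a lexical declared inside handler(), so each request
    # starts with fresh values; nothing is stored in package globals that
    # would survive in the persistent interpreter.
    my %cookies = CGI::Cookie->parse($r->header_in('Cookie') || '');
    my $cookid  = $cookies{sessionlid} ? $cookies{sessionlid}->value : undef;

    my $uid;
    if (defined $cookid) {
        # Block eval traps a die() inside check_auth() without compiling a
        # string at run time; on error $uid stays undef (fail closed).
        $uid = eval { check_auth($cookid) };
    }

    unless (defined $uid) {
        $r->header_out(Location => '/login.html');
        return REDIRECT;
    }

    # subprocess_env is a per-request table: the value shows up as
    # $ENV{AUTH_UID} in the script handling this request and is discarded
    # when the request ends.
    $r->subprocess_env(AUTH_UID => $uid);
    return OK;
}

1;
```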