I have a module that I built on my own to handle user authentication.
At the moment, every perl script that I have calls a method in this
module using a cookie (supplied by the browser) as an argument.
Eventually I want to turn this into a mod_perl handler which, instead of
returning the authorized user information (in a scalar called $uid),
will add a key to $ENV containing the authorized user id.

However, for the moment I have trouble in that the $uid variables (or
possibly the $cookie variables) are being remembered between callings of
the scripts. This results in unauthenticated users receiving access to
incorrect accounts. (Even authenticated users get other people's
accounts occasionally.)

In short, the module is called TFile::Authenticate, and it has a "use"
line in my mod_perl startup script, to maximize persistence and minimize
compile/load time. Additionally, each cgi script (for they are still all
scripts) "use"s the module.

Basically, the common authorization code in each script looks something
like this:

    my $q=new CGI;
    my $cookid=$q->cookie('sessionlid');
    if (!(defined($cookid))) {print "Location: /login.html\r\n\r\n";exit;}
    my $uid=eval 'check_auth($cookid);';
    #The above line calls the authentication script
    #which will return a valid $uid or undef if not valid
    if (!(defined($uid))) {print "Location: /login.html\r\n\r\n";exit;}
    my $cookie=$q->cookie(-name=>"sessionlid",-value=>$cookid,-expires=>expdate_auth($cookid));

The scripts then proceed to do their work and when they return content,
contain the command

    print STDOUT "Set-Cookie: $cookie\r\n";

Now I _know_ that some of the variables are being persistent, because
when doing a telnet localhost 80, and requesting a script, I actually
got a response including a cookie for a valid authentication.

Now, I'm still really not sure about how the persistence works, so I
suppose I could just do something like:

    my $uid=undef;
    my $cookid=undef;
    my $cookie=undef;
    ...

If I include that at the beginning of all of the scripts, it could work,
but it seems to me to be a bit messy; I'm sure there's a better way.
Additionally, can anyone think of a better way to add a handler to
the existing TFile::Authenticate module for mod_perl scripts, while leaving
the public interfaces open for normal CGI (or any other) scripts?
Thanks,
Issac
Internet is a wonderful mechanism for making a fool of
yourself in front of a very large audience.
  --Anonymous
Moving the mouse won't get you into trouble... Clicking it might.
  --Anonymous
PGP Key 0xE0FA561B - Fingerprint: 7E18 C018 D623 A57B 7F37 D902 8C84 7675 E0FA 561B
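
Added example, not part of the original post and not TFile::Authenticate's code: one way the symptom described above can arise in a persistent interpreter, assuming (hypothetically) that the auth routine keeps its result in a package variable that is assigned only on success. The Leaky and Scoped packages, the session table and the cookie values are constructed for illustration.

```perl
#!/usr/bin/perl
# Added illustration. Package names, the session table and the cookie
# values are hypothetical; this is not TFile::Authenticate's code.
use strict;
use warnings;

# Constructed session table: cookie value => user id.
my %SESSIONS = (abc123 => 'alice');

{
    package Leaky;
    # Package variable: it lives as long as the interpreter, which under
    # mod_perl means the whole life of the Apache child process, so its
    # value survives from one request to the next.
    our $uid;
    sub check_auth {
        my ($cookid) = @_;
        # Defect: $uid is assigned on success but never cleared on failure,
        # so a failed lookup returns whatever the previous request left.
        $uid = $SESSIONS{$cookid}
            if defined $cookid && exists $SESSIONS{$cookid};
        return $uid;
    }
}

{
    package Scoped;
    sub check_auth {
        my ($cookid) = @_;
        # Lexical declared inside the sub: a fresh, undefined variable on
        # every call, so nothing carries over between requests.
        my $uid;
        $uid = $SESSIONS{$cookid}
            if defined $cookid && exists $SESSIONS{$cookid};
        return $uid;
    }
}

# Simulate one persistent interpreter serving two requests in a row:
# first a valid session cookie, then a cookie that matches no session.
for my $impl (qw(Leaky Scoped)) {
    for my $cookid ('abc123', 'not-a-session') {
        my $uid = $impl->can('check_auth')->($cookid);
        printf "%-6s cookie=%-13s uid=%s\n", $impl, $cookid,
            defined $uid ? $uid : '(undef, redirect to /login.html)';
    }
}
```

Run under plain perl, the Leaky version reports the first request's user id for the second, unknown cookie, while the Scoped version returns undef for it.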