I've been self-debating a small issue for a small
project that I'm developing, and thought I'd pass it on to see if I can get any
feedback from the experts in the field: I have a pair of login/logout CGI
scripts on a machine that I recently "bumped" from mod_cgi to mod_perl.
They set/removed a cookie that acts as a key in Jeffrey Baker's wonderful
Apache::Session module, which I used as a base for my own authentication module
(and if Jeffrey is reading this, I'd love your feedback about it...).
Now, since I am using mod_perl, I've set up my module to be pre-loaded to keep a
persistent connection to my session database (the connection to the
authentication [via user/password] database is only made in the login
script).
It seems to me that I _ought_ to try to squeeze a
bit more out of mod_perl by assigning a handler during some stage of the server
request to do the cookie authentication and then, instead of my scripts checking
with the authentication module, I can set an %ENV variable with the
authentication results, for later parsing by the scripts.
So, firstly, where is the best place to put the
handler? Logic would suggest the _authentication_ stage, of course, but
I'm still a tiny bit too newbie to know exactly how I'd have to set up the
.htaccess & .htpasswd files, let alone what kind of response I have to
send back to the server. (Links to the mod_perl Guide are fine for
answering this. I have, truth to tell, not quite finished reading the
whole thing, but I have people pressuring me to fix the login business which, as
a result of moving to mod_perl, is now quite a mess so I'm doing the unthinkable
and asking even though I have not read every bit of documentation
:-})
Secondly, there are one or two scripts that have a
"guest" login. The way this works, in short, is that authentication is
pre-generated and coupled with other "challenge tokens", which are all passed as
part of the URI. This would obviously have to bypass the "normal"
login/authentication handlers. The solution which leaps to my head is
doable, if a bit crude: make a special aliased directory for
guest-login-related scripts (actually only the original authentication [eg,
first request] has to be via URI; I can switch to normal cookie based beyond
that). But I'd really like to hear what people who've been developing
mod_perl 'applications' for more than just a few weeks would say.
Thanks,
Issac
BTW: For the experts here, I must say that
I'm really impressed with the mod_perl mailing list in general. I find
that I'm learning almost as much from here as I do from the guide and manpages,
and I am most impressed at the general attitude towards newbies. I've been
a newbie, and a regular, on many technical mailing lists, but have almost never seen
that John Q. Newbie got decent attention on most of them. I just felt that
gratitude ought to be expressed where it is due.
Internet is a wonderful mechanism for making a fool of yourself in front of a very large audience. --Anonymous
Moving the mouse won't get you into trouble... Clicking it might. --Anonymous
PGP Key 0xE0FA561B - Fingerprint: 7E18 C018 D623 A57B 7F37 D902 8C84 7675 E0FA 561B
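The design described in the message (a handler that checks the session cookie and hands the result to scripts through %ENV) could look like the sketch below. It is an added example, not code from the original post or from Apache::Session. It assumes the mod_perl 1.x API and the access-control phase; the module name My::CookieAuth, the cookie name SESSION_ID, the session key username, the variable AUTH_USER and the connection settings are all hypothetical placeholders.

```perl
package My::CookieAuth;    # hypothetical module name
use strict;
use Apache::Constants qw(OK FORBIDDEN);
use Apache::Session::MySQL;

# Assumed httpd.conf wiring (mod_perl 1.x):
#   <Location /app>
#     PerlAccessHandler My::CookieAuth
#   </Location>
# The access phase runs without AuthType/require or an .htpasswd file.

my %STORE = (                        # placeholder connection settings
    DataSource     => 'dbi:mysql:sessions',
    UserName       => 'session_user',
    Password       => 'CHANGE_ME',
    LockDataSource => 'dbi:mysql:sessions',
    LockUserName   => 'session_user',
    LockPassword   => 'CHANGE_ME',
);

sub handler {
    my $r = shift;

    # Accept only a well-formed id (32 hex characters, the length
    # Apache::Session generates by default) before touching the database.
    my $cookies = $r->header_in('Cookie') || '';
    my ($id) = $cookies =~ /(?:^|;\s*)SESSION_ID=([0-9a-f]{32})\s*(?:;|$)/;
    return FORBIDDEN unless defined $id;

    # tie dies when the id is not in the store, so an unknown or
    # removed session is refused the same way as a missing cookie.
    my (%session, $user);
    eval {
        tie %session, 'Apache::Session::MySQL', $id, { %STORE };
        $user = $session{username};  # assumed key written by the login script
        untie %session;
    };
    return FORBIDDEN if $@ || !defined $user;

    # Scripts read $ENV{AUTH_USER}. It is set here on every request that
    # gets through, and a client cannot supply it: request headers only
    # reach %ENV under the HTTP_ prefix.
    $r->subprocess_env(AUTH_USER => $user);
    return OK;
}

1;
```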
- Re: The right way to do authentication with mod_perl Issac Goldstand