The aim of the cookie example in the eagle book is a bit more than just authentication. Most of the answers here that suggest using a session ID are quite right for most purposes, but the code in the eagle book offers to store information on the client side with the security of a signature. It's NOT just authentication.
This has some advantages for applications which are on more than one server, which would otherwise have to use an expensive central DB lookup, and/or which are not connected at all, since the only thing to share is the secret.

This is quite perfect for a decentralised intranet.
In my last project I did a LARGE single sign-on implementation over loads of applications which used those cookies for authentication and for getting the DN and preferred language out of the cookie, all without any need for further DB lookups or LDAP requests.
Since the logic is quite simple, it's also possible to parse/check the cookie in Tomcat or any other web application and leave the logon to a central server. The secret is then shared over an HTTPS connection.
By rotating the secret one gets a certain level of security (and automated logout).

More or less, the eagle book offers the full implementation of a single sign-on solution with some nice features already implemented; what is missing is secret rotation with more than one secret and some intelligent caching of it (e.g. just retrieve it anew on a failed signature check, which is in some other cookie module on CPAN?).
What it is not, in my opinion, is a simple authentication; it's too complicated for that. A simple session ID suffices, and with session IDs there are all those nice things to play with, such as putting them into the DNS, doing some URL rewriting with mod_rewrite, or just putting them in every URL automagically with some class.

> I did not know that you could verify that someone has cookies turned on.
> Can you point me to where I can find out how to do this? Is there a
> variable that you can check?

The ticketlogin example in the eagle book does this by setting a redirect_url cookie before redirecting you to the login page; if this cookie is missing there, the "sorry, you've no cookies, please enable them" page is shown.

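As an added example (not code from the eagle book or from the poster's project, and written in Python rather than the book's Perl), this is the signed-cookie scheme the post describes, plus the two pieces the post says the book lacks: more than one live secret, identified by a key id in the cookie so rotation does not log everyone out at once, and a cache that refetches the secret set once when a signature check fails. The cookie layout (`key_id.payload.signature`, HMAC-SHA256, an `exp` field) and the `fetch` callback that stands in for retrieving secrets from the central login server over HTTPS are assumptions of this example.

```python
import base64
import hashlib
import hmac
import json


def b64url(data):
    """URL-safe base64 without padding, so the value is safe inside a cookie."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_cookie(payload, key_id, secret, ttl, now):
    """Serialise the payload (e.g. DN and language) with an expiry and HMAC it.

    key_id records which secret signed the cookie, so several secrets can be
    live at once during rotation. The payload is signed, not encrypted: the
    browser can read it, it just cannot change it.
    """
    body = dict(payload, exp=now + ttl)
    data = b64url(json.dumps(body, separators=(",", ":"), sort_keys=True).encode())
    signed = f"{key_id}.{data}"
    sig = b64url(hmac.new(secret, signed.encode(), hashlib.sha256).digest())
    return f"{signed}.{sig}"


def verify_cookie(cookie, secrets, now):
    """Return the payload if the signature is valid and unexpired, else None."""
    parts = cookie.split(".")
    if len(parts) != 3:
        return None
    key_id, data, sig = parts
    secret = secrets.get(key_id)
    if secret is None:  # unknown or retired key id: reject
        return None
    expected = hmac.new(secret, f"{key_id}.{data}".encode(), hashlib.sha256).digest()
    # Constant-time compare on the encoded forms; nothing is decoded before the check.
    if not hmac.compare_digest(b64url(expected).encode(), sig.encode()):
        return None
    try:
        body = json.loads(unb64url(data))
    except (ValueError, TypeError):
        return None
    if not isinstance(body, dict) or body.get("exp", 0) < now:
        return None
    return body


class SecretCache:
    """Caches the secret set; on a failed check it refetches once and retries.

    `fetch` is an assumed callable returning {key_id: secret}; in the setup the
    post describes it would pull the current secrets from the central login
    server over HTTPS.
    """

    def __init__(self, fetch):
        self._fetch = fetch
        self._secrets = dict(fetch())
        self.refetches = 0

    def verify(self, cookie, now):
        body = verify_cookie(cookie, self._secrets, now)
        if body is None:
            self._secrets = dict(self._fetch())
            self.refetches += 1
            body = verify_cookie(cookie, self._secrets, now)
        return body


if __name__ == "__main__":
    live = {"k1": b"old-secret", "k2": b"new-secret"}
    c = make_cookie({"dn": "cn=alice,o=example", "lang": "de"}, "k2", live["k2"], 3600, now=1000)
    print(c)
    print(verify_cookie(c, live, now=2000))       # payload with exp=4600
    print(verify_cookie(c, {"k1": b"old-secret"}, now=2000))  # None: k2 retired
```

Retiring a key id from the set is the "automated logout" the post mentions: every cookie signed by it fails at once, with no server-side state to clear. Two caveats the post's "retrieve anew on a failed check" idea needs in practice: rate-limit the refetch, since otherwise any client can make the application hammer the central server by sending garbage cookies, and keep the time-to-live short, because with no session table a signed cookie cannot be revoked individually before it expires.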