Jeff wrote: > Forgive a mod_perl newbie for non mod_perl thinking, but this > is (a simplified overview) of how I would approach this: > > request for any protected page > - if no existing session data [so not authenticated] > create new session > remember target page in session > redirect to login page > otherwise > allow access to page
Yes, this is exactly how AuthCookie works. > login page POST with user id / password. > - if ( valid user / password ) > add user info to session AuthCookie sessions don't also carry user info, but that's why I create an Apache::Session to do it. > expire previous session [id was saved in db] Right-o. How to expire an otherwise valid AuthCookie session is the question. >[snip] > If someone now tries to come back with an old session id, > there is no data in the session, so they will be considered > un-authenticated, and will get redirected to login page. If someone comes in with an old active session (assuming it's not expired) AuthCookie examines the MD5 hash and says "everything matches up, you may proceed". I need to add a step here to say "if newer session for user exists, kill this one". But you've just given me a great idea! When the old session comes in, there will still be data in the session (because the new session is using it - sessions are keyed by user id, not session id). So I can't rely on an empty session data to be the clue. BUT - I can store the session key that generated this session data in with the session data, and try to match those up. I like it. This will work, I think. Thank you. =) Why do I use the user id instead of the session id for the session key? Because it makes the code easier for other developers ("a user will always have a session with the key $r->connection->user") and that gets passed around automatically rather than me having to expose the developers to the AuthCookieDBI cookie directly. I just find it easier to rely on $r->connection->user to always be the session key. > [snip] > I can see two issues with this approach: > 1) login ping-pong. Two users using the same id/password will > be logging each other out as they log in (but this seems > to be what you want?) Yes, or at least a page saying "you're logged in elsewhere, do you want to ax that one and continue, or abort this login". Even a forced logout of the older one without the user knowing is fine. > 2) it does not prevent the user from having the same pages > open multiple times within the same browser instance > (eg when the user presses Ctrl-N after having logged in) This is ok, because we're more concerned with an unmanned, logged-in station. If they want 5 browser windows, they can go nuts. Thanks for the dialog, Jeff! I think that clue you gave me above is what I need. The confusion is again because AuthCookie and Apache::Session both call themselves sessions. AuthCookie does the authentication, Apache::Session holds the user data. So I need to write the piece that coordinates the cleanup of old sessions between the two. -Fran