Re: Authentication and cookies

Sun, 23 Jan 2011 12:09:35 -0800 

Hi.

This is a suggestion to solve what I understand of your problem, but slightly 
differently.
(And I admit that it is because I do not know if you can do that with a cookie-jar, I have never tried; but what is below, I did try and it works). 

The idea is as follows.

A cookie is useful in the sense that it is an "information store" which you can offload to 
the browser by means of a "Set-Cookie" header /at the moment when you send a response to 
the browser/, and of which you can be (almost) sure that when the browser sends its next 
request to your server, it will re-send this same cookie along with the new request (in a 
"Cookie" header.
So it saves you from creating a local store on the server, and anyway have to manage some 
way for the browser to receive and send back some "session-id" that allows your server to 
retrieve the corresponding local store entry.



But a cookie is less useful at the server level, as a means to save information between 
Apache (and mod_perl) request processing phases.

For that, you have a better choice : the "pnotes".
http://perl.apache.org/docs/2.0/api/Apache2/RequestUtil.html#C_pnotes_


In your first handler (e.g. PerlAccessHandler), you get and decode the cookie sent by the 
browser; you store the user-id, and whatever else you have from the cookie, in a perl hash 
for example, and then store this perl hash as an entry in the $r->pnotes.

$r->pnotes("key" => $hashref);

In later phases of the same request, another handler can retrieve this same hash from the 
$hashref = $r->pnotes("key").
E.g. in the PerlAuthenHandler, instead of decoding the cookie again, you retrieve the 
hash, and check the values stored in the hash.

Same thing in a PerlAuthzHandler.


Then right before you create the response to the user (e.g. a PerlFixupHandler), you 
retrieve this hash again, and you create the cookie to send along with the response, in 
the HTTP response headers.


At the end of the request, the pnotes disappear automatically.


Actually, it is a bit more complicated than that, because Web AAA is quite spaghetti-like 
in terms of logic.  But that, I suppose, you have already found out.




Dan Axtell wrote:

I'm trying to upgrade mod_perl authentication/authorization handlers for 
application menu to be more fine-grained by using cookies.  The basic idea is
- restrict a script alias in httpd.conf with basic authentication calling the 
custon handlers
- validate the user ID/password in the authentication handler, and look up 
role and client access info; stash in cookie.  If a valid cookie is already 
there, authenticat
- in authorization, check for cookie, reset if it's not there, and authorize 
based on role and client information
- in menu app, check for cookie, and configure output depending on user's 
role.



What happens is that even though the browser shows a cookie with the correct 
info, the menu ends up with a "no cookie found" error, and the logs show 
neither the authorization handler nor app are seeing the cookie.  Hitting 
refresh on the menu shows both handlers seeing the cookie and the menu comes 
up correctly.



I've tried using both CGI::Cookie and Apache2::Cookie; I get the same problem 
either way.  Currently the authentication handler sets the cookie as follows:



 my $cookie = Apache2::Cookie->new($r, -name => 'ls_authentication', 
                 value => { user_id => $user, digest => crypt($password, 
$salt), role_id => $ur{role_id}, clients => $client_list });

 if ($cookie) {
       $cookie->bake($r);
 } else {
        warn "Unable to make cookie";
 }

 
I get no warning, and the cookie looks fine in the browser's debug tool, but 
the next handler and app just don't see it.  This is how I try and read it in 
the authorization handler:


        my $jar = Apache2::Cookie::Jar->new($r);
        my $cookie = $jar->cookies('ls_authentication');
        if ($cookie) {
            $have_cookie = 1;
            my %fields = $cookie->value;
            if ($fields{'user_id'}) {
                $user = $fields{'user_id'};
            }
            if ( $fields{'role_id'} ) {
                $user_role = $fields{'role_id'};
            }
            if ( $fields{'clients'} ) {

                @user_clients = split(/,/, $fields{'clients'}); # turn client 
list back into array

            }

            warn "AUTHORIZATION: found cookie, user ID = $user, user role = 
$user_role" if $DEBUG;

        } else {
            warn "AUTHORIZATION: NO COOKIE FOUND" if $DEBUG;
        }



I'm running Perl 5.12.1, Apache 2.2.17 and libapreq2 2.13 built from source.  
Is using 'bake' insufficient to make the cookie visible by the next handler?  
I've tried using both

 $r->err_headers_out->set('Set-Cookie', $cookie);
and
 $r->err_headers_out->addt('Set-Cookie', $cookie);

but I get the same problem.  

Does anyone know of any up to date demos of using cookies in mod_perl2 
authentication handlers?  

























					Reply via email to