OP, see https://svn.apache.org/repos/infra/websites/cms/webgui/lib/ASF/CMS/Cookie.pm for typical APR::Request::Cookie usage with FreezeThaw as serializer. Unless you want to use arrays this is one of the ways to deal with hashrefs as cookie values.
In your calling code you'd do something like this my $apreq = APR::Request::Apache2->handle($r); my $jar = $apreq->jar; $jar->cookie_class($cookie_package); my $cookie = $jar->get('ls_authentication'); my $hashref = $cookie->thaw if $cookie; ... ----- Original Message ---- > From: André Warnier <a...@ice-sa.com> > To: mod_perl list <modperl@perl.apache.org> > Sent: Sun, January 23, 2011 3:09:01 PM > Subject: Re: Authentication and cookies > > Hi. > > This is a suggestion to solve what I understand of your problem, but > slightly >differently. > (And I admit that it is because I do not know if you can do that with a >cookie-jar, I have never tried; but what is below, I did try and it works). > > The idea is as follows. > A cookie is useful in the sense that it is an "information store" which you >can offload to the browser by means of a "Set-Cookie" header /at the moment >when you send a response to the browser/, and of which you can be (almost) >sure >that when the browser sends its next request to your server, it will re-send >this same cookie along with the new request (in a "Cookie" header. > So it saves you from creating a local store on the server, and anyway have > to >manage some way for the browser to receive and send back some "session-id" >that >allows your server to retrieve the corresponding local store entry. > > But a cookie is less useful at the server level, as a means to save >information between Apache (and mod_perl) request processing phases. > For that, you have a better choice : the "pnotes". > http://perl.apache.org/docs/2.0/api/Apache2/RequestUtil.html#C_pnotes_ > > In your first handler (e.g. PerlAccessHandler), you get and decode the > cookie >sent by the browser; you store the user-id, and whatever else you have from >the >cookie, in a perl hash for example, and then store this perl hash as an entry >in >the $r->pnotes. > $r->pnotes("key" => $hashref); > In later phases of the same request, another handler can retrieve this same >hash from the $hashref = $r->pnotes("key"). > E.g. in the PerlAuthenHandler, instead of decoding the cookie again, you >retrieve the hash, and check the values stored in the hash. > Same thing in a PerlAuthzHandler. > > Then right before you create the response to the user (e.g. a >PerlFixupHandler), you retrieve this hash again, and you create the cookie to >send along with the response, in the HTTP response headers. > > At the end of the request, the pnotes disappear automatically. > > Actually, it is a bit more complicated than that, because Web AAA is quite >spaghetti-like in terms of logic. But that, I suppose, you have already >found >out. > > > > Dan Axtell wrote: > > I'm trying to upgrade mod_perl authentication/authorization handlers for >application menu to be more fine-grained by using cookies. The basic idea is > > - restrict a script alias in httpd.conf with basic authentication calling >the custon handlers > > - validate the user ID/password in the authentication handler, and look up >role and client access info; stash in cookie. If a valid cookie is already >there, authenticat > > - in authorization, check for cookie, reset if it's not there, and > > authorize >based on role and client information > > - in menu app, check for cookie, and configure output depending on user's >role. > > > > What happens is that even though the browser shows a cookie with the > > correct >info, the menu ends up with a "no cookie found" error, and the logs show >neither the authorization handler nor app are seeing the cookie. Hitting >refresh on the menu shows both handlers seeing the cookie and the menu comes >up >correctly. > > > > I've tried using both CGI::Cookie and Apache2::Cookie; I get the same >problem either way. Currently the authentication handler sets the cookie as >follows: > > > > my $cookie = Apache2::Cookie->new($r, -name => 'ls_authentication', > > > value => { user_id => $user, digest => crypt($password, $salt), >role_id => $ur{role_id}, clients => $client_list }); > > if ($cookie) { > > $cookie->bake($r); > > } else { > > warn "Unable to make cookie"; > > } > > I get no warning, and the cookie looks fine in the browser's debug tool, >but the next handler and app just don't see it. This is how I try and read >it >in the authorization handler: > > > > my $jar = Apache2::Cookie::Jar->new($r); > > my $cookie = $jar->cookies('ls_authentication'); > > if ($cookie) { > > $have_cookie = 1; > > my %fields = $cookie->value; > > if ($fields{'user_id'}) { > > $user = $fields{'user_id'}; > > } > > if ( $fields{'role_id'} ) { > > $user_role = $fields{'role_id'}; > > } > > if ( $fields{'clients'} ) { > > @user_clients = split(/,/, $fields{'clients'}); # turn >client list back into array > > } > > warn "AUTHORIZATION: found cookie, user ID = $user, user role > > = >$user_role" if $DEBUG; > > } else { > > warn "AUTHORIZATION: NO COOKIE FOUND" if $DEBUG; > > } > > > > > > I'm running Perl 5.12.1, Apache 2.2.17 and libapreq2 2.13 built from >source. Is using 'bake' insufficient to make the cookie visible by the next >handler? I've tried using both > > $r->err_headers_out->set('Set-Cookie', $cookie); > > and > > $r->err_headers_out->addt('Set-Cookie', $cookie); > > but I get the same problem. > > Does anyone know of any up to date demos of using cookies in mod_perl2 >authentication handlers? > > >