Re: Deleting a cookie
El Mar 27 Nov 2001 10:21, Jon Robison escribió:
> I have created a login system using the wonderful Ticket system from the
> Eagle book. I have modified TicketAccess so that after authentication,
> it reviews the arguments in the query string and does push_handler, the
> handler being chosen based on the args.
>
> My only problem is that I want to provide the users with a logout button
> which will delete the cookie from thier browser, yet I cannot find how!.
> I have reviewed every module on my system with 'Cookie' in the name
> (Apache::Cookie, CGI::Cookie, etc.) and nowhere does it tell how to do
> this. There is a small mention of changing the expiration to < 0, but
> apparently I am doing it wrong (possible confusing point is the use of
> an 'expires' value in the cookie itself, seperate, I think, from the
> 'expires' attribute on the cookie?)
>
> I know it is a lot to ask, but I am relatively new to this part of
> mod_perl (pushing handlers, etc.), so if anyone can look at this and
> replace my BLOCKED comments with a couple of helpfull lines, I would
> greatly appreciate it!
>
> Thanks in advance -
>
> Jonathon Robison
>
>
> Below is my modified TicketAccess, as well as the Logout module I am
> re-directing to for logout action:
> =
> package FES::Apache::TicketAccess;
>
> use strict;
> use Apache::Constants qw(:common);
> use FES::Apache::TicketTool ();
>
> sub handler {
> my $r = shift;
> my %input = $r->args;
> # for checking input items
> my $ticketTool = FES::Apache::TicketTool->new($r);
> my($result, $msg) = $ticketTool->verify_ticket($r);
> unless ($result) {
> $r->log_reason($msg, $r->filename);
> my $cookie = $ticketTool->make_return_address($r);
> $r->err_headers_out->add('Set-Cookie' => $cookie);
> return FORBIDDEN;
> }
> ## Here is where we need to insert a push_handler insert. I won't need
> ## the requested uri from the $r, since the $r goes along for the ride
> in## push_handler
>
> my $action = defined $input{'act'} ? $input{'act'} : 'view';
>
> print STDERR "action is defined as $action\n"; ## DEBUGGING
>
> if ($action eq 'logout') {
> $r->push_handlers('PerlHandler' => 'FES::Control::Logout');
> return OK;
> } elsif ($action eq 'view') {
> $r->push_handlers('PerlHandler' => 'FES::Control::View');
> return OK;
> } else {
> $r->push_handlers('PerlHandler' => 'FES::Control::View');
> return OK;
> }
>## ARE THOSE THE CORRECT THINGS TO 'RETURN' FOR THESE CASES?
>
> }
>
> 1;
> ==
>
> And the Logout.pm:
>
> =
> package FES::Control::Logout;
>
> use strict;
> use Apache;
> use Apache::Constants qw(:common);
> use FES::Common::Common qw( header footer);
> use CGI qw/:standard/;
> use CGI::Cookie;
>
> sub handler {
> my $r = shift;
> my $q = new CGI;
> my $ticket = _get_ticket('r' => $r);
>
> ## HERE IS WHERE I NEED TO 1.) DELETE USER'S TICKET COOKIE AND
> ## 2.) REDIRECT THEM TO "/FES" (w/o bringing old
> $r),(WHERE THEY SHOULD GET
> ## A NEW LOGIN SCREEN BECAUSE COOKIE IS
> GONE.)
>
> }
>
> sub _get_ticket {
> my $args = {
> 'r' => undef,
> @_
> };
> my $r = $args->{'r'};
> my %cookies = CGI::Cookie->parse($r->header_in('Cookie'));
> # TESTING
> my %ticket = $cookies{'Ticket'}->value; # TESTING
> return \%ticket;
> }
>
> 1;
> =
Set it again with an expiration time of 'now', i actually use it with CGI.pm
You can send it with a custom invalid value, like 'invalidated', and take
apropriate actions.
Hans Poo
Re: Deleting a cookie
Jon Robison wrote: > I have created a login system using the wonderful Ticket system from the > Eagle book. I have modified TicketAccess so that after authentication, > it reviews the arguments in the query string and does push_handler, the > handler being chosen based on the args. > > My only problem is that I want to provide the users with a logout button > which will delete the cookie from thier browser, yet I cannot find how!. Jon, I had the same problem and could not succesfully delete the cookie from all browsers (IE, Netscape, Konqueror, Lynx, Opera etc.). I eventually solved it by keeping the existing (session) cookie which was assigned when the user first logged in, but marking the user as logged out on the server side. i.e. associate a user cookie with session data stored in a database, and instead of deleting the cookie on the client side, just set something on the server side session information that marks the user as having logged out. If the user then logs in again, just reuse the same cookie and mark the user as having logged in. This way you only have to assign an authentication cookie once per browser session. This may be tough to drop into TicketTool because IIRC it stores the authentication info in the cookie itself, rather than a server side session it associates with a cookie. Not very helpful, but it's another approach. I'd like to hear if you get it working across various browsers by expiring the cookie - for future ref. ~mark
Re: Deleting a cookie
Expiring the cookie works well for me. Here's what I have:
sub handler {
[ ... ]
if ($r->uri =~ /logout/) {
if (my $cookie = destroy_cookie($r)) {
return logout_screen($r);
} else {
return 500;
}
}
[ ... ]
}
sub destroy_cookie {
my $r = shift;
# you may or may not be using this
my $auth_domain = $r->dir_config('Auth_Domain');
my $cookie = Apache::Cookie->new(
$r,
expires => "-24h",
domain => $auth_domain,
name=> 'auth', # whatever you've called it
path=> '/',
value => ''
);
$cookie->bake;
return $cookie;
}
sub logout_screen {
[ ... ]
}
1;
~~~
Nick Tonkin
On Tue, 27 Nov 2001, Jon Robison wrote:
> I have created a login system using the wonderful Ticket system from the
> Eagle book. I have modified TicketAccess so that after authentication,
> it reviews the arguments in the query string and does push_handler, the
> handler being chosen based on the args.
>
> My only problem is that I want to provide the users with a logout button
> which will delete the cookie from thier browser, yet I cannot find how!.
> I have reviewed every module on my system with 'Cookie' in the name
> (Apache::Cookie, CGI::Cookie, etc.) and nowhere does it tell how to do
> this. There is a small mention of changing the expiration to < 0, but
> apparently I am doing it wrong (possible confusing point is the use of
> an 'expires' value in the cookie itself, seperate, I think, from the
> 'expires' attribute on the cookie?)
>
> I know it is a lot to ask, but I am relatively new to this part of
> mod_perl (pushing handlers, etc.), so if anyone can look at this and
> replace my BLOCKED comments with a couple of helpfull lines, I would
> greatly appreciate it!
>
> Thanks in advance -
>
> Jonathon Robison
>
>
> Below is my modified TicketAccess, as well as the Logout module I am
> re-directing to for logout action:
> =
> package FES::Apache::TicketAccess;
>
> use strict;
> use Apache::Constants qw(:common);
> use FES::Apache::TicketTool ();
>
> sub handler {
> my $r = shift;
> my %input = $r->args;
> # for checking input items
> my $ticketTool = FES::Apache::TicketTool->new($r);
> my($result, $msg) = $ticketTool->verify_ticket($r);
> unless ($result) {
> $r->log_reason($msg, $r->filename);
> my $cookie = $ticketTool->make_return_address($r);
> $r->err_headers_out->add('Set-Cookie' => $cookie);
> return FORBIDDEN;
> }
> ## Here is where we need to insert a push_handler insert. I won't need
> ## the requested uri from the $r, since the $r goes along for the ride
> in## push_handler
>
> my $action = defined $input{'act'} ? $input{'act'} : 'view';
>
> print STDERR "action is defined as $action\n"; ## DEBUGGING
>
> if ($action eq 'logout') {
> $r->push_handlers('PerlHandler' => 'FES::Control::Logout');
> return OK;
> } elsif ($action eq 'view') {
> $r->push_handlers('PerlHandler' => 'FES::Control::View');
> return OK;
> } else {
> $r->push_handlers('PerlHandler' => 'FES::Control::View');
> return OK;
> }
>## ARE THOSE THE CORRECT THINGS TO 'RETURN' FOR THESE CASES?
>
> }
>
> 1;
> ==
>
> And the Logout.pm:
>
> =
> package FES::Control::Logout;
>
> use strict;
> use Apache;
> use Apache::Constants qw(:common);
> use FES::Common::Common qw( header footer);
> use CGI qw/:standard/;
> use CGI::Cookie;
>
> sub handler {
> my $r = shift;
> my $q = new CGI;
> my $ticket = _get_ticket('r' => $r);
>
> ## HERE IS WHERE I NEED TO 1.) DELETE USER'S TICKET COOKIE AND
> ## 2.) REDIRECT THEM TO "/FES" (w/o bringing old
> $r),(WHERE THEY SHOULD GET
> ## A NEW LOGIN SCREEN BECAUSE COOKIE IS
> GONE.)
>
> }
>
> sub _get_ticket {
> my $args = {
> 'r' => undef,
> @_
> };
> my $r = $args->{'r'};
> my %cookies = CGI::Cookie->parse($r->header_in('Cookie'));
> # TESTING
> my %ticket = $cookies{'Ticket'}->value; # TESTING
> return \%ticket;
> }
>
> 1;
> =
>
Re: Deleting a cookie
Mohit Agarwal wrote: > > Never tried the negative value for expiration time, but setting it to > a very small value, say 1s, works. I'm not sure, but setting the > cookie value to null should also have the same effect. I believe setting the expiry date less than the current time should work. Mithun
Re: Deleting a cookie
On Tue, 27 Nov 2001, Jon Robison wrote: > My only problem is that I want to provide the users with a logout > button which will delete the cookie from thier browser, yet I cannot > find how!. I have reviewed every module on my system with 'Cookie' > in the name (Apache::Cookie, CGI::Cookie, etc.) and nowhere does it > tell how to do this. There is a small mention of changing the > expiration to < 0, but apparently I am doing it wrong (possible > confusing point is the use of an 'expires' value in the cookie > itself, seperate, I think, from the 'expires' attribute on the > cookie?) Never tried the negative value for expiration time, but setting it to a very small value, say 1s, works. I'm not sure, but setting the cookie value to null should also have the same effect.
