Re: AuthCookie access denied messages
Agreed, however I'd like to at least say "The username and/or password you entered was not recognized".

> From: Ged Haywood <[EMAIL PROTECTED]>
> Date: Tue, 21 Aug 2001 00:36:33 +0100 (BST)
> To: David Young <[EMAIL PROTECTED]>
> Cc: [EMAIL PROTECTED]
> Subject: Re: AuthCookie access denied messages
>
> It's generally considered a security hole to report things like
> "invalid user id" to a user who fails to get a login, because when he
> finally gets "invalid password" he knows he's got a valid user id...
>
> 73,
> Ged.
Re: AuthCookie access denied messages
Hi there,

On Mon, 20 Aug 2001, David Young wrote:

> Before I tackle this myself, has anyone added functionality to AuthCookie so
> that it will report *why* a user is being asked to login? Currently, if a
> user enters in a wrong username or password, they just get redirected back
> to the login form with no explanation.

It's generally considered a security hole to report things like "invalid user id" to a user who fails to get a login, because when he finally gets "invalid password" he knows he's got a valid user id...

73,
Ged.
Re: AuthCookie access denied messages
> you can set these in yourself by overwriting
> the AuthCookie Response method
>
> you should catch these in your
> own subs and send back messages
>
> for instance
> in my Auth.pm authen_ses_key sub

[ snip ]

In addition to that, what I found confusing was actually getting authen_ses_key to be called in the first place, after a failed login attempt. The stock authen_cred returns data that will be loaded into a cookie only if authentication is successful. To get authen_ses_key to be called after an unsuccessful attempt, your authen_cred needs to do this:

    sub authen_cred {
        my ($self, $r, @credentials) = @_;
        if ( check_creds(@credentials) ) {
            # make a ticket, start a session, etc
            return $valid_ticket_data;
        } else {
            return "oops";  # make sure we never accept this as a valid cookie!
        }
    }

Now authen_ses_key gets called and AuthCookie will set AuthCookieReason to bad_cookie if you return undef. Also, you now have a chance to set other environment variables.

...Steve

--
Steve van der Burg
Information Services
London Health Sciences Centre
(519) 685-8300 ext 35559
[EMAIL PROTECTED]
Re: AuthCookie access denied messages
David Young wrote:
>
> Before I tackle this myself, has anyone added functionality to AuthCookie so
> that it will report *why* a user is being asked to login? Currently, if a
> user enters in a wrong username or password, they just get redirected back
> to the login form with no explanation.
>
> Thanks,
> --David

You can set these in yourself by overwriting the AuthCookie Response method. You should catch these in your own subs and send back messages. For instance, in my Auth.pm authen_ses_key sub:

    if ($checks ne 1 || $id eq '') {
        $r->subprocess_env('AuthCookieReason2', 'does not check or you have no id');
        return '';
    } else {
        return $creds[0];
    }

Then in login.cgi:

    my $error = $r->prev->subprocess_env('AuthCookieReason2')
             || $r->prev->subprocess_env('AuthCookieReason');

I then just put this error in as a template param which handles my error, or else gives the default 'no cookie' one.

Hope that helps. Also you might wanna try setting

    PerlSetVar AuthCookieDebug 3

for longer messages in logs till you get the hang of it.
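Pulling the advice in the posts above together, here is an added example, written for this page and not code from the thread or from Apache::AuthCookie itself. It shows a subclass whose authen_cred hands back a deliberately unusable cookie on failure (Steve's trick), whose authen_ses_key sets a custom AuthCookieReason2 variable (as in the Auth.pm snippet above), and a helper for the login form that reads it via $r->prev, all using the single generic wording David proposed so that the form never confirms which half of the credentials was right. The package name My::AuthCookieHandler, the %USERS and %TICKETS tables, the /dev/urandom ticket source, the log_error call and the credential_0/credential_1 field order are assumptions made for the example.

```perl
package My::AuthCookieHandler;   # hypothetical name, not from the thread

use strict;
use warnings;
use Apache::AuthCookie;          # real base class (mod_perl 1 era)
our @ISA = qw(Apache::AuthCookie);

# One wording for every failure: the form never confirms a valid username.
my $GENERIC_REASON = 'The username and/or password you entered was not recognized';

# Constructed sample credential store. A real deployment would look users up
# in a database or directory and compare password hashes, never plaintext.
my %USERS = ( alice => 's3cret' );

# Server-side session table: opaque ticket => username. Kept in memory here
# for illustration; under a forking httpd it would live in a shared store.
my %TICKETS;

# 128-bit ticket from the kernel RNG, so a cookie cannot be guessed or forged.
sub new_ticket {
    open my $fh, '<', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    my $got = read $fh, my $bytes, 16;
    close $fh;
    die "short read from /dev/urandom" unless defined $got && $got == 16;
    return unpack 'H*', $bytes;
}

sub check_creds {
    my ($user, $pass) = @_;
    return 0 unless defined $user && defined $pass;
    return 0 unless exists $USERS{$user};
    return $USERS{$user} eq $pass ? 1 : 0;
}

# AuthCookie's login handler calls this with the posted credential_0,
# credential_1, ... fields (assumed order: username, password). The return
# value becomes the cookie. On failure we return a value that authen_ses_key
# will always reject, so that it runs and can record a reason for the form.
sub authen_cred {
    my ($self, $r, @creds) = @_;
    my ($user, $pass) = @creds;
    if (check_creds($user, $pass)) {
        my $ticket = new_ticket();
        $TICKETS{$ticket} = $user;
        return $ticket;
    }
    return 'invalid';   # never a key in %TICKETS
}

# Called on every request that carries the cookie. Returning undef makes
# AuthCookie set AuthCookieReason to bad_cookie and send the user to the
# login form; AuthCookieReason2 carries our own, deliberately vague, text.
sub authen_ses_key {
    my ($self, $r, $key) = @_;
    my $user = defined $key ? $TICKETS{$key} : undef;
    unless (defined $user) {
        $r->subprocess_env('AuthCookieReason2', $GENERIC_REASON);
        # Detail belongs in the server log, not on the user's screen.
        $r->log_error('authen_ses_key: rejected cookie from '
            . $r->connection->remote_ip);
        return undef;
    }
    return $user;
}

# For the login form handler. The form is reached by an internal redirect,
# so the variables set above are found on the previous request ($r->prev).
sub login_reason {
    my ($r) = @_;
    my $prev = $r->prev or return '';
    return $prev->subprocess_env('AuthCookieReason2')
        || $prev->subprocess_env('AuthCookieReason')
        || '';
}

1;
```

The subclass is wired into httpd.conf the same way as any Apache::AuthCookie subclass; the login form template then shows login_reason($r) and, because both the unknown-user and wrong-password paths set the same string, an attempting party learns nothing about which usernames exist, while the server log still records the rejection for the operator.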
Re: AuthCookie access denied messages
David Young wrote on Mon, Aug 20 2001 (12:36:19 -0400):

> Before I tackle this myself, has anyone added functionality to AuthCookie so
> that it will report *why* a user is being asked to login? Currently, if a

perldoc Apache::AuthCookie /AuthCookieReason

cu,
--
Toni Andjelkovic <[EMAIL PROTECTED]>
AuthCookie access denied messages
Before I tackle this myself, has anyone added functionality to AuthCookie so that it will report *why* a user is being asked to login? Currently, if a user enters in a wrong username or password, they just get redirected back to the login form with no explanation.

Thanks,
--David