odd authentication situation

2002-08-28 Thread Michael Robinton


I have a modperl handler that sets a cookie and does a redirect if the
cookie was not present. The redirected page eventually loads the same page
again. In addition, this page is called from a protected portion of the
site that requires Basic Auth.

When the redirect calls the mod_perl routine the second or some
subsequent times, $r->connection->user and $ENV{REMOTE_USER} are both
empty or non-existent yet the page does not appear to fail the
authentication request and executes and returns html.

The failure is repeatable though not consistently so, maybe 70% or more.

I'm scratching my head on this one. Any ideas??

Michael




Re: odd authentication situation

2002-08-28 Thread Peter Bi

Maybe you can try to add specifically:
$r->connection->user('who_the_user_is') before the cookie access control
returns OK in the module. Note that some of the cookie authentication
modules are based on access-only control so $r->connection->user() can
return a value in late phases only if one assigns it in the first place.


Peter Bi







Re: odd authentication situation

2002-08-28 Thread Michael Robinton

> Maybe you can try to add specifically:
> $r->connection->user('who_the_user_is') before the cookie access
> control returns OK in the module. Note that some of the cookie
> authentication modules are based on access-only control so
> $r->connection->user() can return a value in late phases only if one
> assigns it in the first place.
>
> Peter Bi


hmm... let me see if I understand what you are saying

It is necessary to specify $r->connection->user('current-known-user');
before I send OK so that on the next contact by the browser to the web
server $r->connection->user will have the correct value???

Is this because of keep-alives and using the same child process??
I would think that the client would send the token for each connection.
 then what about the Cookie??  It appears that gets lost sometimes,
but not as often as the authentication token. This fuzzy behavior makes
redirects where cookies and tokens are expected very dicey...

Michael






Re: odd authentication situation

2002-08-28 Thread Michael Robinton

Peter wrote:

> Maybe you can try to add specifically:
> $r->connection->user('who_the_user_is') before the cookie access control
> returns OK in the module. Note that some of the cookie authentication
> modules are based on access-only control so $r->connection->user() can
> return a value in late phases only if one assigns it in the first place.

Point of clarification...
The authentication I'm writing about is BASIC AUTHENTICATION. Apache takes
care of all of that. It appears as though the client is not sending it,
but I don't know why ... and if not, how it manages to pass the
authentication portion of the Apache request loop.

The example I'm using does the following:

.htaccess
AuthType Basic
AuthName MagicName
AuthUserFile /home/web/public_html/cgi/private/user.access
require valid-user


scriptA.plx -> redirect to scriptB.plx
scriptB.plx -> redirect to scriptA.plx CONDITIONALLY

if the CONDITION is met, the redirect is not done
i.e. cookie present + user present

what happens.. scriptA always has $ENV{REMOTE_USER} and
$r->connection->user valid

scriptB rarely has them both valid

either script can set the same cookie if it is not present.
The cookie is always present for scriptA and usually but not always
present for scriptB

WHY???

Michael




Re: odd authentication situation

2002-08-28 Thread Tim Tompkins

The client only sends basic auth credentials when requested.  So if you have
an authorization handler that might validate a cookie and return OK before
basic auth credentials are requested of the client, then you will need to
set $r->user from that handler for it to be accessible later on down the
chain.


Regards,

Tim Tompkins
--
Programmer
http://www.arttoday.com/
http://www.rebelartist.com/
--
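
The point made in Peter Bi's and Tim Tompkins' replies, as an added example that is not part of the original thread: a mod_perl 1.x authentication handler that accepts a signed cookie must record the user itself before returning OK. The module name, the cookie name and format, and the PerlSetVar name are hypothetical, and the handler is assumed to run ahead of the Basic auth module.

```perl
package My::CookieAuthen;    # hypothetical module name
use strict;
use warnings;
use Apache::Constants qw(OK DECLINED);
use Digest::SHA qw(hmac_sha256_hex);

# Assumed httpd.conf / .htaccess wiring (mod_perl 1.x):
#   AuthType Basic
#   AuthName MagicName
#   require valid-user
#   PerlSetVar CookieAuthSecret <placeholder-secret>
#   PerlAuthenHandler My::CookieAuthen

# Constructed cookie format: session=<user>:<expiry epoch>:<hex HMAC-SHA256>
# Returns the user name if the cookie is authentic and unexpired, else undef.
sub verify_cookie {
    my ($header, $secret, $now) = @_;
    return undef unless defined $header && defined $secret && length $secret;
    my ($value) = $header =~ /(?:^|;\s*)session=([^;\s]+)/;
    return undef unless defined $value;
    my ($user, $expiry, $mac) =
        $value =~ /^([A-Za-z0-9_.-]+):(\d+):([0-9a-f]{64})$/;
    return undef unless defined $mac && $expiry >= $now;
    my $want = hmac_sha256_hex("$user:$expiry", $secret);
    my $diff = 0;    # compare every character, no early exit
    $diff |= ord(substr($mac, $_, 1)) ^ ord(substr($want, $_, 1)) for 0 .. 63;
    return $diff == 0 ? $user : undef;
}

sub handler {
    my $r = shift;
    my $user = verify_cookie(scalar $r->header_in('Cookie'),
                             scalar $r->dir_config('CookieAuthSecret'), time);

    # No valid cookie: decline so the Basic auth module challenges the client.
    return DECLINED unless defined $user;

    # Returning OK ends the authentication phase for this request, so the
    # Basic auth module never runs and never fills in the user. Record it
    # here, otherwise REMOTE_USER is empty in later phases.
    $r->connection->user($user);
    return OK;
}

1;
```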