odd authetication situation
I have a modperl handler that sets a cookie and does a redirect if the
cookie was not present. The redirected page eventually loads the same page
again. In addition, this page is called from a protected portion of the
site that requires Basic Auth.
When the redirect calls the mod_perl routine the second or some
subsequent times, $r-connection-user and $ENV{REMOTE_USER} are both
empty or non-existent yet the page does not appear to fail the
authentication request and executes and returns html.
The failure is repeatable though not consistently so, maybe 70% or more.
I'm scratching my head on this one. Any ideas??
Michael
Re: odd authetication situation
Maybe you can try to add specifically:
$r-connection-user('who_the_user_is') before the cookie access control
returns OK in the module. Note that some of the cookie authentication
modules are based on access-only control so $r-connection-user() can
return a value in late phases only if one assigns it at the first place.
Peter Bi
- Original Message -
From: Michael Robinton [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, August 28, 2002 1:05 PM
Subject: odd authetication situation
I have a modperl handler that sets a cookie and does a redirect if the
cookie was not present. The redirected page eventually loads the same page
again. In addition, this page is called from a protected portion of the
site that requires Basic Auth.
When the redirect calls the mod_perl routine the second or some
subsequent times, $r-connection-user and $ENV{REMOTE_USER} are both
empty or non-existent yet the page does not appear to fail the
authentication request and executes and returns html.
The failure is repeatable though not consistently so, maybe 70% or more.
I'm scratching my head on this one. Any ideas??
Michael
Re: odd authetication situation
Maybe you can try to add specifically:
$r-connection-user('who_the_user_is') before the cookie access
control returns OK in the module. Note that some of the cookie
authentication modules are based on access-only control so
$r-connection-user() can return a value in late phases only if one
assigns it at the first place.
Peter Bi
hmm... let me see if I understand what you are saying
It is necessary to specify $r-connection-user('current-known-user');
before I send OK so that on the next contact by the browser to the web
server $r-connection-user will have the correct value???
Is this because of keep-alives and using the same child process??
I would think that the client would send the token for each connection.
then what about the Cookie?? It appears that gets lost sometimes,
but not as often as the authentication token. This fuzzy behavior makes
redirects where cookies and tokens are expected very dicey...
Michael
- Original Message -
From: Michael Robinton [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, August 28, 2002 1:05 PM
Subject: odd authetication situation
I have a modperl handler that sets a cookie and does a redirect if the
cookie was not present. The redirected page eventually loads the same
page
again. In addition, this page is called from a protected portion of
the
site that requires Basic Auth.
When the redirect calls the mod_perl routine the second or some
subsequent times, $r-connection-user and $ENV{REMOTE_USER} are both
empty or non-existent yet the page does not appear to fail the
authentication request and executes and returns html.
The failure is repeatable though not consistently so, maybe 70% or
more.
I'm scratching my head on this one. Any ideas??
Michael
Re: odd authetication situation
Peter wrote:
Maybe you can try to add specifically:
$r-connection-user('who_the_user_is') before the cookie access control
returns OK in the module. Note that some of the cookie authentication
modules are based on access-only control so $r-connection-user() can
return a value in late phases only if one assigns it at the first place.
Point of clarification...
The authentication I'm writing about is BASIC AUTHENTICATION. apache takes
care of all of that. It appears as though the client is not sending it,
but I don't know why ... and if not, how it manages to pass the
authentication portion of the apache request loop.
the example I'm using does the following:
.htaccess
AuthType Basic
AuthName MagicName
AuthUserFile
/home/web/public_html/cgi/private/user.access
require valid-user
scriptA.plx -redirect to scriptB.plx
scriptB.plx -redirect to scriptA.plx CONDITIONALLY
if the CONDITION is met, the redirect is not done
i.e. cookie present + user present
what happens.. scriptA always has ENV{REMOTE_USER} and
$r-connection-user valid
scriptB rarely has them both valid
either script can set the same cookie if it is not present.
The cookie is always present for scriptA and usually but not always
present for scriptB
WHY???
Michael
Re: odd authetication situation
The client only sends basic auth credentials when requested. So if you have an authorization handler that might validate a cookie and return OK before basic auth credentials are requested of the client, then you will need to set $r-user from that handler for it to be accessible later on down the chain. Regards, Tim Tompkins -- Programmer http://www.arttoday.com/ http://www.rebelartist.com/ --
