I'm having a slight problem using AuthCookie in our app because our app (unfortunately) is a frames-based interface. To summarize the problem and efforts I've made to date, my goal is to be able to display a message on the login page telling them why they are seeing the login page. Options are: 'Login Incorrect', 'Previous Session Timed Out', 'Session Deactivated Due To Login From Another Location', etc...
My first attempt was to try to just set values in the subprocess_env, and since AuthCookie works by removing a user's cookie and then doing redirects to the login page if a user is not validly logged in, I could always just look at $r->prev->subprocess_env('login_error_msg') for the cause. However, since I am using frames, this doesn't work in all cases.

If, for example, a user is currently at a part of the site that has three frames, and then walks to his co-worker's office and uses that computer to log in, we have invalidated his old session back at his desk. If he goes back to his own desk and tries to navigate in the app, we want to redirect to a login page with the message 'Session Deactivated Due To Login From Another Location'. However, what happens is that he goes to click on something, JavaScript gets called that changes the contents of all three frames, so all three frames try to load new content. This means 3 new requests, and 3 passes through AuthCookie. Well, the first pass through works exactly like I would expect and $r->prev->subprocess_env('login_error_msg') has the proper error message. The problem is that the other two requests also go through AuthCookie, and since the first one already removed the cookie, the other two just see that the user doesn't have a cookie and also redirect to the login page. So what the user is seeing is really the third redirect to the login page, which no longer has any useful info in $r->prev->subprocess_env.

So my next thought was that we need some sort of global "login messages" object that could be shared across children and requests and could hold login failure messages. Since I'm already using Apache::Session, I thought following the cookbook's recipe on how to use A::S for global data would be good. So I set up a session with a known key ("_loginmsgs") but then realized there's no piece of info I can use to uniquely identify a particular user/browser so that I can store a message for him.
I can't use the session key since by the time it comes to look up if there are any messages I should be displaying on the login page, there's no longer a session key to reference (the cookie has been removed). I then thought I could just try the IP address but firewalls could make multiple users look to be coming from the same IP. I never really came up with something I thought would work and was clean.

So, finally, the question is has anyone solved this same problem, or does anyone have any ideas of what I should try?

Thanks,
Fran