[users@httpd] htaccess using AuthCookieDBI not protecting the directory index

Mon, 14 Sep 2009 02:08:10 -0700 

Hi, I posted the follow to the mod_perl list:
I'm trying to protect a directory using Apache2::AuthCookieDBI with the following .htaccess (I have to use htaccess) 

--------------------
PerlModule Apache2::AuthCookieDBI
PerlSetVar berlinPath /berlin/
PerlSetVar berlinLoginScript /login.pl

PerlSetVar berlinSessionTimeout +2h

PerlSetVar berlinDBI_DSN "DBI:mysql:database=berlin"
PerlSetVar berlinDBI_SecretKey "secret"

# DBI access stuff...
PerlSetVar berlinDBI_User "user"
... etc ...

# Protected by AuthCookieDBI.
 AuthType Apache2::AuthCookieDBI
 AuthName berlin
 PerlAuthenHandler Apache2::AuthCookieDBI->authenticate
 PerlAuthzHandler Apache2::AuthCookieDBI->authorize
 require valid-user

# Login location.
<Files LOGIN>
 AuthType Apache2::AuthCookieDBI
 AuthName berlin
 SetHandler perl-script
 PerlHandler Apache2::AuthCookieDBI->login
</Files>
--------------------


When I go to my protected URL www.myserver.com/berlin/ I am presented 
with the login form which I've added some status variables to, the 
status is that there is no cookie present, which is to be expected since 
nothing has been set yet.  Once I send authentication variables I am 
still not logged in and I'm given a new URL 
www.myserver.com/berlin/LOGIN which is still expected behaviour, but the 
 status variable is still "no cookie" which means no cookie is being 
set.  This makes me suspect that I am just dumb and doing something 
super-basic wrong, but I can't figure it out.



Vegard Vesterheim on the mod_perl list suggested the cause was "related 
to Apache issuing subrequests for directory requests. Check out this 
thread: http://marc.info/?t=119996312400002&r=1&w=2 "



If this is true then I have trouble believing that this issue hasn't 
been addressed at the module level (AuthCookieDBI) since protecting 
various directories seems pretty standard.



Anyway, my solution for now is to just protect the *.pl files <Files ~ 
"\.(pl)$"> and redirect the index to index.pl which is not elegant but 
works.  Is there a better way?


Thank-you!

Tosh


--
McIntosh Cooey - Twelve Hundred Group LLC - http://www.1200group.com/

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
  "   from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org























					Reply via email to