RE: [cgiapp] cgi::app, cgi::session & https

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [cgiapp] cgi::app, cgi::session & https

Subject: RE: [cgiapp] cgi::app, cgi::session & https
Date: Wed, 19 Nov 2003 19:38:34 -0600
From: "Bill McCormick" <suppressed>

Cees,


> It might be worth your while to have a look at
> CGI::Session::Auth.  This is a
> fairly young module that is still in early development, but I
> started using it
> this week with CGI::Session and it looks very good to me.  It will greatly
> simplify the code you provided in your previous message.   I will
> give you a
> quick bit of code that I am working on to get you going.
>
>
> In my base module I have the following to handle authentication
> and session
> management:
>
> use CGI::Session ();
> use CGI::Session::Auth ();
>
> # Get the current session object
> #  (object will be created once per request)
> sub session {
>   my $self = shift;
>
>   if (!$self->{_session}) {
>     # create CGI::Session object for session handling
>     $self->{_session} = CGI::Session->new('driver:PostgreSQL',
> $self->query,
>                                           { Handle => $self->db });
>   }
>   return $self->{_session};
> }
>
> # Get the current auth object
> #  (object will be created once per request)
> sub auth {
>   my $self = shift;
>
>   if (!$self->{_auth}) {
>     # create CGI::Session::Auth object for authentication
>     $self->{_auth} = new CGI::Session::Auth({ CGI     => $self->query,
>                                               Session => $self->session
>     });
>   }
>   return $self->{_auth};
> }
>
> sub cgiapp_prerun {
>   my $self  = shift;
>   my $query = $self->query();
>
>   # Check to see if the user is trying to login
>   $self->auth->authenticate();
>
>   # send out the session cookie and test to make
>   # sure the user actually accepts cookies
>   my $session = $self->session;
>   my $session_cookie_name = $session->name;
>   if ($query->param('cookie_test') &&
> !$query->cookie($session_cookie_name)) {
>     # We tried to send a cookie, but it was rejected by the user.
>     $self->prerun_mode('no_cookies');
>   } elsif (!$query->cookie($session_cookie_name)) {
>     # There is no session cookie yet
>     # So send out a cookie header and reload
>     # the current page.  To make sure they accept cookies
>     # send along a 'cookie_test' url parameter so that we know
>     # that the cookie was sent and not accepted if it doesn't
>     # appear on the next incoming request
>     $self->header_add(-cookie => $self->auth->sessionCookie);
>     $query->param(-name => 'cookie_test', -value => '1');
>     my $url = $query->self_url;
>     $self->redirect($url);
>     $self->prerun_mode('redirect'); # dummy runmode for redirection
>   } elsif ($query->cookie($session_cookie_name) ne $session->id) {
>     # There is a session cookie, but it is invalid so send a new one
>     $self->add_template_params(session_timed_out => 1);
>     $self->header_add(-cookie => $self->auth->sessionCookie);
>   }
> }
>
>
> # Here is a sample protected runmode
> sub show_data {
>   my $self = shift;
>
>   # check if visitor has already logged in
>   if (not $self->auth->loggedIn) {
>     return $self->redirect('/login.cgi');
>     # Or return $self->login_page(); if you have a global runmode
> for your login
>   }
>
> ...
>
> }
>
>
> Now all you have to do is provide a login runmode that has a form with a
> username and password field.  All the hard and messy stuff is handled by
> CGI::Session and CGI::Session::Auth.  All you need to do is some cookie
> management (or URL management if you want to deal with users that
> don't accept
> cookies), and you need to check in your runmode whether the user was
> successfully logged in.
>
> This is not complete code, but it should get you a long way
> there...  Also, I
> should reiterate that CGI::Session::Auth is still in the alpha
> stage, but so far
> I am very happy with how it works.
>

Right, so far this looks ok and I think I'm about half the way there. I've
got a few issues right off the bat though.

First, I'm not using any db right now, just the default file driver. I've
got to the point where my login page is coming up and a session file is
being generated. I'm not sure if the Auth module is supposed to be handling
the login transparently or if I need to manage something with the Session
object itself. After I login and check the user/passwd is ok, I'm thinking I
need to do something here but your example didn't provide that.

Take a look at my attached code if you can. I'll look though the Auth module
source to see what I can figure out what I'm missing.


Thanks,

Bill



---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.538 / Virus Database: 333 - Release Date: 11/10/2003

---------------------------------------------------------------------
Web Archive:  http://www.mail-archive.com/suppressed/
              http://marc.theaimsgroup.com/?l=cgiapp&r=1&w=2
To unsubscribe, e-mail: suppressed
For additional commands, e-mail: suppressed

Follow-Ups:
- RE: [cgiapp] cgi::app, cgi::session & https
  - From: Bill McCormick

References:
- RE: [cgiapp] cgi::app, cgi::session & https
  - From: Cees Hek

Prev by Date: RE: [cgiapp] cgi::app, cgi::session & https
Next by Date: RE: [cgiapp] cgi::app, cgi::session & https
Previous by thread: RE: [cgiapp] cgi::app, cgi::session & https
Next by thread: RE: [cgiapp] cgi::app, cgi::session & https
Index(es):
- Date
- Thread

Mail converted by mhonarc 2.6.15
This archive provided courtesy of JSW4.NET, Internet Hosting Services for Small Business.