On Fri, Jan 07, 2005 at 09:55:03AM -0500, Jaldhar H. Vyas wrote:
> Thanks to you and William for your responses. Looking back at my initial
> message, I think I was unclear as to exactly what I'm asking. I want to
> know if there are better ways to do the "authenticate in the script
> itself" method. Are there any flaws in the code I presented? Any use
> cases I've missed? Etc.

I see. Looking more closely at your code, I'm not seeing how you are
picking up the password when you do the comparison with the value passed
in from the form. Usually I have some functions which get the password
from a database for the username. Is that code in cgiapp_init?

Your logic looks fine to me, but I'd suggest you use C::A's API for
storing data instead of breaking encapsulation and directly accessing
the object's hash. Instead of $self->{newrunmode} use
$self->param('newrunmode').

I'm not sure I understand why you need to delete the newrunmode key as
the value should not be stored between invocations (unless you do
redirects back to cgiapp_prerun). I'm curious if that was added to
fix a bug or as a precaution?

I presume that the value of newrunmode is passed into your login runmode
in the form of a hidden field which redirects to the proper runmode on a
valid login.

> As a matter of fact, I usually use .htaccess and other web server features
> for authentication and split run modes into different modules per role.
> But the mandate for this project is to keep everything as centralized and
> portable as possible.

It sounds like you've assessed the pros and cons, but I can't see where
rolling your own authentication logic is better than using the built-in
support unless you need to port to a platform that does not have
built-in authentication. So far, I've not gone back to doing
authentication in my C::A code since moving to using Apache's
authentication support.

Cheers,
William

--
Knowmad Services Inc.
http://www.knowmad.com