
Re: [cgiapp] CAP::Authentication & cookies


Ron Savage wrote:
> On Mon, 27 Mar 2006 23:47:17 +0100, RA Jones wrote:
> I just re-read the CAP::Authentication docs, under 'Choosing a Store', and I
> think at least one of us is confused :-). Here's how I see it:

A glimmer of hope then!

> o User submits credentials
> o Server logs user in, puts flag in MySQL-based session, sends session key to
> web client as hidden form field (my preference) or as fiddled url, does not use
> cookie

How to do that? I did not consciously set a cookie but it's always there
under CGISESSID. CAP::Session is loaded and my setup is as follows:

$obj->session_config(
  CGI_SESSION_OPTIONS => [ "driver:MySQL", $cgi, { Handle => $dbh } ],
);

$obj->authen->config(
  STORE => 'Session', # plus a lot of other params
);

Right, I see now - I have to explicitly set SEND_COOKIE => 0 as a
session_config param, as the default is 'on'. So I will have to handle
session id traffic myself. Do you have any tips on how to do that most
effectively - obviously it has to form part of the url for link-based
navigation and hidden fields for forms. Perhaps CAP::LinkIntegrity and
CAP::FormState can be used here?

>> other site's content. The problem comes with Internet Explorer
> Right, but I don't think this complexity affects the fundamental process.
> Ahhh, IE.
  Yes!  ^^ :-(

>> I know I can mitigate against this by instructing all users to set
>> my site as a trusted zone, or to permit 3rd party cookies, or even
>> to use a 'proper' browser in the first place, but was hoping for a
>> simpler solution where I can have my cake and eat it ;-)
>
> I would not want to be in a position of getting users to do that, either.

No, and it is probably going to cause irritation if the user has to use
a different machine each time they use the app. A better solution is required:

> But the question remains: Why use cookies at all?

Nearly there...
--
Richard Jones
Leeds, UK
mailto:suppressed
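One way to wire up the cookieless setup discussed above, added here as an illustration rather than code from the thread or the plugins' own examples. It assumes a DBI handle built from a placeholder DSN, an illustrative Generic driver standing in for the real DRIVER config, and a hypothetical `sid_hidden_field` helper; it relies on CGI::Session reading the id from a CGISESSID query or form parameter when no cookie arrives.

```perl
package MyApp;
use strict;
use warnings;
use base 'CGI::Application';
use CGI::Application::Plugin::Session;
use CGI::Application::Plugin::Authentication;
use CGI::Session;
use CGI qw(escapeHTML);
use DBI;

sub cgiapp_init {
    my $self = shift;

    # Assumed: a DBI handle for the session table (placeholder DSN and credentials).
    my $dbh = DBI->connect( 'dbi:mysql:database=appdb', 'appuser',
                            'PLACEHOLDER_PASSWORD', { RaiseError => 1 } );

    # SEND_COOKIE defaults to 1 in CAP::Session; 0 suppresses the Set-Cookie
    # header, so the id must travel in each request (here: a hidden field).
    $self->session_config(
        CGI_SESSION_OPTIONS => [ 'driver:MySQL', $self->query, { Handle => $dbh } ],
        SEND_COOKIE         => 0,
    );

    # Illustrative driver only; the real app carries its own DRIVER and other params.
    $self->authen->config(
        DRIVER => [ 'Generic', { example_user => 'PLACEHOLDER_PASSWORD' } ],
        STORE  => 'Session',
    );
    $self->authen->protected_runmodes('main');
    $self->start_mode('main');
    $self->run_modes( [ 'main' ] );
}

# Hypothetical helper: the hidden field every form must carry so the session
# survives a POST without a cookie. Keeping the id in the request body rather
# than in link URLs keeps it out of Referer headers, history and access logs.
sub sid_hidden_field {
    my $self = shift;
    my $name = CGI::Session->name;    # 'CGISESSID' unless renamed
    my $id   = $self->session->id;
    return sprintf( '<input type="hidden" name="%s" value="%s">',
                    escapeHTML($name), escapeHTML($id) );
}

sub main {
    my $self = shift;
    return '<form method="post" action="">' . $self->sid_hidden_field()
         . '<input type="submit" value="Continue"></form>';
}

1;
```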


