Hi,

I've read through a lot of mailing list archives and the documentation for Apache2::AuthCookie and found that tying Apache2::AuthCookie with CGI::Session was exactly what I was looking for.

I'm running mp2/apache2...I've got things working, but I'd like to see if there's a better way.

In my AuthCookie subclass, I check my user credentials in authen_cred(). If I get a successful login, then I create a session with CGI::Session and return the generated session key.

sub authen_cred ($$\@) {
   my $self = shift;
   my $r = shift;
   my($username,$password) = @_;

   # Check user and create session if valid
   my $session = authenticate_user($username, $password);
   return $session;
}

sub authenticate_user {
   my($username,$password) = @_;

   # Check username/password in database
   # other code left out for clarity
   my $s = CGI::Session->load() or die CGI::Session->errstr;
   # check that session was created here,
   # redirect to login if expired, $s->new if empty
   # if ok, return session id
   return $s->id();
}

In the various examples I've seen of AuthCookie (without Apache/CGI::Session), the session key is a ticket so you can tell if it's been tampered with or expired. Since I'm using CGI::Session to generate the key, I'm simply checking that the session key is valid in authen_ses_key() using the CGI::Session load($session_id) function:

my $s = CGI::Session->load($session) or die CGI::Session->errstr;

Which leads me to my second question - if I find that key is valid (in authen_ses_key), then I use pnotes to store a reference to my session, so I can access it later in a response handler - believe I saw mention of that and it seems to work, but verifying that's the best way.

Thanks all...
--
jb
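
Added example, not part of the original post and not code from Apache2::AuthCookie or CGI::Session: a sketch of the authen_ses_key() check and pnotes hand-off described above. CGI::Session->load() returns an empty session object for an unknown or expired id and returns undef only on a driver error, so "or die" alone does not reject a bad key. The package name My::AuthCookie, the session_user helper, the file-driver settings, the 'username' session parameter and the 32-hex-digit id format (the default MD5 id generator) are assumptions.

```perl
package My::AuthCookie;                   # hypothetical subclass name
use strict;
use warnings;
use base 'Apache2::AuthCookie';
use Apache2::RequestUtil ();              # provides $r->pnotes
use CGI::Session ();

# Assumed storage settings; use the same DSN/arguments as the login code.
my $DSN  = 'driver:file';
my %ARGS = (Directory => '/tmp/sessions');

# Check a CGI::Session object: returns the user name stored at login,
# or nothing if the session must not be trusted.
sub session_user {
    my ($s) = @_;
    return unless $s;                     # load() failed (driver error)
    return if $s->is_expired;             # id existed but has timed out
    return if $s->is_empty;               # unknown id: nothing was loaded
    return $s->param('username');         # assumed to be set at login
}

sub authen_ses_key {
    my ($self, $r, $session_key) = @_;

    # Reject anything that does not look like a session id before
    # handing the cookie value to the session store.
    return unless defined $session_key
               && $session_key =~ /\A[0-9a-f]{32}\z/;

    my $s    = CGI::Session->load($DSN, $session_key, \%ARGS);
    my $user = session_user($s);
    return unless defined $user;          # AuthCookie treats this as not logged in

    $r->pnotes(session => $s);            # later handlers read $r->pnotes('session')
    return $user;
}

1;
```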
