Re: [htmltmpl] securing an H::T site with username/password w/session mgt1
From: Ron M. <rma...@in...> - 2003-09-03 21:46:01
On Wed, Sep 03, 2003 at 04:09:22PM -0500, Karen J. Cravens wrote:
> On Wed, 3 Sep 2003, Ron Mahoney wrote:
>
> RM>On the other hand if you are coding for a mod_perl enabled server that you have
> RM>full control over then I would recommend you take a look at
> RM>Apache::AuthCookieDBI ( a subclass of Apache::AuthCookie ). You can either use
> RM>it directly or as a model for how to code the authentication and authorization
> RM>phases of Apache. Once that's setup and working all you have to do is drop in
> RM>.htaccess files in whatever directory you want protected (or put it in the
> RM>Directory section in your httpd.conf) and say what groups or users are
> RM>authorized to run these scripts.
>
> I'm in the process of setting up a new (well, replacement) server and was
> thinking about playing with Apache::AuthCookieDBI/mod_auth_cookie_mysql,
> but if somebody can answer my question it'll save me some experimentation.
>
> What *I* need is something like Puneet's setup, except that I don't need
> sessions, per se, just the ability to log out (which is just a matter of
> expiring the cookie, in this case). But what I'm not finding in any of
> the documentation is whether it's possible to configure a critter such
> that it doesn't *demand* authentication. That is, if the cookie's there,
> Apache will authenticate and pass it on in the environment, but if it's
> not, it'll still allow access to the file (or in my case, script).
>
> ObHTML::Template: All the scripts being granted access to will use
> HTML::Template, except the wiki, and I'm seriously considering rewriting
> TWiki so that *it* uses H::T too.
>
> --
> Karen J. Cravens si...@ph...
>
>

Yes, I think I get what you're after - ~if~ the user logged in you can get the id from $ENV{REMOTE_USER} and then get their information to do something like say "Hello Tom" on the unprotected page or "Please Login" if they have not passed any credentials (via the cookie or whatever mechanism).

Yes you can do this in Apache::AuthCookie with a call to Apache::AuthCookie::recognize_user as a PerlFixupHandler and make sure that the cookie path is set to '/' (PerlSetVar WhatEverPath / in httpd.conf).

--
Ron Mahoney
Ra Security Systems, Inc.
rma...@ra...
908-534-6004 x21
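
The setup described in the reply above, as an added httpd.conf sketch for mod_perl 1.x (it is not part of the original message or of the Apache::AuthCookie distribution). Sample::AuthCookieHandler is a hypothetical subclass of Apache::AuthCookie, and /login.pl, /members and /public are assumed paths; "WhatEver" is the AuthName, as in the message.

```apache
# Added illustration. Sample::AuthCookieHandler is a hypothetical subclass of
# Apache::AuthCookie (Apache::AuthCookieDBI could take its place).
PerlModule Sample::AuthCookieHandler

# Cookie path "/": the browser sends the session cookie for every URL on the
# site, so requests outside the protected area carry it as well.
PerlSetVar WhatEverPath /
PerlSetVar WhatEverLoginScript /login.pl

# Protected area: a request without a valid cookie is sent to the login form.
<Location /members>
    AuthType Sample::AuthCookieHandler
    AuthName WhatEver
    PerlAuthenHandler Sample::AuthCookieHandler->authenticate
    PerlAuthzHandler Sample::AuthCookieHandler->authorize
    require valid-user
</Location>

# Optional recognition: there is no "require" line and no authen/authz
# handler, so anonymous requests are served. When the cookie is present,
# recognize_user fills in the user name during the fixup phase and the
# script can read it from $ENV{REMOTE_USER}.
<Location /public>
    AuthType Sample::AuthCookieHandler
    AuthName WhatEver
    PerlFixupHandler Sample::AuthCookieHandler->recognize_user
</Location>

# Target of the login form's POST.
<Location /LOGIN>
    AuthType Sample::AuthCookieHandler
    AuthName WhatEver
    SetHandler perl-script
    PerlHandler Sample::AuthCookieHandler->login
</Location>
```

Scripts under /public should treat an unset REMOTE_USER as an anonymous visitor and use the name only for display; anything that needs a login belongs under /members, where the authentication and authorization handlers enforce it.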