in reply to
Re^2: Persistent login session with restricted access
in thread Persistent login session with restricted access
- The reason I have a runmode for validation is because I want the user to be able to login or logout from any page, similar to the perlmonks site. So the "login" template component is part of every page rendered. After validation, the previously requested page is served up automatically without the user requesting it again. My default run mode is the only other one required at at the moment because it is the only one needed to serve up simple pages. Other run modes will be added as more complex functionaly is added to the site.
- As stated above, if a user requested a page that required authentication, they would get a notification that they must be logged in to view that page. After logging in, the previously requested page automatically displays without having to request it again.
- My cgiapp_prerun() only checks to see if the person is logged out and then resets the session and displays the home page. I didn't see the need to check if a person is logged in, because the site is based on levels of authorization (e.g., anonymous, members, executive, administrators). For example, users not logged in can access the anonymous level pages. My cgi page building module checks the authorization level of the user against that of the page to determine whether the page should be served. I looked into redirecting but didn't see how to do this in a way that made sense with how my site is structured. I suspect that I'm missing something here but I couldn't see how it would work for me. I use a CGI query parameter that is placed in the urls of dynamically generated navbars to indicate to my site what resourse is being requested. Since these are all, thus far, simple content without forms or other functionality, they are served by my default run mode. I wanted to keep it simple and it works so far. Maybe I'll see your point (and have to refactor the code) when I begin to add more functionality.
I use a separate .htaccess file to prohibit people from guessing the layout of my content and typing in those guesses in the url, thus bypassing my index.cgi script. This was a security threat that I had to address and I couldn't think of any other way to do it. I'm not using HTTP Authentication.
I'm still looking into redirecting, but I don't fully understand how to it properly in a way that makes sense here. Any advise would be appreciated.
Thanks for your help,