Re^2: site access: Apache Basic auth vs. CGI::Session and cookies

by j3 (Friar)
on Apr 10, 2007 at 07:12 UTC (#609083)


in reply to Re: site access: Apache Basic auth vs. CGI::Session and cookies
in thread site access: Apache Basic auth vs. CGI::Session and cookies

So, using HTTP authorization, getting the user's browser to stop sending auth headers constitutes how you get that user "logged out"?

If that's the case, I think what you're suggesting is having my webapp set a cookie to logout (maybe to expire the cookie?), such that the cookie somehow tells the user's web browser to stop sending authorization headers -- is that correct?

"and the next roundtrip the browser issues an authorization header then decline the validity of that header."

But it would seem to me that the browser is carrying on a rather personal discussion with the web server, without my webapp even knowing about it. How do I "decline the validity" of that header? Does my webapp code even see it?

Hm... It would seem somewhat simpler to not even bother with HTTP authorization and just use cookies and my own webapp code to decide whether users are logged in or out. I think that's what you're getting at in your last sentence.


Re^3: site access: Apache Basic auth vs. CGI::Session and cookies
by varian (Chaplain) on Apr 10, 2007 at 14:05 UTC
    It would seem somewhat simpler to not even bother with HTTP authorization and just use cookies and my own webapp code to decide whether users are logged in or out
    No, don't go there, it does not make sense to have each and every web application manage session or authorization cookies.

    The common solution is to setup an 1) Authentication and an 2) Authorization Handler, as Perl modules that are called by the (Apache) webserver upon each url request.

    These modules have been written already, an example that you may want to have a look at is AuthCookieDBI.pm

    The only thing left with your web application is that you might want to implement a logout button that simply makes a call to the Perl module to have the cookie invalidated. And you will want to create a login page somewhere. That's all.

      Thanks for the tip about the common solution varian. I'll keep reading. I still don't see the connection between using Apache and using cookies. I thought cookies were only for setting simple values that I'd be explicitly looking at later in my cgi scripts... but it sounds like there's a connection with the Apache/HTTP auth stuff that I'm unaware of so far.
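The kind of Apache-side cookie handler varian describes, as an added example that is neither this thread's code nor AuthCookieDBI's: the handler, not the CGI scripts, checks a signed session cookie on every request under a protected location and sets the user for Apache, and a logout simply expires that cookie. The module name, login URL, cookie name and secret are assumptions.

```perl
# Added example (not code from this thread or from AuthCookieDBI): a minimal
# mod_perl 2 PerlAuthenHandler. Apache runs it for every request under a
# protected <Location> (PerlAuthenHandler My::CookieAuthen, AuthType
# My::CookieAuthen, Require valid-user), so the CGI scripts behind it never
# parse the cookie themselves.
package My::CookieAuthen;
use strict; use warnings;
use Apache2::RequestRec ();
use APR::Table ();
use Apache2::Const -compile => qw(OK REDIRECT);
use Digest::SHA qw(hmac_sha256_hex);

my $SECRET    = 'PLACEHOLDER-long-random-server-side-secret';  # assumption
my $LOGIN_URL = '/login';                                       # hypothetical
my $COOKIE    = 'SESSION';

# Ticket "user:expiry:mac" (usernames must not contain ':'); the HMAC keyed
# with the server secret stops a client forging or extending a ticket.
sub make_ticket {
    my ($user, $ttl) = @_;
    my $expiry = time + ($ttl || 3600);
    return join ':', $user, $expiry, hmac_sha256_hex("$user:$expiry", $SECRET);
}
sub verify_ticket {
    my ($value) = @_;
    return unless defined $value;
    my ($user, $expiry, $mac) = split /:/, $value, 3;
    return unless defined $mac && $expiry =~ /^\d+$/ && $expiry > time;
    return $mac eq hmac_sha256_hex("$user:$expiry", $SECRET) ? $user : undef;
}
sub handler {
    my $r = shift;
    my ($value) = ($r->headers_in->{Cookie} || '') =~ /(?:^|;\s*)$COOKIE=([^;]*)/;
    my $user = verify_ticket($value);
    unless (defined $user) {          # missing, expired or forged: go log in
        $r->err_headers_out->set(Location => $LOGIN_URL);
        return Apache2::Const::REDIRECT;
    }
    $r->user($user);                  # scripts behind the URL see REMOTE_USER
    return Apache2::Const::OK;
}
# Logout: expire the cookie. Once the browser stops sending it, handler()
# above redirects the next protected request to the login page.
sub logout {
    my $r = shift;
    $r->err_headers_out->add('Set-Cookie' =>
        "$COOKIE=; Path=/; HttpOnly; Expires=Thu, 01 Jan 1970 00:00:00 GMT");
}
1;
```

The login page would call make_ticket() after checking the password and send the result as the SESSION cookie; nothing else in the web application needs to look at cookies.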
