You are viewing a plain text version of this content. The canonical link for it is here.
Posted to modperl@perl.apache.org by Brian Clarkson <br...@lnstar.com> on 2009/07/29 21:32:19 UTC

problem with Apache2::AuthCookie

I started having an odd problem with a simple subclass of
Apache2::AuthCookie after a mod_perl upgrade.  

When authorization fails, apache apparently returns a forbidden page to
the user (not just a forbidden status to the authentication hook) then
fails to redirect the user back to the login page.  The browser actually
displays the following:


ody> <h1>Forbidden</h1> <p>You don't have permission to access /archive/
on this server.</p> <p>Additionally, a 200 OK error was encountered
while trying to use an ErrorDocument to handle the request.</p> <hr>
<address>Apache Server at www.psychonomic.org Port 80</address>
</body></html> HTTP/1.1 200 OK Date: Mon, 27 Jul 2009 19:54:27 GMT
Server: Apache Keep-Alive: timeout=15, max=88 Connection: Keep-Alive
Transfer-Encoding: chunked Content-Type: text/html; charset=utf-8 fd6
<!-- psychonomic.org/templates/archive/frontpage.tmpl -->
(The code can be seen in action at http://www.psychonomic.org/archive )

Authorization only seems to fail 1 out of 50 times.  A similar error
happens when the 'Continue' button on the page is pressed repeatedly (5+
times) without checking the 'I agree' checkbox.

I only need to make sure the user has checked a box agreeing to the
website's terms and conditions.  I don't use any kind of user/pass
combinations.  

perl 5.8.8
apache 2.2.11
mod_perl 2.0.4


My module code is:

package TermsAndConditions;
use strict;
use Apache2::compat;
use base qw! Apache2::AuthCookie !;

sub authen_cred ($$\@) {
   my $self = shift;  # Package name (same as AuthName directive)
   my $r    = shift;  # Apache request object
   my @cred = @_;     # Credentials from login form

   return ( $cred[0] ? "authorized" : undef );
}

sub authen_ses_key ($$$) {
   my ($self, $r, $session_key) = @_;
   return 1;
}

1;

The relevant httpd.conf directives are:

<Directory /home/httpd/psychonomic.org/modperl_apps>
   <Files login.pl>
      SetHandler perl-script
      PerlHandler ModPerl::Registry
      Options +ExecCGI
      allow from all
      PerlSendHeader On
   </Files>
</Directory>


<Files logout.pl>
   SetHandler perl-script
   PerlHandler ModPerl::Registry
   Options +ExecCGI
   PerlSendHeader On
</Files>

## These documents require user to be logged in.
<Directory /home/httpd/psychonomic.org/html/archive>
    Options +ExecCGI
    AuthType TermsAndConditions
    AuthName PsychoMembers
    PerlAuthenHandler TermsAndConditions->authenticate
    PerlAuthzHandler TermsAndConditions->authorize
    require valid-user
    #SetHandler perl-script
    #PerlSendHeader On
</Directory>

##this is the action of the login.pl script above.
<Location /apps/LOGIN>
    AuthType TermsAndConditions
    AuthName PsychoMembers
    SetHandler perl-script
    PerlSendHeader On
    PerlResponseHandler TermsAndConditions->login
</Location>