Posted to modperl@perl.apache.org by Sean Chittenden <se...@serverninjas.com> on 2000/02/15 18:22:20 UTC

Re: UN-Authenticating users?

	This isn't entirely true.  Below:


On Mon, 14 Feb 2000, Ken Williams wrote:

> Date: Mon, 14 Feb 2000 22:02:02 -0600
> From: Ken Williams <ke...@forum.swarthmore.edu>
> To: John Walker <jo...@jsw4.net>
> Cc: "'modperl@apache.org'" <mo...@apache.org>
> Subject: Re: UN-Authenticating users?
> 
> john@jsw4.net (John Walker) wrote:
> >I'm writing some stuff with CGI under mod perl. The users have to
> >authenticate prior to even getting to the script... However, some of my
> >users have more than one login with separate privileges... (provided by
> >the script). I want them to be able to log out and then log back in as
> >someone else, but I can't quite figure out how to "UN-Authenticate".
> >(DE-Authenticate?)

	Send the user another request for authentication.  The browser
doesn't know whether or not the username is valid or not, so it'll prompt
the user for username and password.  I've done this in the past for
administrators who need to log in for users and it worked quite nicely.

> The login credentials are stored in the browser, and browsers don't
> provide any logout mechanism.  It's been one of the most glaring
> oversights since version 1 of Netscape, in my opinion.

	The main reason for this is because the browser doesn't know when
the credentials are invalid.  Send a request for auth and the browser
assumes its credentials are out of date/bad and it'll prompt the user.

> >I'm using CGI.pm under Apache::Registry, so I don't have a nice $r
> >object to see if I could do something like $c->user = ""; which I'm
> >guessing would barf anyway.

	Ugh...  CGI.pm?  Any chance you could move the use of CGI.pm to
Apache::Request?  1001 times faster and doesn't have the code bloat of the
HTML generation.

-- 
Sean Chittenden
sean.chittenden@usa.net


CGI.pm compared to Apache::Request (was Re: UN-Authenticating users?)

Posted by Sean Chittenden <se...@serverninjas.com>.
	Take this with a grain of salt because I have a very DEEP bias
against CGI.pm.

	Apache::Request is a module that you can get via CPAN.  Its
purpose is to emulate the core functionality of CGI.pm, except that it
was written in C and consequently is a) much faster and b) has a much
smaller memory footprint.  The ONLY downside to it that I have found (but
I never use this feature, so don't care at all) is that Apache::Request
does not allow you to build HTML.  Since I use a template solution, I
don't care AT ALL about the lack of the HTML creation feature.
	That being said, because CGI.pm is a bloated piece of code, I
typically rewrite or don't use modules that depend on CGI.pm because of
its size (and because it's slow).  Apache::Request behaves the same as
CGI.pm, but the manual will explain more of that when you install it.  ;)

	--SC

On Thu, 17 Feb 2000, Louis-David Mitterrand wrote:

> Date: Thu, 17 Feb 2000 14:43:33 +0100
> From: Louis-David Mitterrand <cu...@apartia.ch>
> Reply-To: ldm@aparima.com
> To: Sean Chittenden <se...@serverninjas.com>
> Cc: modperl@apache.org
> Subject: Re: UN-Authenticating users?
> 
> On Tue, Feb 15, 2000 at 09:22:20AM -0800, Sean Chittenden wrote:
> > > >I'm using CGI.pm under Apache::Registry, so I don't have a nice $r
> > > >object to see if I could do something like $c->user = ""; which I'm
> > > >guessing would barf anyway.
> > 
> > 	Ugh...  CGI.pm?  Any chance you could move the use of CGI.pm to
> > Apache::Request?  1001 times faster and doesn't have the code bloat of the
> > HTML generation.
> 
> Sorry for the basic question but I'm still learning mod_perl's in and
> outs: what do you mean by "move the use of CGI.pm to Apache::Request" ? 
> 
> (I couldn't find a man page for Apache::Request on my Debian system)
> 
> Cheers,
> 
> 

-- 
Sean Chittenden
sean.chittenden@usa.net
(408)530-0001



Re: UN-Authenticating users?

Posted by Louis-David Mitterrand <cu...@apartia.ch>.
On Tue, Feb 15, 2000 at 09:22:20AM -0800, Sean Chittenden wrote:
> > >I'm using CGI.pm under Apache::Registry, so I don't have a nice $r
> > >object to see if I could do something like $c->user = ""; which I'm
> > >guessing would barf anyway.
> 
> 	Ugh...  CGI.pm?  Any chance you could move the use of CGI.pm to
> Apache::Request?  1001 times faster and doesn't have the code bloat of the
> HTML generation.

Sorry for the basic question but I'm still learning mod_perl's in and
outs: what do you mean by "move the use of CGI.pm to Apache::Request" ? 

(I couldn't find a man page for Apache::Request on my Debian system)

Cheers,

-- 
Louis-David Mitterrand - ldm@aparima.com - http://www.aparima.com

        "They told me I was gullible ... and I believed them!"

Re: UN-Authenticating users?

Posted by Ken Williams <ke...@forum.swarthmore.edu>.
sean@serverninjas.com (Sean Chittenden) wrote:
>On Mon, 14 Feb 2000, Ken Williams wrote:
>> john@jsw4.net (John Walker) wrote:
>> >I'm writing some stuff with CGI under mod perl. The users have to
>> >authenticate prior to even getting to the script... However, some of my
>> >users have more than one login with separate privileges... (provided by
>> >the script). I want them to be able to log out and then log back in as
>> >someone else, but I can't quite figure out how to "UN-Authenticate".
>> >(DE-Authenticate?)
>
>	Send the user another request for authentication.  The browser
>doesn't know whether or not the username is valid or not, so it'll prompt
>the user for username and password.  I've done this in the past for
>administrators who need to log in for users and it worked quite nicely.

It only works if you trust the user and you're just providing a convenience so
they don't have to quit the browser and relaunch.  Otherwise a user can't be
forcibly logged out - hitting reload after your technique will let the user log
in again, at least with some browsers.  All the browser has to do is re-send
the authentication tokens.  Clearly anyone could use LWP or whatever to keep
sending the authentication tokens as long as they bloody well want to.

A more sophisticated model like Bryan's in which you store some persistent user
information in HTML forms could work, but then you're essentially emulating
cookies, and you might as well just use cookies.


  -------------------                            -------------------
  Ken Williams                             Last Bastion of Euclidity
  ken@forum.swarthmore.edu                            The Math Forum
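
The difference between the two logout approaches discussed in this thread, modelled as an added example (not code from any poster here): a 401-based "logout" under Basic auth leaves the old credentials valid, while a server-side cookie session can be revoked. The account, password and function names are constructed for the demo, and reading /dev/urandom assumes a Unix-like system.

```perl
use strict;
use warnings;
use MIME::Base64 qw(encode_base64 decode_base64);

my %PASSWORD = (alice => 's3cret');   # constructed sample account
my %SESSION;                          # server-side table: token => user

# Basic auth is stateless: each request is judged only on its own header.
sub basic_request {
    my ($auth) = @_;
    if (defined $auth && $auth =~ /^Basic (\S+)$/) {
        my ($user, $pw) = split /:/, decode_base64($1), 2;
        return 200 if defined $pw && ($PASSWORD{$user} // "\0") eq $pw;
    }
    return 401;   # a real reply also carries WWW-Authenticate: Basic realm=...
}

# The "logout" from the thread: answer 401 no matter what was sent.
# Nothing is recorded, so the server cannot tell old credentials from new.
sub basic_logout { return 401 }

# Cookie session: the server issues the token and can forget it again.
sub session_login {
    my ($user, $pw) = @_;
    return unless ($PASSWORD{$user} // "\0") eq $pw;
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    my $bytes;
    read($fh, $bytes, 16) == 16 or die "short read from urandom";
    close $fh;
    my $token = unpack 'H*', $bytes;
    $SESSION{$token} = $user;
    return $token;
}
sub session_request { return exists $SESSION{ $_[0] // '' } ? 200 : 401 }
sub session_logout  { delete $SESSION{ $_[0] }; return 200 }

# Replay the same credential before and after each kind of logout.
my $header = 'Basic ' . encode_base64('alice:s3cret', '');
my @basic  = (basic_request($header), basic_logout(), basic_request($header));
my $token  = session_login('alice', 's3cret');
my @cookie = (session_request($token), session_logout($token),
              session_request($token));

print "basic   (before, logout, replay): @basic\n";
print "session (before, logout, replay): @cookie\n";
```

The replayed Basic header is accepted again after the 401 because the server has no record of the logout; the replayed session token is rejected because its entry was deleted server-side.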