You are viewing a plain text version of this content. The canonical link for it is here.
Posted to modperl@perl.apache.org by Dan Axtell <da...@snet.net> on 2011/01/21 15:25:11 UTC
Authentication and cookies
I'm trying to upgrade mod_perl authentication/authorization handlers for
application menu to be more fine-grained by using cookies. The basic idea is
- restrict a script alias in httpd.conf with basic authentication calling the
custon handlers
- validate the user ID/password in the authentication handler, and look up
role and client access info; stash in cookie. If a valid cookie is already
there, authenticat
- in authorization, check for cookie, reset if it's not there, and authorize
based on role and client information
- in menu app, check for cookie, and configure output depending on user's
role.
What happens is that even though the browser shows a cookie with the correct
info, the menu ends up with a "no cookie found" error, and the logs show
neither the authorization handler nor app are seeing the cookie. Hitting
refresh on the menu shows both handlers seeing the cookie and the menu comes
up correctly.
I've tried using both CGI::Cookie and Apache2::Cookie; I get the same problem
either way. Currently the authentication handler sets the cookie as follows:
my $cookie = Apache2::Cookie->new($r, -name => 'ls_authentication',
value => { user_id => $user, digest => crypt($password,
$salt), role_id => $ur{role_id}, clients => $client_list });
if ($cookie) {
$cookie->bake($r);
} else {
warn "Unable to make cookie";
}
I get no warning, and the cookie looks fine in the browser's debug tool, but
the next handler and app just don't see it. This is how I try and read it in
the authorization handler:
my $jar = Apache2::Cookie::Jar->new($r);
my $cookie = $jar->cookies('ls_authentication');
if ($cookie) {
$have_cookie = 1;
my %fields = $cookie->value;
if ($fields{'user_id'}) {
$user = $fields{'user_id'};
}
if ( $fields{'role_id'} ) {
$user_role = $fields{'role_id'};
}
if ( $fields{'clients'} ) {
@user_clients = split(/,/, $fields{'clients'}); # turn client
list back into array
}
warn "AUTHORIZATION: found cookie, user ID = $user, user role =
$user_role" if $DEBUG;
} else {
warn "AUTHORIZATION: NO COOKIE FOUND" if $DEBUG;
}
I'm running Perl 5.12.1, Apache 2.2.17 and libapreq2 2.13 built from source.
Is using 'bake' insufficient to make the cookie visible by the next handler?
I've tried using both
$r->err_headers_out->set('Set-Cookie', $cookie);
and
$r->err_headers_out->addt('Set-Cookie', $cookie);
but I get the same problem.
Does anyone know of any up to date demos of using cookies in mod_perl2
authentication handlers?
Re: Authentication and cookies
Posted by Joe Schaefer <jo...@yahoo.com>.
OP, see
https://svn.apache.org/repos/infra/websites/cms/webgui/lib/ASF/CMS/Cookie.pm
for typical APR::Request::Cookie usage with FreezeThaw as serializer. Unless
you
want to use arrays this is one of the ways to deal with hashrefs as cookie
values.
In your calling code you'd do something like this
my $apreq = APR::Request::Apache2->handle($r);
my $jar = $apreq->jar;
$jar->cookie_class($cookie_package);
my $cookie = $jar->get('ls_authentication');
my $hashref = $cookie->thaw if $cookie;
...
----- Original Message ----
> From: André Warnier <aw...@ice-sa.com>
> To: mod_perl list <mo...@perl.apache.org>
> Sent: Sun, January 23, 2011 3:09:01 PM
> Subject: Re: Authentication and cookies
>
> Hi.
>
> This is a suggestion to solve what I understand of your problem, but slightly
>differently.
> (And I admit that it is because I do not know if you can do that with a
>cookie-jar, I have never tried; but what is below, I did try and it works).
>
> The idea is as follows.
> A cookie is useful in the sense that it is an "information store" which you
>can offload to the browser by means of a "Set-Cookie" header /at the moment
>when you send a response to the browser/, and of which you can be (almost) sure
>that when the browser sends its next request to your server, it will re-send
>this same cookie along with the new request (in a "Cookie" header.
> So it saves you from creating a local store on the server, and anyway have to
>manage some way for the browser to receive and send back some "session-id" that
>allows your server to retrieve the corresponding local store entry.
>
> But a cookie is less useful at the server level, as a means to save
>information between Apache (and mod_perl) request processing phases.
> For that, you have a better choice : the "pnotes".
> http://perl.apache.org/docs/2.0/api/Apache2/RequestUtil.html#C_pnotes_
>
> In your first handler (e.g. PerlAccessHandler), you get and decode the cookie
>sent by the browser; you store the user-id, and whatever else you have from the
>cookie, in a perl hash for example, and then store this perl hash as an entry in
>the $r->pnotes.
> $r->pnotes("key" => $hashref);
> In later phases of the same request, another handler can retrieve this same
>hash from the $hashref = $r->pnotes("key").
> E.g. in the PerlAuthenHandler, instead of decoding the cookie again, you
>retrieve the hash, and check the values stored in the hash.
> Same thing in a PerlAuthzHandler.
>
> Then right before you create the response to the user (e.g. a
>PerlFixupHandler), you retrieve this hash again, and you create the cookie to
>send along with the response, in the HTTP response headers.
>
> At the end of the request, the pnotes disappear automatically.
>
> Actually, it is a bit more complicated than that, because Web AAA is quite
>spaghetti-like in terms of logic. But that, I suppose, you have already found
>out.
>
>
>
> Dan Axtell wrote:
> > I'm trying to upgrade mod_perl authentication/authorization handlers for
>application menu to be more fine-grained by using cookies. The basic idea is
> > - restrict a script alias in httpd.conf with basic authentication calling
>the custon handlers
> > - validate the user ID/password in the authentication handler, and look up
>role and client access info; stash in cookie. If a valid cookie is already
>there, authenticat
> > - in authorization, check for cookie, reset if it's not there, and authorize
>based on role and client information
> > - in menu app, check for cookie, and configure output depending on user's
>role.
> >
> > What happens is that even though the browser shows a cookie with the correct
>info, the menu ends up with a "no cookie found" error, and the logs show
>neither the authorization handler nor app are seeing the cookie. Hitting
>refresh on the menu shows both handlers seeing the cookie and the menu comes up
>correctly.
> >
> > I've tried using both CGI::Cookie and Apache2::Cookie; I get the same
>problem either way. Currently the authentication handler sets the cookie as
>follows:
> >
> > my $cookie = Apache2::Cookie->new($r, -name => 'ls_authentication',
> value => { user_id => $user, digest => crypt($password, $salt),
>role_id => $ur{role_id}, clients => $client_list });
> > if ($cookie) {
> > $cookie->bake($r);
> > } else {
> > warn "Unable to make cookie";
> > }
> > I get no warning, and the cookie looks fine in the browser's debug tool,
>but the next handler and app just don't see it. This is how I try and read it
>in the authorization handler:
> >
> > my $jar = Apache2::Cookie::Jar->new($r);
> > my $cookie = $jar->cookies('ls_authentication');
> > if ($cookie) {
> > $have_cookie = 1;
> > my %fields = $cookie->value;
> > if ($fields{'user_id'}) {
> > $user = $fields{'user_id'};
> > }
> > if ( $fields{'role_id'} ) {
> > $user_role = $fields{'role_id'};
> > }
> > if ( $fields{'clients'} ) {
> > @user_clients = split(/,/, $fields{'clients'}); # turn
>client list back into array
> > }
> > warn "AUTHORIZATION: found cookie, user ID = $user, user role =
>$user_role" if $DEBUG;
> > } else {
> > warn "AUTHORIZATION: NO COOKIE FOUND" if $DEBUG;
> > }
> >
> >
> > I'm running Perl 5.12.1, Apache 2.2.17 and libapreq2 2.13 built from
>source. Is using 'bake' insufficient to make the cookie visible by the next
>handler? I've tried using both
> > $r->err_headers_out->set('Set-Cookie', $cookie);
> > and
> > $r->err_headers_out->addt('Set-Cookie', $cookie);
> > but I get the same problem.
> > Does anyone know of any up to date demos of using cookies in mod_perl2
>authentication handlers?
>
>
>
Re: Authentication and cookies
Posted by André Warnier <aw...@ice-sa.com>.
Hi.
This is a suggestion to solve what I understand of your problem, but slightly differently.
(And I admit that it is because I do not know if you can do that with a cookie-jar, I have
never tried; but what is below, I did try and it works).
The idea is as follows.
A cookie is useful in the sense that it is an "information store" which you can offload to
the browser by means of a "Set-Cookie" header /at the moment when you send a response to
the browser/, and of which you can be (almost) sure that when the browser sends its next
request to your server, it will re-send this same cookie along with the new request (in a
"Cookie" header.
So it saves you from creating a local store on the server, and anyway have to manage some
way for the browser to receive and send back some "session-id" that allows your server to
retrieve the corresponding local store entry.
But a cookie is less useful at the server level, as a means to save information between
Apache (and mod_perl) request processing phases.
For that, you have a better choice : the "pnotes".
http://perl.apache.org/docs/2.0/api/Apache2/RequestUtil.html#C_pnotes_
In your first handler (e.g. PerlAccessHandler), you get and decode the cookie sent by the
browser; you store the user-id, and whatever else you have from the cookie, in a perl hash
for example, and then store this perl hash as an entry in the $r->pnotes.
$r->pnotes("key" => $hashref);
In later phases of the same request, another handler can retrieve this same hash from the
$hashref = $r->pnotes("key").
E.g. in the PerlAuthenHandler, instead of decoding the cookie again, you retrieve the
hash, and check the values stored in the hash.
Same thing in a PerlAuthzHandler.
Then right before you create the response to the user (e.g. a PerlFixupHandler), you
retrieve this hash again, and you create the cookie to send along with the response, in
the HTTP response headers.
At the end of the request, the pnotes disappear automatically.
Actually, it is a bit more complicated than that, because Web AAA is quite spaghetti-like
in terms of logic. But that, I suppose, you have already found out.
Dan Axtell wrote:
> I'm trying to upgrade mod_perl authentication/authorization handlers for
> application menu to be more fine-grained by using cookies. The basic idea is
> - restrict a script alias in httpd.conf with basic authentication calling the
> custon handlers
> - validate the user ID/password in the authentication handler, and look up
> role and client access info; stash in cookie. If a valid cookie is already
> there, authenticat
> - in authorization, check for cookie, reset if it's not there, and authorize
> based on role and client information
> - in menu app, check for cookie, and configure output depending on user's
> role.
>
> What happens is that even though the browser shows a cookie with the correct
> info, the menu ends up with a "no cookie found" error, and the logs show
> neither the authorization handler nor app are seeing the cookie. Hitting
> refresh on the menu shows both handlers seeing the cookie and the menu comes
> up correctly.
>
> I've tried using both CGI::Cookie and Apache2::Cookie; I get the same problem
> either way. Currently the authentication handler sets the cookie as follows:
>
> my $cookie = Apache2::Cookie->new($r, -name => 'ls_authentication',
> value => { user_id => $user, digest => crypt($password,
> $salt), role_id => $ur{role_id}, clients => $client_list });
> if ($cookie) {
> $cookie->bake($r);
> } else {
> warn "Unable to make cookie";
> }
>
> I get no warning, and the cookie looks fine in the browser's debug tool, but
> the next handler and app just don't see it. This is how I try and read it in
> the authorization handler:
>
> my $jar = Apache2::Cookie::Jar->new($r);
> my $cookie = $jar->cookies('ls_authentication');
> if ($cookie) {
> $have_cookie = 1;
> my %fields = $cookie->value;
> if ($fields{'user_id'}) {
> $user = $fields{'user_id'};
> }
> if ( $fields{'role_id'} ) {
> $user_role = $fields{'role_id'};
> }
> if ( $fields{'clients'} ) {
> @user_clients = split(/,/, $fields{'clients'}); # turn client
> list back into array
> }
> warn "AUTHORIZATION: found cookie, user ID = $user, user role =
> $user_role" if $DEBUG;
> } else {
> warn "AUTHORIZATION: NO COOKIE FOUND" if $DEBUG;
> }
>
>
> I'm running Perl 5.12.1, Apache 2.2.17 and libapreq2 2.13 built from source.
> Is using 'bake' insufficient to make the cookie visible by the next handler?
> I've tried using both
> $r->err_headers_out->set('Set-Cookie', $cookie);
> and
> $r->err_headers_out->addt('Set-Cookie', $cookie);
> but I get the same problem.
>
> Does anyone know of any up to date demos of using cookies in mod_perl2
> authentication handlers?
>