Posted to embperl@perl.apache.org by Sam Michel <sa...@chinwag.com> on 2002/02/04 13:20:09 UTC

Login/Authentication Advice

Hello All,

Apologies in advance if this is a naive/stupid question.

I'm after opinions on the best way to handle cookie and non-cookie-based
authentication. Basically I have to put together a system where visitors
must login to view protected pages. If they tick a box, the login process
will set a cookie, which will authenticate them on future visits
automatically. I don't need to store any other information about their
session as they're just viewing normal HTML pages or performing basic admin.
The platform is Linux using a recent version of Apache with mod_perl
installed.

As far as I can work out, there are two options:

Option One - Embperl's Built-In Session

I can use Embperl's built-in session management functions to check their
login information and then set up a session with a long expiry time. This
could then be used to log them in automatically each time they return to the
website, until the cookie expires. However, this relies on the user having
cookies enabled. Although the number of people with cookies disabled is
relatively small for this website, the site must still be usable without
cookies, so I'd also have to provide some form of simple login, checking
with the database and then authenticating the user into the Apache session.

Option Two - Use Apache::AuthCookie

Install and configure Apache::AuthCookie to handle the authentication
process. As I understand it, this would authenticate the user into their
Apache session and set up a cookie (if they have cookies enabled), which
would allow automatic login next time they visit the website (providing the
cookie hasn't expired).

My questions are:

* Which is the better solution, both in terms of setting it up and also
efficiency of use?
* Have I missed anything? Is there something obvious I need to add to make
this work?

Any help is very much appreciated. Sorry if this has been asked before, but
I checked the list archives and couldn't find anything similar.

Toodle Pip

Sam


---------------------------------------------------------------------
To unsubscribe, e-mail: embperl-unsubscribe@perl.apache.org
For additional commands, e-mail: embperl-help@perl.apache.org


Re: Login/Authentication Advice

Posted by David Lloyd <ll...@rebel.net.au>.
LOL

> will be protected. If you use Embperl session management you have to test if
> the user is logged in on every page before you can do the real work. On the
> other side, using Embperl session data gives you some more flexibility,
> because you have some more control over what happens to unauthorized users.

Wonders whether Gerald has developed the "shoot naughty users with big
gun" module yet...or the "tie up and tickle with feathers hash"...or...

-- 
Train comes I don't know its destination...
  It's a one way ticket to a mad man's situation!
  (Overload - Sugababes)



Re: Login/Authentication Advice

Posted by Gerald Richter <ri...@ecos.de>.
>
> My questions are:
>
> * Which is the better solution, both in terms of setting it up and also
> efficiency of use?
> * Have I missed anything? Is there something obvious I need to add to make
> this work?
>

Both solutions will work. The advantage of Apache::AuthCookie is that it steps
in at the Apache Authorisation phase, so you can restrict access not only to
Embperl pages, but to all documents, pictures, whatever, and you can configure
it once and forget about it, because every document in the protected area
will be protected. If you use Embperl session management you have to test if
the user is logged in on every page before you can do the real work. On the
other side, using Embperl session data gives you some more flexibility,
because you have some more control over what happens to unauthorized users.

Gerald


-------------------------------------------------------------
Gerald Richter    ecos electronic communication services gmbh
Internetconnect * Webserver/-design/-datenbanken * Consulting

Post:       Tulpenstrasse 5         D-55276 Dienheim b. Mainz
E-Mail:     richter@ecos.de         Voice:    +49 6133 925131
WWW:        http://www.ecos.de      Fax:      +49 6133 925152
-------------------------------------------------------------
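
The two hooks an Apache::AuthCookie subclass has to supply, as an added example that is not code from this thread or from the Apache::AuthCookie project: `authen_cred` issues an HMAC-signed, expiring ticket at login and `authen_ses_key` checks it on every request to the protected area. The package name, secret, lifetime and user table are hypothetical or constructed; the package is kept free of mod_perl so it runs under plain perl, and under mod_perl it would inherit from Apache::AuthCookie.

```perl
package My::TicketAuth;   # hypothetical name; under mod_perl add: use base 'Apache::AuthCookie';
use strict;
use warnings;
use Digest::SHA qw(sha256_hex hmac_sha256_hex);

my $SECRET = 'constructed-demo-secret';  # assumption: a random server-side key in real use
my $TTL    = 30 * 24 * 3600;             # assumption: "remember me" lifetime of 30 days
# Constructed user table: user => [salt, sha256(salt . password)]. A real site queries its
# database and should store a slow password hash instead.
my %USERS  = (sam => ['x9', sha256_hex('x9' . 'correct horse')]);

# Compare two strings without stopping at the first differing byte.
sub _same {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Login hook: receives the submitted credentials, returns the cookie value or undef.
sub authen_cred {
    my ($self, $r, $user, $password) = @_;
    my $rec = $USERS{$user // ''} or return;
    return unless _same(sha256_hex($rec->[0] . ($password // '')), $rec->[1]);
    my $body = join ':', $user, time() + $TTL;
    return join ':', $body, hmac_sha256_hex($body, $SECRET);
}

# Per-request hook: receives the cookie value, returns the user name or undef.
sub authen_ses_key {
    my ($self, $r, $ticket) = @_;
    my ($user, $expires, $mac) = split /:/, ($ticket // ''), 3;
    return unless defined $mac && $expires =~ /^\d+$/;
    return unless _same($mac, hmac_sha256_hex("$user:$expires", $SECRET));
    return $expires > time() ? $user : undef;   # reject tickets past their expiry
}

package main;
# Demo with constructed input; $r is undef because no Apache request exists here.
my $ticket = My::TicketAuth->authen_cred(undef, 'sam', 'correct horse');
(my $forged = $ticket) =~ s/^sam/root/;   # user name changed, MAC left as issued
printf "valid ticket  -> %s\n", My::TicketAuth->authen_ses_key(undef, $ticket) // 'rejected';
printf "forged ticket -> %s\n", My::TicketAuth->authen_ses_key(undef, $forged) // 'rejected';
printf "bad password  -> %s\n", My::TicketAuth->authen_cred(undef, 'sam', 'guess') // 'rejected';
```

Because the user name and expiry are covered by the MAC, a long-lived cookie cannot be edited into another account or extended by the client.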


