Mailing List Archive: Bricolage: devel

Session cookie, auth cookie...

Index | Next | Previous | View Threaded

cyril.sudre at edf

Mar 5, 2010, 4:24 AM

Post #1 of 2 (636 views)
Permalink

Session cookie, auth cookie...

Hi,

I'd like to make parts of Bricolage accessible withou login, but have any
previoulsy logged user recognized. Let me explain :

Actually, all pages are protected via Bric::App::AccessHandler. I'd like
to restrict this protection in a subarea, and let, for example, ANY user
to see pages under document_roo t( "/" ).

When uri is /protected, the user is redirected to login form and
authentified. When user go back to non-protected area, the login is still
valid (for the period specified in AUTH_TTL), and can be displayed in a
head banner, for example.

Something like :

<location />
PerlAuthenHandler Bric::App::AccessHandler::newmethod
(anything that recognize user)
PerlResponseHandler Bric::App::Handler
</location>

<location /protected>
PerlAuthenHandler Bric::App::AccessHandler
PerlResponseHandler Bric::App::Handler
</location>

But this would just map session id to storage, without setting any
recognized user (from BRIC_AUTH cookie).

Do I have to implement a new method in AccessHandler for that (something
like Bric::App::AccessHandler->connected)?

Why can't we just a session cookie with a expiration, instead of having a
separate auth cookie?

Thank's in advance for your response, I'm not quite used with ticket based
authentication.

Cyril

david at kineticode

Mar 5, 2010, 9:05 AM

Post #2 of 2 (568 views)
Permalink

Re: Session cookie, auth cookie... [In reply to]

On Mar 5, 2010, at 4:24 AM, Cyril SUDRE wrote:

> Hi,
>
> I'd like to make parts of Bricolage accessible withou login, but have any
> previoulsy logged user recognized. Let me explain :

Your explanation is how (or leading up to a question as to how). But let me ask you this: why?

> Do I have to implement a new method in AccessHandler for that (something
> like Bric::App::AccessHandler->connected)?

Yes, I think so. Note how we already allow anyone to access /media via this bit:

push @locs,
" <Location /media>\n" .
" SetHandler default-handler\n" .
" PerlAccessHandler Apache::OK\n" .
" PerlCleanupHandler Apache::OK$fix\n" .
" </Location>";

So you could use Apache::OK just to give someone access to /, and if you wanted to do anything else than just blindly accept any connection, you would need to write a custom accesshandler method, yes.

> Why can't we just a session cookie with a expiration, instead of having a
> separate auth cookie?

I think it's because they serve two distinct purposes. The auth cookie is validated on every request, and thus stores a hash to be validated. Also, you may not want your session data to be expired just because you logged out.

> Thank's in advance for your response, I'm not quite used with ticket based
> authentication.

HTH,

David

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads