Mailing List Archive

Re: UN-Authenticating users?
This isn't entirely true. Below:


On Mon, 14 Feb 2000, Ken Williams wrote:

> Date: Mon, 14 Feb 2000 22:02:02 -0600
> From: Ken Williams <ken@forum.swarthmore.edu>
> To: John Walker <john@jsw4.net>
> Cc: "'modperl@apache.org'" <modperl@apache.org>
> Subject: Re: UN-Authenticating users?
>
> john@jsw4.net (John Walker) wrote:
> >I'm writing some stuff with CGI under mod perl. The users have to
> >authenticate prior to even getting to the script... However, some of my
> >users have more than one login with separate privileges... (provided by
> >the script). I want them to be able to log out and then log back in as
> >someone else, but I can't quite figure out how to "UN-Authenticate".
> >(DE-Authenticate?)

Send the user another request for authentication. The browser
doesn't know whether or not the username is valid or not, so it'll prompt
the user for username and password. I've done this in the past for
administrators who need to log in for users and it worked quite nicely.

> The login credentials are stored in the browser, and browsers don't
> provide any logout mechanism. It's been one of the most glaring
> oversights since version 1 of Netscape, in my opinion.

The main reason for this is because the browser doesn't know when
the credentials are invalid. Send a request for auth and the browser
assumes its credentials are out of date/bad and it'll prompt the user.

> >I'm using CGI.pm under Apache::Registry, so I don't have a nice $r
> >object to see if I could do something like $c->user = ""; which I'm
> >guessing would barf anyway.

Ugh... CGI.pm? Any chance you could move the use of CGI.pm to
Apache::Request? 1001 times faster and doesn't have the code bloat of the
HTML generation.

--
Sean Chittenden
sean.chittenden@usa.net
Re: UN-Authenticating users?
While it's true you can't force a logout, you can do a bit of a workaround
to force a relogin as another user. If you set up a particular CGI or
handler to accept the current userid as one of its form parameters, you can
have it output Status 401 until the userid (REMOTE_USER) changes. A big
hack, but better than nothing...

Bryan

-----Original Message-----
From: Ken Williams <ken@forum.swarthmore.edu>
To: John Walker <john@jsw4.net>
Cc: 'modperl@apache.org' <modperl@apache.org>
Date: Monday, February 14, 2000 10:53 PM
Subject: Re: UN-Authenticating users?


>john@jsw4.net (John Walker) wrote:
>>I'm writing some stuff with CGI under mod perl. The users have to
>>authenticate prior to even getting to the script... However, some of my
>>users have more than one login with separate privileges... (provided by
>>the script). I want them to be able to log out and then log back in as
>>someone else, but I can't quite figure out how to "UN-Authenticate".
>>(DE-Authenticate?)
>
>You can't do it with standard auth, you need cookie-based auth or another
>alternative. Check out Apache::AuthCookie.
>
>The login credentials are stored in the browser, and browsers don't provide any
>logout mechanism. It's been one of the most glaring oversights since version 1
>of Netscape, in my opinion.
>
>>I'm using CGI.pm under Apache::Registry, so I don't have a nice $r
>>object to see if I could do something like $c->user = ""; which I'm
>>guessing would barf anyway.
>
>You can call Apache->request() to get the $r object. But you're right, that
>would barf.
>
> ------------------- -------------------
> Ken Williams Last Bastion of Euclidity
> ken@forum.swarthmore.edu The Math Forum
>
>
Re: UN-Authenticating users?
sean@serverninjas.com (Sean Chittenden) wrote:
>On Mon, 14 Feb 2000, Ken Williams wrote:
>> john@jsw4.net (John Walker) wrote:
>> >I'm writing some stuff with CGI under mod perl. The users have to
>> >authenticate prior to even getting to the script... However, some of my
>> >users have more than one login with separate privileges... (provided by
>> >the script). I want them to be able to log out and then log back in as
>> >someone else, but I can't quite figure out how to "UN-Authenticate".
>> >(DE-Authenticate?)
>
> Send the user another request for authentication. The browser
>doesn't know whether or not the username is valid or not, so it'll prompt
>the user for username and password. I've done this in the past for
>administrators who need to log in for users and it worked quite nicely.

It only works if you trust the user and you're just providing a convenience so
they don't have to quit the browser and relaunch. Otherwise a user can't be
forcibly logged out - hitting reload after your technique will let the user log
in again, at least with some browsers. All the browser has to do is re-send
the authentication tokens. Clearly anyone could use LWP or whatever to keep
sending the authentication tokens as long as they bloody well want to.

A more sophisticated model like Bryan's in which you store some persistent user
information in HTML forms could work, but then you're essentially emulating
cookies, and you might as well just use cookies.


------------------- -------------------
Ken Williams Last Bastion of Euclidity
ken@forum.swarthmore.edu The Math Forum
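
Added example (not part of any message in this thread): a small Perl simulation of the two points above, the "401 until REMOTE_USER changes" handler Bryan describes and Ken's observation that the old credentials keep working when re-sent. The account names, passwords and sub names are constructed for illustration; it uses only core modules and does not touch mod_perl.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use MIME::Base64 qw(encode_base64 decode_base64);

# Constructed sample accounts (not from the thread).
my %PASSWORD = (alice => 'wonderland', alice_admin => 'redqueen');

# Return the user named by a valid Basic Authorization header, else undef.
sub basic_user {
    my ($header) = @_;
    return undef unless defined $header && $header =~ /^Basic\s+(\S+)$/;
    my ($user, $pass) = split /:/, decode_base64($1), 2;
    return undef unless defined $pass && exists $PASSWORD{$user};
    return $PASSWORD{$user} eq $pass ? $user : undef;
}

# Any page in the protected realm. Basic auth is stateless: the server
# keeps no session, so the only input is the header on this request.
sub protected_page {
    my ($header) = @_;
    my $user = basic_user($header);
    return defined $user ? 200 : 401;
}

# The relogin handler: answer 401 (which makes the browser prompt again)
# until the authenticated user differs from the userid form parameter.
sub relogin_handler {
    my ($header, $prev_user) = @_;
    my $user = basic_user($header);
    return 401 if !defined $user || $user eq $prev_user;
    return 200;
}

# Build the header a browser would send for a username/password pair.
sub header_for {
    my ($user, $pass) = @_;
    return 'Basic ' . encode_base64("$user:$pass", '');
}

my $alice = header_for('alice',       'wonderland');
my $admin = header_for('alice_admin', 'redqueen');

printf "relogin, still alice:        %d\n", relogin_handler($alice, 'alice');
printf "relogin, now alice_admin:    %d\n", relogin_handler($admin, 'alice');
printf "alice's old header replayed: %d\n", protected_page($alice);
```

The last call is the limitation: nothing on the server was invalidated, so the 401 only changes what the browser chooses to send next. Revoking access needs server-side state, such as a session ticket the server can expire (the cookie approach suggested earlier in the thread).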
Re: UN-Authenticating users?
On Tue, Feb 15, 2000 at 09:22:20AM -0800, Sean Chittenden wrote:
> > >I'm using CGI.pm under Apache::Registry, so I don't have a nice $r
> > >object to see if I could do something like $c->user = ""; which I'm
> > >guessing would barf anyway.
>
> Ugh... CGI.pm? Any chance you could move the use of CGI.pm to
> Apache::Request? 1001 times faster and doesn't have the code bloat of the
> HTML generation.

Sorry for the basic question but I'm still learning mod_perl's in and
outs: what do you mean by "move the use of CGI.pm to Apache::Request" ?

(I couldn't find a man page for Apache::Request on my Debian system)

Cheers,

--
Louis-David Mitterrand - ldm@aparima.com - http://www.aparima.com

"They told me I was gullible ... and I believed them!"
RE: UN-Authenticating users?
Louis-David,

In case it isn't clear from my message, I'm pretty new too. Anyway, I
cannot recommend the eagle book enough. (I am not associated in any way
with the author or the publisher...other than this list.) About three
chapters in you'll understand the answer to your question very clearly.
Here's my attempt to paraphrase:

There are two ways to run scripts under mod_perl. One is to write a
"regular" perl script and to run it under Apache::Registry which is a
module that sets up a "CGI-like" environment. (Except that it's
blazingly fast because the scripts are compiled only once.)

You can also use mod_perl to write Apache handlers - they directly
handle requests to the server. An Apache handler actually participates
in the whole web server process, directly intercepting the request,
manipulating it, and producing output from perl. It's cool because it's
perl, and they give you access to the guts of the user's
request.

Actually I guess there is limited access to the "request object" in both
methods, although it seems a little less direct if one uses it in scripts
running under ::Registry. I think one of the advantages of NOT using the
request object for scripts running under ::Registry is that (in theory)
if one uses CGI.pm the scripts will run under mod_perl or "regular" CGI.
Although as Sean pointed out, the performance is different. But what the
heck? My code is usually large and unwieldy, I'm used to it. My memory
dealer loves me.<G>

Between the Eagle Book and Stas' guide, ( http://perl.apache.org/guide )
I have needed no other mod_perl documentation ... except the list ... to
write a fairly complex (for my first networked app) database
application.

Good Luck
John

> -----Original Message-----
> From: Louis-David Mitterrand [mailto:cunctator@apartia.ch]
> Sent: Thursday, February 17, 2000 8:44 AM
> To: Sean Chittenden
> Cc: modperl@apache.org
> Subject: Re: UN-Authenticating users?
>
>
> On Tue, Feb 15, 2000 at 09:22:20AM -0800, Sean Chittenden wrote:
> > > >I'm using CGI.pm under Apache::Registry, so I don't have a nice $r
> > > >object to see if I could do something like $c->user = ""; which I'm
> > > >guessing would barf anyway.
> >
> > Ugh... CGI.pm? Any chance you could move the use of CGI.pm to
> > Apache::Request? 1001 times faster and doesn't have the code bloat of the
> > HTML generation.
>
> Sorry for the basic question but I'm still learning mod_perl's in and
> outs: what do you mean by "move the use of CGI.pm to Apache::Request" ?
>
> (I couldn't find a man page for Apache::Request on my Debian system)
>
> Cheers,
>
> --
> Louis-David Mitterrand - ldm@aparima.com - http://www.aparima.com
>
> "They told me I was gullible ... and I believed them!"
>