Mailing List Archive

UN Authentication suggestions...
I'm not sure if everyone who answered the last question about this was
on the same page, but several people suggested something like this. (I
think.)

my $q = CGI->new();

...

if ($q->param('act') eq 'Log in as someone else') {
    $q->param(-name=>'act',-value=>'');
    print $q->header(-status=>'401 HTTP_UNAUTHORIZED');
} else {
    &something_else_that_works_just_fine;
}

Initially, this does what I want and forces the little browser dialog
requesting id and password. Unfortunately, it doesn't let them back in,
even if they use valid data to authenticate as another (or even the
same) user.

What am I missing????

I'm using .htaccess and mod_auth_mysql (if that makes any difference),
NOT a PerlAuthHandler.

John
Re: UN Authentication suggestions...
john@jsw4.net (John Walker) wrote:
>if ($q->param('act') eq 'Log in as someone else') {
> $q->param(-name=>'act',-value=>'');
> print $q->header(-status=>'401 HTTP_UNAUTHORIZED');
>} else {
>&something_else_that_works_just_fine;
>}
>
>Initially, this does what I want and forces the little browser dialog
>requesting id and password. Unfortunately, it doesn't let them back in,
>even if they use valid data to authenticate as another (or even the
>same) user.
>
>What am I missing????

The fact that you can't log someone out using Basic auth, because the browser
can easily keep the authentication tokens around and resend them. And it will,
if the user hits "reload." Also, your unsetting of the 'act' parameter has no
effect, because the user will never see the final data in $q (unless there's
more of your code that you didn't post).

I maintain that this would all be much easier if you used a different
authentication scheme, such as Apache::AuthCookie. Is this not an option or
something?


------------------- -------------------
Ken Williams Last Bastion of Euclidity
ken@forum.swarthmore.edu The Math Forum
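
The behaviour discussed in this thread, modelled as an added example (not code from either poster). It assumes a simplified browser that, after a 401, prompts, caches what was typed and repeats the same request including the 'act' form field; the user table, handle() and browser_fetch() are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed credentials standing in for the mod_auth_mysql user table.
my %users = (john => 'pw1', mary => 'pw2');

# Server side: the Basic auth check runs first, then the CGI logic from the post.
sub handle {
    my ($req) = @_;
    my ($user, $pass) = @{ $req->{auth} || [] };
    return 401 unless defined $user && ($users{$user} // '') eq $pass;
    if (($req->{params}{act} // '') eq 'Log in as someone else') {
        $req->{params}{act} = '';   # changes only this request's copy
        return 401;
    }
    return 200;
}

# Client side (hypothetical model of a browser): resend the same request,
# swapping in newly typed credentials after each 401.
sub browser_fetch {
    my ($cache, $params, @typed) = @_;   # @typed: what the user enters per prompt
    my @log;
    for (1 .. 5) {                       # cap on attempts
        my $status = handle({ auth => $cache->{cred}, params => { %$params } });
        push @log, $status;
        return @log if $status == 200;
        last unless @typed;              # user gives up at the dialog
        $cache->{cred} = shift @typed;   # browser caches the new credentials
    }
    return @log;
}

my %cache = (cred => ['john', 'pw1']);   # john is already authenticated

# The "Log in as someone else" request: every retry still carries 'act',
# so valid credentials for mary, then john, are both answered with 401.
my @switch = browser_fetch(\%cache, { act => 'Log in as someone else' },
                           ['mary', 'pw2'], ['john', 'pw1']);
print "switch-user request: @switch\n";

# Any other page: the cached credentials are resent and accepted,
# so nobody was actually logged out.
my @plain = browser_fetch(\%cache, {});
print "plain request as $cache{cred}[0]: @plain\n";
```

The server holds no per-user state it could revoke; the only copy of the login lives in the browser's credential cache, which is why a server-side session scheme is suggested above.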