mod_perl authorization and time-outs ... without cookies?

spq has asked for the wisdom of the Perl Monks concerning the following question:

OK, so I've dusted off my 'Writing Apache Modules' book and set out to set up my first user login and resource authorization code (Linux 2.4.10, Apache 1.3.20). I'd like to avoid using cookies. I'd prefer to use basic auth so the browsers can hand the username and password stuff automatically, and all the authentication and authorization can be managed with Apache modules at the apropriate request phases.

So far not too bad. But I'm supposed to have sessions time-out after some amount of time. I'm having trouble conceiving a mothodology that doesn't use cookies, uses the standard basic auth (under an ssl site, BTW), and refuses auth if no activity past timeout period. I've been playing around with IPC::Sharable. I'm using a MySQL database to store usernames and passwords and such. I have a 'Session' table which includes a timestamp field. I've considered IPC::Shareable.

The best I've come up with using persistant session tracking without cookies will refuse auth after timeout, requiring the user to log in again. Where it fails is that if a user has closed the browser and returns to the site, they have to log in (basic auth), but then a timed out session is found for that user, and they would be asked to log in a second time.

So, does anyone know a way around this? Is there a way to know that a request is fresh (the first time a user fills in the username and password, rather than when the browser just hands it in automatically - looks the same in the header to my inexperienced eyes)? A way to hand a session key, or username/password or such back and forth between browser and server without using cookies? Is there a whole better way to do this? Or should I just give in and use cookies, and/or skip using basic Auth?

Pointers to docs/how-to's etc gladly accepted, and
TIA!

Sean

Comment on mod_perl authorization and time-outs ... without cookies?

Replies are listed 'Best First'.
Re: mod_perl authorization and time-outs ... without cookies? by Fletch (Bishop) on Apr 19, 2002 at 21:15 UTC
Send session tokens in the URL rather than a cookie. Rewrite any URLs on your site to start with the session token (e.g. something like `/!3ccc23b0d33fdac693ae2771d72e85f2!/real/page`). Have a `PerlTransHandler` which strips out the token on incomming requests and stashes it with `$r->pnotes()`. The (excellent) mod_perl Developer's Cookbook (ISBN 0672322404) has a recipie (12.3) for doing just this.	[reply] [d/l] [select]
Re: mod_perl authorization and time-outs ... without cookies? by JayBonci (Curate) on Apr 19, 2002 at 21:53 UTC
Depending on how you want to work it, you could also use standard CGI.pm (instead of creating a perl handler to strip off URL info in mod_perl), by adding on to the url string like: `http://www.perlmonks.org/?user=jaybonci&session=1348213xsd24gf12341s\| +junk` [download] ...and then making sure all of your links and forms add the current session to the browser. This is avery common web practice. --jb	[reply] [d/l]
Re: Re: mod_perl authorization and time-outs ... without cookies? by TheHobbit (Pilgrim) on Apr 20, 2002 at 10:24 UTC
Hi, I don't like the ident in the URL, this make messy URLs :) (I agree, is a matter of personal taste). As in any case you have a script which filter your request, why don't use POST method and made the section id a hidden param? This leave you with the problem to force the person to retape his password. But this could be achieved (for instance) by aving the script generating the Realm name on a per-session base, so that when the session timeout, you start a new one which implies sending a new realm name to the client, so forcing it to ask again the password to the user. Disclaimer: I do not know if the above approach would work, nor if it is secure to do it. Cheers Leo TheHobbit GED/CS d? s-:++ a+ C++ UL+++ P+++>+++++ E+ W++ N+ o K? !w O? M V PS+++ PE-- Y+ PPG+ t++ 5? X-- R+ tv+ b+++ DI? D G++ e(++++) h r++ y+++()	[reply]
Re: mod_perl authorization and time-outs ... without cookies? by samtregar (Abbot) on Apr 19, 2002 at 23:39 UTC
Or should I just give in and use cookies, and/or skip using basic Auth? Yes, you should. Certainly there are ways to work around not using cookies, but why bother? This is one wheel that's not worth reinventing. -sam	[reply]
Re: Re: mod_perl authorization and time-outs ... without cookies? by Ryszard (Priest) on Apr 20, 2002 at 06:31 UTC
but why bother? This is one wheel that's not worth reinventing WAP devices such as phones/pdas that cannot take cookies People who want to turn cookies off to avoid being tracked IMO If I were to build a session management module that didnt use cookies, I would be putting the session id as a parameter, and rotating the sess_id each page view (to avoid replay). This is a nice easy and relatively secure method that will slot in easily with CGI.pm and anything you may have written already, all you have to do is substitute the cookie value for the param value!	[reply]