theirpuppet has asked for the wisdom of the Perl Monks concerning the following question:

My problem is that I need to provide cross-realm authentication. A script in one domain will authenticate and redirect users to different domains. This is for webmail, and cross-realm is a necessity.

So I've got my first script; it lives in one domain, and everyone comes there and fills in their user/pass. It then validates this info and then redirects the user to a script living in the domain of choice (this is defined per user along with their user/pass). The second script will then either set a cookie or be the PerlAuthenHandler to actually grant the access token. Cookies and Basic HTTP Auth aren't cross-realm, so a trick like this is necessary. Besides, it's what I think Hotmail/Passport is doing.

So, because sensitive info will be passed around (I'll be passing encrypted data and stuff for validation) between the first and second script, I'd rather it not be a GET request. How can I send a redirect to the browser and have it submit my info as a POST request to the second script?

Replies are listed 'Best First'.
Re: POST redirect for auth
by valdez (Monsignor) on Jan 22, 2003 at 14:37 UTC

    If I recall correctly, it's impossible to issue a redirect with POST (see section 10.3 of RFC 2616); in other words, you can't use a Location header to issue a POST redirect. However, you can ask the browser to redirect a POST request.

    A possible solution is the use of tickets: redirect users to their destination with a "one-time code" that the final server can use to verify identity (contacting the login server behind the scenes).

    Ciao, Valerio
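
The ticket scheme suggested in the reply above, as an added example (not code from the thread): the login server issues an opaque single-use code, and the destination server redeems it over a back channel, so only the code travels through the browser redirect. The function names, the in-memory `%tickets` hash standing in for the login server's shared store, the 60-second lifetime, the host names and the availability of `/dev/urandom` are all assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);

my $TTL = 60;    # seconds a ticket stays valid (assumed value)
my %tickets;     # stand-in for the login server's ticket store

# Login server: called only after the user/pass check has succeeded.
sub issue_ticket {
    my ($user, $dest_host) = @_;
    open my $fh, '<:raw', '/dev/urandom' or die "no random source: $!";
    read($fh, my $raw, 32) == 32 or die "short read from /dev/urandom";
    close $fh;
    my $ticket = unpack 'H*', $raw;    # 64 hex characters, unguessable
    # Store only a hash, so a leaked store does not yield usable tickets.
    $tickets{ sha256_hex($ticket) } = {
        user => $user, dest => $dest_host, expires => time() + $TTL,
    };
    return $ticket;
}

# Login server: back-channel call made by the destination server.
# Returns the user name, or undef if the ticket must be refused.
sub redeem_ticket {
    my ($ticket, $dest_host) = @_;
    return unless defined $ticket && $ticket =~ /\A[0-9a-f]{64}\z/;
    # delete() removes the record on first use, so a replay finds nothing.
    my $rec = delete $tickets{ sha256_hex($ticket) } or return;
    return if time() > $rec->{expires};       # too old
    return if $rec->{dest} ne $dest_host;     # issued for another realm
    return $rec->{user};
}

# Constructed walk-through with made-up hosts.
my $t = issue_ticket('alice', 'mail.example.org');
print "Location: https://mail.example.org/auth?ticket=$t\n";
printf "first redeem: %s\n", redeem_ticket($t, 'mail.example.org') // 'refused';
printf "replay:       %s\n", redeem_ticket($t, 'mail.example.org') // 'refused';
my $t2 = issue_ticket('alice', 'mail.example.org');
printf "wrong host:   %s\n", redeem_ticket($t2, 'mail.example.net') // 'refused';
```

In a deployment the redeem call would itself be authenticated (for example, restricted to the destination servers), since it is what turns a ticket into an identity.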