Anonymous Monk has asked for the wisdom of the Perl Monks concerning the following question:

I would like to be able to put a link on a page which would disable the user's current session causing Apache to request new authentication.

I've been searching for about a week or so and I am only coming across scripts and Perl script handlers to add to Apache. Or just to use cookies.

I am trying to find a solution which does not need me to create cookies.

So, my question is, is there a way to somehow flush or invalidate the user's authentication information in the current session without closing their browser? Which will then make Apache prompt the user when they go back to any of the pages that required authentication in the first place.

Thanks

Replies are listed 'Best First'.
Re: Need help creating an Apache session logout script with Perl/CGI without the use cookies.
by cees (Curate) on Sep 07, 2003 at 05:23 UTC

    If you want to continue using basic authentication, then you can look into changing the authentication realm dynamically when you want a user to log out. The new realm will trigger the client to ask for new credentials to authenticate in the new realm.

    I don't know if your current method will allow that, but you could do it with a custom mod_perl Authentication Handler.

    Basic authentication is generally not considered that flexible when it comes to allowing users to log out, but the realm trick can work.

    Cees

Re: Need help creating an Apache session logout script with Perl/CGI without the use cookies.
by merlyn (Sage) on Sep 08, 2003 at 15:21 UTC
    There is no consistent reliable way to ensure that a browser will stop sending BasicAuth once properly authenticated.

    And since you ruled out cookies, that leaves you with mangled URLs or hidden form elements as the only other ways of tracking session. Pick one, and use it. There are really no alternatives.

    -- Randal L. Schwartz, Perl hacker
    Be sure to read my standard disclaimer if this is a reply.

Re: Need help creating an Apache session logout script with Perl/CGI without the use cookies.
by sgifford (Prior) on Sep 07, 2003 at 03:16 UTC
    How are you doing authentication now?
      I'm currently using authdbm in the Apache httpd.conf file. I was on the chatterbox and perrin pointed me to Apache::AuthCookieURL. If you know of another solution or have any examples I would greatly appreciate it.

      I am also running with mod_perl. I've seen someone mention using cookies but then using pathinfo instead. Do you have any information about that? I think they were using Apache::Session.

      I want to be able to make Apache reprompt the user for authentication if they go back to any of the restricted pages.
        That's what I figured. You simply have to tell the browser the password was rejected; it should then discard the password they entered, and they'll be logged out. The error code that says "Sorry, wrong password!" is 401, so you want to create a script that will send back an appropriate 401 error, and then create a button or link that runs that script. The easiest way to figure out what to send is to manually conduct an HTTP conversation, and see what Apache sends when you don't give a password. That's pretty much what your script will have to send.

        For standard CGI scripts, you can set the status by including a Status header. I'm not sure how to do it under mod_perl.
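
The 401 response described in sgifford's reply above, sketched as a plain CGI script. This is an added example, not code from the thread; the script name `logout.cgi` and the realm string are assumptions, and the realm has to match the `AuthName` of the protected area.

```perl
#!/usr/bin/perl
# Added example: logout.cgi, a plain CGI script that answers every request
# with the same kind of 401 challenge Apache sends when no password is given.
use strict;
use warnings;

# Assumption: must match the AuthName of the protected area in httpd.conf.
my $REALM = 'Restricted Area';   # hypothetical realm name

# Build the raw CGI response: headers, blank line, body.
sub logout_response {
    my ($realm) = @_;

    # The realm travels inside a quoted header value: drop control
    # characters (CR/LF would split the header) and escape \ and ".
    $realm =~ s/[\x00-\x1f\x7f]//g;
    $realm =~ s/(["\\])/\\$1/g;

    my $body = <<'HTML';
<html><head><title>Logged out</title></head>
<body><p>You have been logged out. Cancel the password prompt to stay
logged out, or enter credentials to log in again.</p></body></html>
HTML

    my @headers = (
        'Status: 401 Unauthorized',                  # CGI way to set the response status
        qq{WWW-Authenticate: Basic realm="$realm"},  # challenge for the protected realm
        'Cache-Control: no-store',                   # keep the 401 page out of caches
        'Content-Type: text/html; charset=iso-8859-1',
    );
    return join("\r\n", @headers) . "\r\n\r\n" . $body;
}

print logout_response($REALM);
```

Whether the browser then forgets the stored password varies by browser, which is the limitation merlyn's reply describes.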