in reply to Need help creating an Apache session logout script with Perl/CGI without the use cookies.

How are you doing authentication now?

Re: Re: Need help creating an Apache session logout script with Perl/CGI without the use cookies.
by robbin (Initiate) on Sep 07, 2003 at 03:39 UTC
    I'm currently using authdbm in the Apache httpd.conf file. I was on the chatterbox and perrin pointed me to Apache::AuthCookieURL. If you know of another solution or have any examples I would greatly appreciate it.

    I am also running with mod_perl. I've seen someone mention using cookies but then using pathinfo instead; do you have any information about that? I think they were using Apache::Session.

    I want to be able to make Apache reprompt the user for authentication if they go back to any of the restricted pages.
      That's what I figured. You simply have to tell the browser the password was rejected; it should then discard the password they entered, and they'll be logged out. The error code that says "Sorry, wrong password!" is 401, so you want to create a script that will send back an appropriate 401 error, and then create a button or link that runs that script. The easiest way to figure out what to send is to manually conduct an HTTP conversation, and see what Apache sends when you don't give a password. That's pretty much what your script will have to send.

      For standard CGI scripts, you can set the status by including a Status header. I'm not sure how to do it under mod_perl.

        I think you also need to specify the realm, so a simple CGI script may not suffice, though I haven't tested it. It is simpler to use Apache: create another protected area with the same realm (same AuthName), but with an empty passwd file, and redirect users that want to log out there:

        <Location "/protected">
            ErrorDocument 401 /docs/register.html
            Order deny,allow
            Deny from all
            AuthType Basic
            AuthUserFile /path/to/real/passwd
            AuthName "Protected Area"
            Require valid-user
            satisfy any
        </Location>

        <Location "/protected/logout">
            ErrorDocument 401 /docs/loggedout.html
            Order deny,allow
            Deny from all
            AuthType Basic
            AuthUserFile /path/to/empty/passwd
            AuthName "Protected Area"
            Require valid-user
            satisfy any
        </Location>

        You can also use the Apache ErrorDocument directive to show user-friendly messages.

        I don't like this solution because it forces final users to fail a login to be logged out. With mod_perl it is possible to build very neat and sophisticated authentication systems; chapter 6 of Writing Apache Modules with Perl and C is about Authentication & Authorization and is available online here.

        HTH, Valerio

        So if I'm following sgifford correctly, this should do it:
        print "Status: 401\n";
        print "Redirect: $0\n";


        (the redirect header might not be the exact syntax.. I forget)
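
Added example (not part of the original thread and not any poster's code): a CGI script that returns the 401 response discussed above, with a WWW-Authenticate header carrying the same realm as the AuthName in the configuration quoted in the thread. The function name logout_response and the body text are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example: CGI "logout" endpoint for HTTP Basic authentication.
use strict;
use warnings;

# Assumption: this must match the AuthName of the protected area exactly,
# because browsers cache Basic credentials per realm.
my $REALM = 'Protected Area';

# Build the raw CGI response (headers, blank line, body) as one string.
sub logout_response {
    my ($realm) = @_;

    # A CR or LF in the realm would allow extra headers to be injected.
    die "invalid realm\n" if $realm =~ /[\r\n]/;

    # The realm is sent as a quoted-string: escape backslash and double quote.
    (my $quoted = $realm) =~ s/(["\\])/\\$1/g;

    my $body = "You have been logged out.\n";

    return join("\n",
        'Status: 401 Unauthorized',                   # CGI status header
        qq{WWW-Authenticate: Basic realm="$quoted"},  # challenge for the same realm
        'Cache-Control: no-store',                    # keep this response out of caches
        'Content-Type: text/plain; charset=utf-8',
        'Content-Length: ' . length($body),
        '',                                           # blank line ends the headers
        $body,
    );
}

# Emit the response when run as a CGI script; stay silent when loaded via require.
print logout_response($REALM) unless caller;
```

How a browser treats its cached credentials after this response varies, so check the behaviour in each browser the site has to support.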