OK, so I've dusted off my 'Writing Apache Modules' book and set out to set up my first user login and resource authorization code (Linux 2.4.10, Apache 1.3.20). I'd like to avoid using cookies. I'd prefer to use basic auth so the browsers can hand the username and password stuff automatically, and all the authentication and authorization can be managed with Apache modules at the appropriate request phases.

So far not too bad. But I'm supposed to have sessions time out after some amount of time. I'm having trouble conceiving a methodology that doesn't use cookies, uses the standard basic auth (under an SSL site, BTW), and refuses auth if no activity past timeout period. I've been playing around with IPC::Shareable. I'm using a MySQL database to store usernames and passwords and such. I have a 'Session' table which includes a timestamp field. I've considered IPC::Shareable.

The best I've come up with using persistent session tracking without cookies will refuse auth after timeout, requiring the user to log in again. Where it fails is that if a user has closed the browser and returns to the site, they have to log in (basic auth), but then a timed-out session is found for that user, and they would be asked to log in a second time.

So, does anyone know a way around this? Is there a way to know that a request is fresh (the first time a user fills in the username and password, rather than when the browser just hands it in automatically - looks the same in the header to my inexperienced eyes)? A way to hand a session key, or username/password or such back and forth between browser and server without using cookies? Is there a whole better way to do this? Or should I just give in and use cookies, and/or skip using basic Auth?

Pointers to docs/how-to's etc gladly accepted, and
TIA!

Sean

In reply to mod_perl authorization and time-outs ... without cookies? by spq
