in reply to Re^2: site access: Apache Basic auth vs. CGI::Session and cookies
in thread site access: Apache Basic auth vs. CGI::Session and cookies

It would seem somewhat simpler to not even bother with HTTP authorization and just use cookies and my own webapp code to decide whether users are logged in or out
No, don't go there, it does not make sense to have each and every web application manage session or authorization cookies.

The common solution is to setup an 1) Authentication and an 2) Authorization Handler, as Perl modules that are called by the (Apache) webserver upon each url request.

These modules have been written already, an example that you may want to have a look at is AuthCookieDBI.pm

The only thing left with your web application is that you might want to implement a logout button that simply makes a call to the Perl module to have the cookie invalidated. And you will want to create a login page somewhere. That's all.

  • Comment on Re^3: site access: Apache Basic auth vs. CGI::Session and cookies

Replies are listed 'Best First'.
Re^4: site access: Apache Basic auth vs. CGI::Session and cookies
by j3 (Friar) on Apr 10, 2007 at 16:02 UTC

    Thanks for the tip about the common solution varian. I'll keep reading. I still don't see the connection between using Apache and using cookies. I thought cookies were only for setting simple values that I'd be explicitly looking at later in my cgi scripts... but it sounds like there's a connection with the Apache/HTTP auth stuff that I'm unaware of so far.

[reply]

In Section Seekers of Perl Wisdom