tame1 has asked for the wisdom of the Perl Monks concerning the following question:

I need to make Apache run a short script when it goes into certain directories. The obvious thought is that somehow, something in the .htaccess file can be used to make it run the script.

Background: I work at a large company. They have a standardized security system (WSL Auth). If a site contains a .wslauth file, (only on NS Ent. Server), the .wslauth file will say what "group" of people can access the area. If the person doesn't have a cookie set, it sends them to the password server where they "log in", then back to their site where the WSL will then check that cookie's "group" against the allowed group.

My problem is that I am not running NS Ent. Server, I run Apache on Linux. However, everyone wants the other method because it means they only have to memorize one password. My current method means they have to remember a WSL one for the rest of the intranet, and one just for my system.

So, is it possible to make Apache run a perl script from the .htaccess file?
  • Comment on How to cause Apache's .htaccess file to run a Perl script

Replies are listed 'Best First'.
Re: How to cause Apache's .htaccess file to run a Perl script
by arturo (Vicar) on Mar 09, 2001 at 23:38 UTC

    Overpowered answer: yes, in mod_perl; the Apache request lifecycle has an authentication phase, and mod_perl allows you to install a 'handler' which gets called at the beginning of the authentication phase.

    Such a handler could check to see whether the directory corresponding to the requested URI has a .wsl file and do the required work.

    the drawback with this method is that mod_perl is wicked powerful and moderately complex.

[reply]
Re: How to cause Apache's .htaccess file to run a Perl script
by merlyn (Sage) on Mar 09, 2001 at 23:51 UTC
[reply]
Answer: How to cause Apache's .htaccess file to run a Perl script
by dws (Chancellor) on Mar 09, 2001 at 23:58 UTC
    I get the sense that what you're really trying to achieve is password protection for directories. You can easily set up password protection for directories using Apache, though it's not cookie based. See the Apache FAQ for details.

[reply]
      I already have password protection on directories, using Apache's htaccess system. What I need is one that can send the user temporarily to another site to enter their username/pass combo, which then sets a cookie. Then I need the Apache server to verify that cookie exists on subsequent visits.

      The expire time is set to '', causing them to have to re-visit the password site each time they open the browser.

      Is that making better sense?

      I have the C code used as a starting point, but it's not working and I am not a C person.

      What does this little button do . .<Click>; "USER HAS SIGNED OFF FOR THE DAY"
[reply]
[d/l]
        That's a combination that may be hard to work with. The last project that I used authentication and Apache together initially used .htaccess files, but we scrapped that in favor of cookie checking code in all pages where users are supposed to be logged in. Here's a simple overview of how it worked:

        Requests to index page were redirected to an SSL page that had a form for username/password entry. A successful username/password entry caused an entry with a generated session ID to be made in an Oracle database, and a cookie was sent back to the browser with the session ID. Once the username and password were authenticated, the user was redirected back to the "logged in" index page. All pages that required a user to be logged in had a bit of code included at the very top that checked the session ID and verified through the DB that the user was logged in. If the cookie was missing, or the user was not listed in the DB, the user was redirected back to the login page.
        Not exactly the best of solutions as far as scalability and speed goes, but it might be a good starting point.

        Guildenstern
        Negaterd character class uber alles!
[reply]

Back to Seekers of Perl Wisdom