problem with Apache2::AuthCookie

problem with Apache2::AuthCookie

am 29.07.2009 21:32:19 von Brian Clarkson

I started having an odd problem with a simple subclass of
Apache2::AuthCookie after a mod_perl upgrade.

When authorization fails, apache apparently returns a forbidden page to
the user (not just a forbidden status to the authentication hook) then
fails to redirect the user back to the login page. The browser actually
displays the following:


ody>

Forbidden

You don't have permission to access /archive/
on this server.

Additionally, a 200 OK error was encountered
while trying to use an ErrorDocument to handle the request.


Apache Server at www.psychonomic.org Port 80

HTTP/1.1 200 OK Date: Mon, 27 Jul 2009 19:54:27 GMT
Server: Apache Keep-Alive: timeout=15, max=88 Connection: Keep-Alive
Transfer-Encoding: chunked Content-Type: text/html; charset=utf-8 fd6

(The code can be seen in action at http://www.psychonomic.org/archive )

Authorization only seems to fail 1 out of 50 times. A similar error
happens when the 'Continue' button on the page is pressed repeatedly (5+
times) without checking the 'I agree' checkbox.

I only need to make sure the user has checked a box agreeing to the
website's terms and conditions. I don't use any kind of user/pass
combinations.

perl 5.8.8
apache 2.2.11
mod_perl 2.0.4


My module code is:

package TermsAndConditions;
use strict;
use Apache2::compat;
use base qw! Apache2::AuthCookie !;

sub authen_cred ($$\@) {
my $self = shift; # Package name (same as AuthName directive)
my $r = shift; # Apache request object
my @cred = @_; # Credentials from login form

return ( $cred[0] ? "authorized" : undef );
}

sub authen_ses_key ($$$) {
my ($self, $r, $session_key) = @_;
return 1;
}

1;

The relevant httpd.conf directives are:



SetHandler perl-script
PerlHandler ModPerl::Registry
Options +ExecCGI
allow from all
PerlSendHeader On





SetHandler perl-script
PerlHandler ModPerl::Registry
Options +ExecCGI
PerlSendHeader On


## These documents require user to be logged in.

Options +ExecCGI
AuthType TermsAndConditions
AuthName PsychoMembers
PerlAuthenHandler TermsAndConditions->authenticate
PerlAuthzHandler TermsAndConditions->authorize
require valid-user
#SetHandler perl-script
#PerlSendHeader On


##this is the action of the login.pl script above.

AuthType TermsAndConditions
AuthName PsychoMembers
SetHandler perl-script
PerlSendHeader On
PerlResponseHandler TermsAndConditions->login