htaccess using AuthCookieDBI not protecting the directory index

htaccess using AuthCookieDBI not protecting the directory index

am 07.09.2009 20:04:05 von Tosh Cooey

Hi, I either have the strangest issue or else I've made a blindingly
obvious error.

I'm trying to protect a directory using Apache2::AuthCookieDBI using the
following .htaccess (I have to use htaccess)

--------------------
PerlModule Apache2::AuthCookieDBI
PerlSetVar berlinPath /berlin/
PerlSetVar berlinLoginScript /login.pl

PerlSetVar berlinSessionTimeout +2h

PerlSetVar berlinDBI_DSN "DBI:mysql:database=berlin"
PerlSetVar berlinDBI_SecretKey "secret"

# DBI access stuff...
PerlSetVar berlinDBI_User "user"
.... etc ...

# Protected by AuthCookieDBI.
AuthType Apache2::AuthCookieDBI
AuthName berlin
PerlAuthenHandler Apache2::AuthCookieDBI->authenticate
PerlAuthzHandler Apache2::AuthCookieDBI->authorize
require valid-user

# Login location.

AuthType Apache2::AuthCookieDBI
AuthName berlin
SetHandler perl-script
PerlHandler Apache2::AuthCookieDBI->login

--------------------

When I go to my protected URL www.myserver.com/berlin/ I am presented
with the login form which I've added some status variables to, the
status is that there is no cookie present, which is to be expected since
nothing has been set yet. Once I send authentication variables I am
still not logged in and I'm given a new URL
www.myserver.com/berlin/LOGIN which is still expected behaviour, but the
status variable is still "no cookie" which means no cookie is being
set. This makes me suspect that I am just dumb and doing something
super-basic wrong, but I can't figure it out.

Ultimately I just need to protect the *.pl files in that directory and
if I wrap the Auth section in:



then calls to www.myserver.com/berlin/index.pl are challenged and
actually the authentication works fine, BUT then the index isn't
protected: www.myserver.com/berlin/ leaving me to wonder how on earth to
protect the index. I didn't want to ask anyone because this seems like
such a trivial and n00b issue but for the life of me I can't figure it out.

So I'd be really happy with one of two solutions, either how to protect
the index, even just cause it to redirect to index.pl, or some deeper
help with the htaccess file above.

Thanks to everyone!

Tosh

--
McIntosh Cooey - Twelve Hundred Group LLC - http://www.1200group.com/

Re: htaccess using AuthCookieDBI not protecting the directory index

am 07.09.2009 21:30:22 von Vegard Vesterheim

On Mon, 07 Sep 2009 20:04:05 +0200 Tosh Cooey wrote:

> Hi, I either have the strangest issue or else I've made a blindingly
> obvious error.
>
> I'm trying to protect a directory using Apache2::AuthCookieDBI using the
> following .htaccess (I have to use htaccess)

Sounds similar to a problem I encountered using
Apache2::AuthCookieDBI. In my case it was related to Apache issuing
subrequests for directory requests. Check out this thread:

http://marc.info/?t=119996312400002&r=1&w=2

My fix was to override the authenticate method to explicitly set the user for
subrequests, something like this:
....
my $status = $self->SUPER::authenticate($r);
$r->user($r->main->user) if (defined $r->main and defined $r->main->user);
...

- Vegard V -