htaccess using AuthCookieDBI not protecting the directory index

htaccess using AuthCookieDBI not protecting the directory index

am 14.09.2009 11:07:25 von Tosh Cooey

Hi, I posted the follow to the mod_perl list:

I'm trying to protect a directory using Apache2::AuthCookieDBI with the
following .htaccess (I have to use htaccess)

--------------------
PerlModule Apache2::AuthCookieDBI
PerlSetVar berlinPath /berlin/
PerlSetVar berlinLoginScript /login.pl

PerlSetVar berlinSessionTimeout +2h

PerlSetVar berlinDBI_DSN "DBI:mysql:database=berlin"
PerlSetVar berlinDBI_SecretKey "secret"

# DBI access stuff...
PerlSetVar berlinDBI_User "user"
.... etc ...

# Protected by AuthCookieDBI.
AuthType Apache2::AuthCookieDBI
AuthName berlin
PerlAuthenHandler Apache2::AuthCookieDBI->authenticate
PerlAuthzHandler Apache2::AuthCookieDBI->authorize
require valid-user

# Login location.

AuthType Apache2::AuthCookieDBI
AuthName berlin
SetHandler perl-script
PerlHandler Apache2::AuthCookieDBI->login

--------------------

When I go to my protected URL www.myserver.com/berlin/ I am presented
with the login form which I've added some status variables to, the
status is that there is no cookie present, which is to be expected since
nothing has been set yet. Once I send authentication variables I am
still not logged in and I'm given a new URL
www.myserver.com/berlin/LOGIN which is still expected behaviour, but the
status variable is still "no cookie" which means no cookie is being
set. This makes me suspect that I am just dumb and doing something
super-basic wrong, but I can't figure it out.

Vegard Vesterheim on the mod_perl list suggested the cause was "related
to Apache issuing subrequests for directory requests. Check out this
thread: http://marc.info/?t=119996312400002&r=1&w=2 "

If this is true then I have trouble believing that this issue hasn't
been addressed at the module level (AuthCookieDBI) since protecting
various directories seems pretty standard.

Anyway, my solution for now is to just protect the *.pl files "\.(pl)$"> and redirect the index to index.pl which is not elegant but
works. Is there a better way?

Thank-you!

Tosh


--
McIntosh Cooey - Twelve Hundred Group LLC - http://www.1200group.com/

------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org