perl-Apache-AuthCookie - Perl Authentication and Authorization via cookies

Property Value
Distribution openSUSE Tumbleweed
Repository openSUSE Oss all
Package filename perl-Apache-AuthCookie-3.27-1.2.noarch.rpm
Package name perl-Apache-AuthCookie
Package version 3.27
Package release 1.2
Package architecture noarch
Package type rpm
Category Development/Libraries/Perl
License Artistic-1.0 OR GPL-1.0-or-later
Maintainer -
Download size 106.23 KB
Installed size 219.45 KB
*Apache::AuthCookie* allows you to intercept a user's first unauthenticated
access to a protected document. The user will be presented with a custom
form where they can enter authentication credentials. The credentials are
posted to the server where AuthCookie verifies them and returns a session
The session key is returned to the user's browser as a cookie. As a cookie,
the browser will pass the session key on every subsequent accesses.
AuthCookie will verify the session key and re-authenticate the user.
All you have to do is write a custom module that inherits from AuthCookie.
Your module is a class which implements two methods:
* 'authen_cred()'
Verify the user-supplied credentials and return a session key. The session
key can be any string - often you'll use some string containing username,
timeout info, and any other information you need to determine access to
documents, and append a one-way hash of those values together with some
secret key.
* 'authen_ses_key()'
Verify the session key (previously generated by 'authen_cred()', possibly
during a previous request) and return the user ID. This user ID will be fed
to '$r->connection->user()' to set Apache's idea of who's logged in.
By using AuthCookie versus Apache's built-in AuthBasic you can design your
own authentication system. There are several benefits.
* 1.
The client doesn't *have* to pass the user credentials on every subsequent
access. If you're using passwords, this means that the password can be sent
on the first request only, and subsequent requests don't need to send this
(potentially sensitive) information. This is known as "ticket-based"
* 2.
When you determine that the client should stop using the
credentials/session key, the server can tell the client to delete the
cookie. Letting users "log out" is a notoriously impossible-to-solve
problem of AuthBasic.
* 3.
AuthBasic dialog boxes are ugly. You can design your own HTML login forms
when you use AuthCookie.
* 4.
You can specify the domain of a cookie using PerlSetVar commands. For
instance, if your AuthName is 'WhatEver', you can put the command
PerlSetVar WhatEverDomain
into your server setup file and your access cookies will span all hosts
ending in ''.
* 5.
You can optionally specify the name of your cookie using the 'CookieName'
directive. For instance, if your AuthName is 'WhatEver', you can put the
PerlSetVar WhatEverCookieName MyCustomName
into your server setup file and your cookies for this AuthCookie realm will
be named MyCustomName. Default is AuthType_AuthName.
* 6.
By default users must satisfy ALL of the 'require' directives. If you want
authentication to succeed if ANY 'require' directives are met, use the
'Satisfy' directive. For instance, if your AuthName is 'WhatEver', you can
put the command
PerlSetVar WhatEverSatisfy Any
into your server startup file and authentication for this realm will
succeed if ANY of the 'require' directives are met.
This is the flow of the authentication handler, less the details of the
redirects. Two REDIRECT's are used to keep the client from displaying the
user's credentials in the Location field. They don't really change
AuthCookie's model, but they do add another round-trip request to the
(-----------------------)     +---------------------------------+
( Request a protected   )     | AuthCookie sets custom error    |
( page, but user hasn't )---->| document and returns            |
( authenticated (no     )     | FORBIDDEN. Apache abandons      |
( session key cookie)   )     | current request and creates sub |
(-----------------------)     | request for the error document. |<-+
| Error document is a script that |  |
| generates a form where the user |  |
return        | enters authentication           |  |
^------------------->| credentials (login & password). |  |
/ \      False        +---------------------------------+  |
/   \                                   |                   |
/     \                                  |                   |
/       \                                 V                   |
/         \               +---------------------------------+  |
/   Pass    \              | User's client submits this form |  |
/   user's    \             | to the LOGIN URL, which calls   |  |
| credentials |<------------| AuthCookie->login().            |  |
\     to      /             +---------------------------------+  |
\authen_cred/                                                   |
\ function/                                                    |
\       /                                                     |
\     /                                                      |
\   /            +------------------------------------+     |
\ /   return    | Authen cred returns a session      |  +--+
V------------->| key which is opaque to AuthCookie.*|  |
True     +------------------------------------+  |
|                  |
+--------------------+         |      +---------------+
|                    |         |      | If we had a   |
V                    |         V      | cookie, add   |
+----------------------------+  r |         ^      | a Set-Cookie  |
| If we didn't have a session|  e |T       / \     | header to     |
| key cookie, add a          |  t |r      /   \    | override the  |
| Set-Cookie header with this|  u |u     /     \   | invalid cookie|
| session key. Client then   |  r |e    /       \  +---------------+
| returns session key with   |  n |    /  pass   \               ^
| successive requests        |    |   /  session  \              |
+----------------------------+    |  /   key to    \    return   |
|                    +-| authen_ses_key|------------+
V                       \             /     False
+-----------------------------------+ \           /
| Tell Apache to set Expires header,|  \         /
| set user to user ID returned by   |   \       /
| authen_ses_key, set authentication|    \     /
| to our type (e.g. AuthCookie).    |     \   /
+-----------------------------------+      \ /
(---------------------)              ^
( Request a protected )              |
( page, user has a    )--------------+
( session key cookie  )
*  The session key that the client gets can be anything you want.  For
example, encrypted information about the user, a hash of the
username and password (similar in function to Digest
authentication), or the user name and password in plain text
(similar in function to HTTP Basic authentication).
The only requirement is that the authen_ses_key function that you
create must be able to determine if this session_key is valid and
map it back to the originally authenticated user ID.


Package Version Architecture Repository
perl-Apache-AuthCookie - - -


Name Value
perl(:MODULE_COMPAT_5.28.1) -
perl(Class::Load) >= 0.03
perl(HTTP::Body) -
perl(Hash::MultiValue) -
perl(Test::More) >= 0.94
perl(WWW::Form::UrlEncoded) -


Name Value
perl(Apache2::AuthCookie) = 3.27
perl(Apache2::AuthCookie::Base) = 3.27
perl(Apache2::AuthCookie::Params) = 3.27
perl(Apache2_4::AuthCookie) = 3.27
perl(Apache::AuthCookie) = 3.27
perl(Apache::AuthCookie::Params) = 3.27
perl(Apache::AuthCookie::Params::Base) = 3.27
perl(Apache::AuthCookie::Params::CGI) = 3.27
perl(Apache::AuthCookie::Util) = 3.27
perl-Apache-AuthCookie = 3.27-1.2


Type URL
Binary Package perl-Apache-AuthCookie-3.27-1.2.noarch.rpm
Source Package perl-Apache-AuthCookie-3.27-1.2.src.rpm

Install Howto

Install perl-Apache-AuthCookie rpm package:

# zypper install perl-Apache-AuthCookie




2018-02-07 -
- updated to 3.27
see /usr/share/doc/packages/perl-Apache-AuthCookie/Changes
3.27  2017-07-28
- Fix POD spelling error [#118545].
3.26  2016-09-30
- remove unused module Apache::AuthCookie::Autobox from dist
- remove dependency. has been removed from perl core, which
was the primary reason we used it in the first place.  Replaced with
dependency on lighter weight set of three modules:
* HTTP::Body
* WWW::Form::UrlEncoded
* Hash::MultiValue
Also recommended (but not required) is WWW::Form::UrlEncoded::XS
- Add optional support for charset encoding.  If you have something like
PerlSetVar MyAuthNameEncoding UTF-8
Then AuthCookie with now automatically decode parameters using the given
encoding now. AuthCookie params() data will be decoded automatically if
this is on.  See details in AuthCookie module documentation.  In addition
r->user will be encoded (using byte semantics) using this encoding.
* **** IMPORTANT *****
If you turn this on, this could break your code.  r->user() will now be
byte encoded using the given encoding.  If you use usernames that contain
non-ascii characters you either need to use decoded_user(), or decode
r->user() yourself in your subclasses.
See the AuthCookie docs for more details.
- add optional support for decoding httpd.conf requires directives. This is
enabled with a RequiresEncoding setting:
PerlSetVar MyAuthNameRequiresEncoding UTF-8
Then decoded_requires($r) will return the decoded value of $r->requires
You only need this if you have non-ascii characters in your requires
directives such as:
Requires user programmør
- add decoded_user($r) method to get the value of r->user decoded using
character semantics instead of bytes.  Due to the fact that r->user is a C
API method we cannot get character semantics on r->user directly.  If no
Encoding directive is in effect, then this is the same as r->user.
- add encoding($r): string which returns the value of the Encoding directive
that is in effect for the current request.
2016-08-31 -
- updated to 3.25
see /usr/share/doc/packages/perl-Apache-AuthCookie/Changes
3.25  2016-08-30
- 2.4: fix POD typo and add missing ABSTRACT
- reorganize real.t tests into subtests
- make sure signature test ignores generated files
- remove autobox dependency
- fix authenticate so that r->user is copied from r->main on subrequests.
Previously this was only done for internal redirects (r->prev is defined).
This fixes DirectoryIndexes on AuthCookie enabled directories under apache
2016-01-19 -
- updated to 3.24
see /usr/share/doc/packages/perl-Apache-AuthCookie/Changes
3.24  2016-01-13
- Update Apache 2.4 README, flesh out guts of Authz Provider notes.
- Improve Apache 2.4 README's AuthzProvider documentation
- Add POD to Apache2_4::AuthCookie
- Add FAQ to Apache2_4::AuthCookie documenation
- 2.4: document that PerlAddAuthzProvider is only needed for *custom* Requires directives.
- 2.4: make authz_handler recognize multiple usernames in the directive like
mod_authz_user does.
- add test case for internal authz_handler
- explicitly require Apache::Test 1.39 so that APACHE2_4 defines are set
2015-12-26 -
- updated to 3.23
see /usr/share/doc/packages/perl-Apache-AuthCookie/Changes
3.23  2015-09-10
- Improve CGI mode param() handling to avoi's "param() called in list context" warning.
- add support for Apache 2.4 via mod_perl 1.09.
* **** IMPORTANT *****
Apache 2.4 has a *VERY* different API for authentication.  You will need
to port your subclass and configuration over to the Apache 2.4 API in
order to use Apache 2.4!  Please be sure to read README.apache-2.4.pod for
porting instructions!
2015-04-14 -
- updated to 3.22
see /usr/share/doc/packages/perl-Apache-AuthCookie/Changes
3.22  2014-05-07
3.21  2014-05-07
- Bad release - deleted

See Also

Package Description
perl-Apache-DBI-1.12-1.8.noarch.rpm Initiate a persistent database connection
perl-Apache-Filter-1.024-239.8.i586.rpm Alter the output of previous handlers
perl-Apache-Filter-1.024-239.8.x86_64.rpm Alter the output of previous handlers
perl-Apache-LogFormat-Compiler-0.35-1.4.noarch.rpm Compile a log format string to perl-code
perl-Apache-Session-1.93-1.8.noarch.rpm A persistence framework for session data
perl-Apache-SessionX-2.01-244.8.i586.rpm Persistent Storage for Arbitrary Data (for Embperl)
perl-Apache-SessionX-2.01-244.8.x86_64.rpm Persistent Storage for Arbitrary Data (for Embperl)
perl-Apache2-AuthCookieDBI-2.17-5.10.noarch.rpm An AuthCookie module backed by a DBI database.
perl-App-Ack-2.28-1.1.noarch.rpm Grep-Like Text Finder Perl Module
perl-App-CELL-0.222-1.5.noarch.rpm Configuration, Error-handling, Localization, and Logging
perl-App-CLI-0.50-1.3.noarch.rpm Dispatcher module for command line interface programs
perl-App-Cmd-0.331-1.5.noarch.rpm Write Command Line Apps with Less Suffering
perl-App-Dochazka-CLI-0.238-1.12.noarch.rpm Dochazka command line client
perl-App-Dochazka-Common-0.208-1.3.noarch.rpm Dochazka Attendance and Time Tracking System shared modules
perl-App-Dochazka-REST-0.551-1.4.noarch.rpm Dochazka REST server