I started having an odd problem with a simple subclass of
Apache2::AuthCookie after a mod_perl upgrade.
When authorization fails, apache apparently returns a forbidden page to
the user (not just a forbidden status to the authentication hook) then
fails to redirect the user back to the login page. The browser actually
displays the following:
ody> <h1>Forbidden</h1> <p>You don't have permission to access /archive/
on this server.</p> <p>Additionally, a 200 OK error was encountered
while trying to use an ErrorDocument to handle the request.</p> <hr>
<address>Apache Server at www.psychonomic.org Port 80</address>
</body></html> HTTP/1.1 200 OK Date: Mon, 27 Jul 2009 19:54:27 GMT
Server: Apache Keep-Alive: timeout=15, max=88 Connection: Keep-Alive
Transfer-Encoding: chunked Content-Type: text/html; charset=utf-8 fd6
<!-- psychonomic.org/templates/archive/frontpage.tmpl -->
(The code can be seen in action at http://www.psychonomic.org/archive )
Authorization only seems to fail 1 out of 50 times. A similar error
happens when the 'Continue' button on the page is pressed repeatedly (5+
times) without checking the 'I agree' checkbox.
I only need to make sure the user has checked a box agreeing to the
website's terms and conditions. I don't use any kind of user/pass
combinations.
perl 5.8.8
apache 2.2.11
mod_perl 2.0.4
My module code is:
package TermsAndConditions;
use strict;
use Apache2::compat;
use base qw! Apache2::AuthCookie !;
sub authen_cred ($$\ [at] ) {
my $self = shift; # Package name (same as AuthName directive)
my $r = shift; # Apache request object
my [at] cred = [at] _; # Credentials from login form
return ( $cred[0] ? "authorized" : undef );
}
sub authen_ses_key ($$$) {
my ($self, $r, $session_key) = [at] _;
return 1;
}
1;
The relevant httpd.conf directives are:
<Directory /home/httpd/psychonomic.org/modperl_apps>
<Files login.pl>
SetHandler perl-script
PerlHandler ModPerl::Registry
Options +ExecCGI
allow from all
PerlSendHeader On
</Files>
</Directory>
<Files logout.pl>
SetHandler perl-script
PerlHandler ModPerl::Registry
Options +ExecCGI
PerlSendHeader On
</Files>
## These documents require user to be logged in.
<Directory /home/httpd/psychonomic.org/html/archive>
Options +ExecCGI
AuthType TermsAndConditions
AuthName PsychoMembers
PerlAuthenHandler TermsAndConditions->authenticate
PerlAuthzHandler TermsAndConditions->authorize
require valid-user
#SetHandler perl-script
#PerlSendHeader On
</Directory>
##this is the action of the login.pl script above.
<Location /apps/LOGIN>
AuthType TermsAndConditions
AuthName PsychoMembers
SetHandler perl-script
PerlSendHeader On
PerlResponseHandler TermsAndConditions->login
</Location>
