modperl-deleting_a_cookie

This is part of The Pile, a partial archive of some open source mailing lists and newsgroups.



To: modperl@apache.org
From: Jon Robison <jon.robison@uniphied.com>
Subject: Deleting a cookie
Date: Tue, 27 Nov 2001 08:21:48 -0500

I have created a login system using the wonderful Ticket system from the
Eagle book.  I have modified TicketAccess so that after authentication,
it reviews the arguments in the query string and does push_handler, the
handler being chosen based on the args.

My only problem is that I want to provide the users with a logout button
which will delete the cookie from their browser, yet I cannot find how!
I have reviewed every module on my system with 'Cookie' in the name
(Apache::Cookie, CGI::Cookie, etc.) and nowhere does it tell how to do
this. There is a small mention of changing the expiration to < 0, but
apparently I am doing it wrong (possible confusing point is the use of
an 'expires' value in the cookie itself, separate, I think, from the
'expires' attribute on the cookie?)

I know it is a lot to ask, but I am relatively new to this part of
mod_perl (pushing handlers, etc.), so if anyone can look at this and
replace my BLOCKED comments with a couple of helpful lines, I would
greatly appreciate it! 

Thanks in advance - 

Jonathon Robison


Below is my modified TicketAccess, as well as the Logout module I am
re-directing to for logout action:
=========================================================
package FES::Apache::TicketAccess;

use strict;
use Apache::Constants qw(:common);
use FES::Apache::TicketTool ();

sub handler {
    my $r = shift;
    my %input = $r->args;    # for checking input items
    my $ticketTool = FES::Apache::TicketTool->new($r);
    my($result, $msg) = $ticketTool->verify_ticket($r);
    unless ($result) {
        $r->log_reason($msg, $r->filename);
        my $cookie = $ticketTool->make_return_address($r);
        $r->err_headers_out->add('Set-Cookie' => $cookie);
        return FORBIDDEN;
    }
    ## Here is where we need to insert a push_handler insert. I won't need
    ## the requested uri from the $r, since the $r goes along for the ride
    ## in push_handler

    my $action = defined $input{'act'} ? $input{'act'} : 'view';

    print STDERR "action is defined as $action\n";  ## DEBUGGING

    if ($action eq 'logout') {
        $r->push_handlers('PerlHandler' => 'FES::Control::Logout');
        return OK;
    } elsif ($action eq 'view') {
        $r->push_handlers('PerlHandler' => 'FES::Control::View');
        return OK;
    } else {
        $r->push_handlers('PerlHandler' => 'FES::Control::View');
        return OK;
    }
    ## ARE THOSE THE CORRECT THINGS TO 'RETURN' FOR THESE CASES?

}

1;
==============================================================

And the Logout.pm:

=============================================================
package FES::Control::Logout;

use strict;
use Apache;
use Apache::Constants qw(:common);
use FES::Common::Common qw( header footer);
use CGI qw/:standard/;
use CGI::Cookie;

sub handler {
	my $r = shift;
	my $q = new CGI;
	my $ticket = _get_ticket('r' => $r);

## HERE IS WHERE I NEED TO 1.) DELETE USER'S TICKET COOKIE AND
##                         2.) REDIRECT THEM TO "/FES" (w/o bringing old $r),
##                             (WHERE THEY SHOULD GET A NEW LOGIN SCREEN
##                             BECAUSE COOKIE IS GONE.)

}

sub _get_ticket {
	my $args = {
		'r' => undef,
		@_
		};
	my $r = $args->{'r'};
	my %cookies = CGI::Cookie->parse($r->header_in('Cookie'));    # TESTING
	my %ticket = $cookies{'Ticket'}->value;      # TESTING
	return \%ticket;
}

1;
=====================================================

===

To: Jon Robison <jon.robison@uniphied.com>
From: Mohit Agarwal <mohit@foc.demonhosting.co.uk>
Subject: Re: Deleting a cookie
Date: Tue, 27 Nov 2001 14:38:22 +0000 (GMT)

On Tue, 27 Nov 2001, Jon Robison wrote:

> My only problem is that I want to provide the users with a logout
> button which will delete the cookie from their browser, yet I cannot
> find how!.  I have reviewed every module on my system with 'Cookie'
> in the name (Apache::Cookie, CGI::Cookie, etc.) and nowhere does it
> tell how to do this. There is a small mention of changing the
> expiration to < 0, but apparently I am doing it wrong (possible
> confusing point is the use of an 'expires' value in the cookie
> itself, separate, I think, from the 'expires' attribute on the
> cookie?)

Never tried the negative value for expiration time, but setting it to
a very small value, say 1s, works.  I'm not sure, but setting the
cookie value to null should also have the same effect.

===

To: "modperl@apache.org" <modperl@apache.org>
From: Mithun Bhattacharya <mithun.b@egurucool.com>
Subject: Re: Deleting a cookie
Date: Tue, 27 Nov 2001 19:54:10 +0530

Mohit Agarwal wrote:

> Never tried the negative value for expiration time, but setting it to
> a very small value, say 1s, works.  I'm not sure, but setting the
> cookie value to null should also have the same effect.


I believe setting the expiry date less than the current time should
work.

===

To: Jon Robison <jon.robison@uniphied.com>
From: Nick Tonkin <nick@rlnt.net>
Subject: Re: Deleting a cookie
Date: Tue, 27 Nov 2001 08:15:51 -0800 (PST)

Expiring the cookie works well for me. Here's what I have:

sub handler {

    [ ... ]

    if ($r->uri =~ /logout/) {
        if (my $cookie = destroy_cookie($r)) {
            return logout_screen($r);
        } else {
            return 500;
        }
    }

    [ ... ]

}

sub destroy_cookie {
    my $r = shift;
    
    # you may or may not be using this
    my $auth_domain = $r->dir_config('Auth_Domain');
     
    my $cookie =  Apache::Cookie->new(
        $r,
        expires => "-24h",
        domain  => $auth_domain,
        name    => 'auth', # whatever you've called it
        path    => '/',
        value   => ''
    );
       
    $cookie->bake;
    return $cookie;
}

sub logout_screen {

    [ ... ]

}

1;

===

To: Jon Robison <jon.robison@uniphied.com>
From: Mark Maunder <mark@swiftcamel.com>
Subject: Re: Deleting a cookie
Date: Tue, 27 Nov 2001 20:55:38 +0000

Jon Robison wrote:

> I have created a login system using the wonderful Ticket system from the
> Eagle book.  I have modified TicketAccess so that after authentication,
> it reviews the arguments in the query string and does push_handler, the
> handler being chosen based on the args.
>
> My only problem is that I want to provide the users with a logout button
> which will delete the cookie from their browser, yet I cannot find how!

Jon,

I had the same problem and could not successfully delete the
cookie from all browsers (IE, Netscape, Konqueror, Lynx,
Opera etc.). I eventually solved it by keeping the existing
(session) cookie which was assigned when the user first
logged in, but marking the user as logged out on the server
side.  i.e. associate a user cookie with session data stored
in a database, and instead of deleting the cookie on the
client side, just set something on the server side session
information that marks the user as having logged out. If the
user then logs in again, just reuse the same cookie and mark
the user as having logged in. This way you only have to
assign an authentication cookie once per browser session.

This may be tough to drop into TicketTool because IIRC it
stores the authentication info in the cookie itself, rather
than a server side session it associates with a cookie. Not
very helpful, but it's another approach. I'd like to hear if
you get it working across various browsers by expiring the
cookie - for future ref.

~mark
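
The server-side logout described above, combined with the expired-cookie header from the earlier reply, as an added example that is not code from any poster or from TicketTool. The in-memory %SESSIONS store, the function names and the sample user are assumptions of this example, and it reads /dev/urandom, so it assumes a Unix-like host.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical in-memory store; a real deployment would keep this in a database.
my %SESSIONS;    # session id => { user => ..., logged_in => 0|1 }

sub new_session_id {
    # 16 random bytes from the OS, hex-encoded for use as the cookie value.
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    read($fh, my $buf, 16) == 16 or die "short read from urandom";
    close $fh;
    return unpack 'H*', $buf;
}

# This example issues a fresh id at every login.
sub login {
    my ($user) = @_;
    my $sid = new_session_id();
    $SESSIONS{$sid} = { user => $user, logged_in => 1 };
    return $sid;
}

# Access check: the cookie only names a record; the server-side flag decides.
sub is_authenticated {
    my ($sid) = @_;
    return 0 unless defined $sid && $sid =~ /\A[0-9a-f]{32}\z/;
    my $s = $SESSIONS{$sid} or return 0;
    return $s->{logged_in} ? 1 : 0;
}

# Logout: clear the flag first, then ask the browser to drop the cookie.
# Name and path (and domain, if one was set) must match the original cookie,
# otherwise the browser treats this as a different cookie and keeps the old one.
sub logout {
    my ($sid, $name, $path) = @_;
    $SESSIONS{$sid}{logged_in} = 0 if defined $sid && exists $SESSIONS{$sid};
    return "Set-Cookie: $name=; path=$path; "
         . "expires=Thu, 01 Jan 1970 00:00:00 GMT";
}

my $sid = login('jon');    # constructed sample user
print "before logout: ", is_authenticated($sid), "\n";
print logout($sid, 'Ticket', '/'), "\n";
# A browser that ignored the expiry, or a copied cookie, replays the old value:
print "replayed after logout: ", is_authenticated($sid), "\n";
```

Because the server record is checked on every request, a cookie value that survives in the browser or was copied elsewhere stops working at logout, which expiring the cookie alone cannot guarantee.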
