This is part of The Pile, a partial archive of some open source mailing lists and newsgroups.
To: modperl@apache.org From: Jon Robison <jon.robison@uniphied.com> Subject: Deleting a cookie Date: Tue, 27 Nov 2001 08:21:48 -0500 I have created a login system using the wonderful Ticket system from the Eagle book. I have modified TicketAccess so that after authentication, it reviews the arguments in the query string and does push_handler, the handler being chosen based on the args. My only problem is that I want to provide the users with a logout button which will delete the cookie from thier browser, yet I cannot find how!. I have reviewed every module on my system with 'Cookie' in the name (Apache::Cookie, CGI::Cookie, etc.) and nowhere does it tell how to do this. There is a small mention of changing the expiration to < 0, but apparently I am doing it wrong (possible confusing point is the use of an 'expires' value in the cookie itself, seperate, I think, from the 'expires' attribute on the cookie?) I know it is a lot to ask, but I am relatively new to this part of mod_perl (pushing handlers, etc.), so if anyone can look at this and replace my BLOCKED comments with a couple of helpfull lines, I would greatly appreciate it! Thanks in advance - Jonathon Robison Below is my modified TicketAccess, as well as the Logout module I am re-directing to for logout action: ========================================================= package FES::Apache::TicketAccess; use strict; use Apache::Constants qw(:common); use FES::Apache::TicketTool (); sub handler { my $r = shift; my %input = $r->args; # for checking input items my $ticketTool = FES::Apache::TicketTool->new($r); my($result, $msg) = $ticketTool->verify_ticket($r); unless ($result) { $r->log_reason($msg, $r->filename); my $cookie = $ticketTool->make_return_address($r); $r->err_headers_out->add('Set-Cookie' => $cookie); return FORBIDDEN; } ## Here is where we need to insert a push_handler insert. I won't need ## the requested uri from the $r, since the $r goes along for the ride in ## push_handler my $action = defined $input{'act'} ? $input{'act'} : 'view'; print STDERR "action is defined as $action\n"; ## DEBUGGING if ($action eq 'logout') { $r->push_handlers('PerlHandler' => 'FES::Control::Logout'); return OK; } elsif ($action eq 'view') { $r->push_handlers('PerlHandler' => 'FES::Control::View'); return OK; } else { $r->push_handlers('PerlHandler' => 'FES::Control::View'); return OK; } ## ARE THOSE THE CORRECT THINGS TO 'RETURN' FOR THESE CASES? } 1; ============================================================== And the Logout.pm: ============================================================= package FES::Control::Logout; use strict; use Apache; use Apache::Constants qw(:common); use FES::Common::Common qw( header footer); use CGI qw/:standard/; use CGI::Cookie; sub handler { my $r = shift; my $q = new CGI; my $ticket = _get_ticket('r' => $r); ## HERE IS WHERE I NEED TO 1.) DELETE USER'S TICKET COOKIE AND ## 2.) REDIRECT THEM TO "/FES" (w/o bringing old $r),(WHERE THEY SHOULD GET ## A NEW LOGIN SCREEN BECAUSE COOKIE IS GONE.) } sub _get_ticket { my $args = { 'r' => undef, @_ }; my $r = $args->{'r'}; my %cookies = CGI::Cookie->parse($r->header_in('Cookie')); # TESTING my %ticket = $cookies{'Ticket'}->value; # TESTING return \%ticket; } 1; ===================================================== === To: Jon Robison <jon.robison@uniphied.com> From: Mohit Agarwal <mohit@foc.demonhosting.co.uk> Subject: Re: Deleting a cookie Date: Tue, 27 Nov 2001 14:38:22 +0000 (GMT) On Tue, 27 Nov 2001, Jon Robison wrote: > My only problem is that I want to provide the users with a logout > button which will delete the cookie from thier browser, yet I cannot > find how!. I have reviewed every module on my system with 'Cookie' > in the name (Apache::Cookie, CGI::Cookie, etc.) and nowhere does it > tell how to do this. There is a small mention of changing the > expiration to < 0, but apparently I am doing it wrong (possible > confusing point is the use of an 'expires' value in the cookie > itself, seperate, I think, from the 'expires' attribute on the > cookie?) Never tried the negative value for expiration time, but setting it to a very small value, say 1s, works. I'm not sure, but setting the cookie value to null should also have the same effect. === To: "modperl@apache.org" <modperl@apache.org> From: Mithun Bhattacharya <mithun.b@egurucool.com> Subject: Re: Deleting a cookie Date: Tue, 27 Nov 2001 19:54:10 +0530 Mohit Agarwal wrote: > > Never tried the negative value for expiration time, but setting it to > a very small value, say 1s, works. I'm not sure, but setting the > cookie value to null should also have the same effect. I believe setting the expiry date less than the current time should work. === To: Jon Robison <jon.robison@uniphied.com> From: Nick Tonkin <nick@rlnt.net> Subject: Re: Deleting a cookie Date: Tue, 27 Nov 2001 08:15:51 -0800 (PST) Expiring the cookie works well for me. Here's what I have: sub handler { [ ... ] if ($r->uri =~ /logout/) { if (my $cookie = destroy_cookie($r)) { return logout_screen($r); } else { return 500; } } [ ... ] } sub destroy_cookie { my $r = shift; # you may or may not be using this my $auth_domain = $r->dir_config('Auth_Domain'); my $cookie = Apache::Cookie->new( $r, expires => "-24h", domain => $auth_domain, name => 'auth', # whatever you've called it path => '/', value => '' ); $cookie->bake; return $cookie; } sub logout_screen { [ ... ] } 1; === To: Jon Robison <jon.robison@uniphied.com> From: Mark Maunder <mark@swiftcamel.com> Subject: Re: Deleting a cookie Date: Tue, 27 Nov 2001 20:55:38 +0000 Jon Robison wrote: > I have created a login system using the wonderful Ticket system from the > Eagle book. I have modified TicketAccess so that after authentication, > it reviews the arguments in the query string and does push_handler, the > handler being chosen based on the args. > > My only problem is that I want to provide the users with a logout button > which will delete the cookie from thier browser, yet I cannot find how!. Jon, I had the same problem and could not succesfully delete the cookie from all browsers (IE, Netscape, Konqueror, Lynx, Opera etc.). I eventually solved it by keeping the existing (session) cookie which was assigned when the user first logged in, but marking the user as logged out on the server side. i.e. associate a user cookie with session data stored in a database, and instead of deleting the cookie on the client side, just set something on the server side session information that marks the user as having logged out. If the user then logs in again, just reuse the same cookie and mark the user as having logged in. This way you only have to assign an authentication cookie once per browser session. This may be tough to drop into TicketTool because IIRC it stores the authentication info in the cookie itself, rather than a server side session it associates with a cookie. Not very helpful, but it's another approach. I'd like to hear if you get it working across various browsers by expiring the cookie - for future ref. ~mark ===