This is part of The Pile, a partial archive of some open source mailing lists and newsgroups.
To: modperl@apache.org
From: Neil Conway <nconway@klamath.dyndns.org>
Subject: silly CGI::Cookie bug/frustrations
Date: 07 Jan 2002 06:59:59 -0500
Hi all,
I've spent the last couple hours trying to debug a seemingly simple
piece of code. I've come up with something that seems puzzling (but it's
probably just too early in the morning for me) -- any clarification
would be appreciated.
The code I'm writing is a cookie-based authentication scheme, inspired
by Apache::TicketAccess from the Eagle book (thanks Doug & Lincoln!).
I'm sending the client the ticket cookie like so:
use constant TICKET_NAME => 'AdminTicket';
# ... lots of code
my $ticket = CGI::Cookie->new(-name => TICKET_NAME,
-path => '/'
# more stuff
);
$r->header_out('Set-Cookie' => $ticket);
Now, this seems to work fine. The browser is sent a cookie, and sends it
back to the server when it requests a page that requires authentication.
However, I can't seem to verify the cookie properly. Here's my
verification code:
sub verify_ticket {
my $self = shift;
my $r = $self->{_req};
print STDERR "Cookie: " . $r->header_in('Cookie') . "\n"; #DEBUG
my %cookies = CGI::Cookie->parse($r->header_in('Cookie'));
return (0, 'user has no cookies') unless %cookies;
#DEBUG
my $cookie_name;
foreach (keys %cookies) {
print STDERR "Cookie: [$_] -> [$cookies{$_}]\n";
print STDERR "Cookie name: [$_] ; Expected: [" . TICKET_NAME .
"]\n";
print STDERR "The cookies match.\n" if $_ eq TICKET_NAME;
$cookie_name = $_; # HACK: remember a valid hash key
}
# this does NOT work
#return (0, 'user has no ticket') unless $cookies{TICKET_NAME};
# this works, strangely
return (0, 'user has no ticket') unless $cookies{$cookie_name};
# lots more code
}
(As you can tell, I've been banging my head against the wall for a
while, inserting print statements ;-) ).
I get the following log output:
Cookie:
AdminTicket=ip&127.0.0.1&expires&15&hash&f6o%2BtYJ2AFm1aBy3plFrOigo1yg&user&nconway&time&1010403781
Cookie: [AdminTicket] ->
[AdminTicket=ip&127.0.0.1&expires&15&hash&f6o%2BtYJ2AFm1aBy3plFrOigo1yg&user&nconway&time&1010403781; path=/]
Cookie name: [AdminTicket] ; Expected: [AdminTicket]
The cookies match.
Now, this is as I expected it. However, the commented out code such as:
return (0, 'user has no ticket') unless $cookies{TICKET_NAME};
Doesn't work -- it seems to think that there is no such hash element as
TICKET_NAME.
Since there is only 1 cookie, I used the ugly hack above and iterated
through the keys of the hash and used the only actual hash element. The
weird that is that the value I get from this is 'eq' to TICKET_NAME --
yet, it works, but TICKET_NAME does not. IIRC, if I replace the
instances of TICKET_NAME with its literal value ('AdminTicket'), it also
does not work.
Would someone be kind enough to point out what I've missed? Because I'm
stumped...
Thanks in advance,
Neil
===
To: Neil Conway <nconway@klamath.dyndns.org>
From: Chip Turner <cturner@redhat.com>
Subject: Re: silly CGI::Cookie bug/frustrations
Date: 07 Jan 2002 08:40:29 -0500
Here's a one-liner to show what's happening:
perl -le 'use constant FOO => "bar"; $a{bar} = 1; print "bar: ",
$a{bar}, " FOO: ", $a{FOO}, " +FOO: ", $a{+FOO}'
The "use constant" module does its magic via making a subroutine that
returns the appropriate value. So that means in the example above,
there is a sub in the main:: module called FOO() that always returns
the constant string "bar". You can also see this happen below:
perl -e '$a{time} = $a{+time} = 1; print "$_ => $a{$_}\n" foreach keys %a'
The trick in both places is to tell the aggressive Perl parser that
FOO and time are calls to a function, and not a literal string (like
$a{bar} is). The unary + does that, as would &FOO, FOO(), etc.
So your code will work if you make your return statement:
return (0, 'user has no ticket') unless $cookies{+TICKET_NAME};
Just Another Perl Oddity :)
===