httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Tosh Cooey <>
Subject [users@httpd] htaccess using AuthCookieDBI not protecting the directory index
Date Mon, 14 Sep 2009 09:07:25 GMT
Hi, I posted the follow to the mod_perl list:

I'm trying to protect a directory using Apache2::AuthCookieDBI with the 
following .htaccess (I have to use htaccess)

PerlModule Apache2::AuthCookieDBI
PerlSetVar berlinPath /berlin/
PerlSetVar berlinLoginScript /

PerlSetVar berlinSessionTimeout +2h

PerlSetVar berlinDBI_DSN "DBI:mysql:database=berlin"
PerlSetVar berlinDBI_SecretKey "secret"

# DBI access stuff...
PerlSetVar berlinDBI_User "user"
... etc ...

# Protected by AuthCookieDBI.
  AuthType Apache2::AuthCookieDBI
  AuthName berlin
  PerlAuthenHandler Apache2::AuthCookieDBI->authenticate
  PerlAuthzHandler Apache2::AuthCookieDBI->authorize
  require valid-user

# Login location.
<Files LOGIN>
  AuthType Apache2::AuthCookieDBI
  AuthName berlin
  SetHandler perl-script
  PerlHandler Apache2::AuthCookieDBI->login

When I go to my protected URL I am presented 
with the login form which I've added some status variables to, the 
status is that there is no cookie present, which is to be expected since 
nothing has been set yet.  Once I send authentication variables I am 
still not logged in and I'm given a new URL which is still expected behaviour, but the 
  status variable is still "no cookie" which means no cookie is being 
set.  This makes me suspect that I am just dumb and doing something 
super-basic wrong, but I can't figure it out.

Vegard Vesterheim on the mod_perl list suggested the cause was "related 
to Apache issuing subrequests for directory requests. Check out this 
thread: "

If this is true then I have trouble believing that this issue hasn't 
been addressed at the module level (AuthCookieDBI) since protecting 
various directories seems pretty standard.

Anyway, my solution for now is to just protect the *.pl files <Files ~ 
"\.(pl)$"> and redirect the index to which is not elegant but 
works.  Is there a better way?



McIntosh Cooey - Twelve Hundred Group LLC -

The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message