[pubcookie-users] Application-controlled authorization

[Nathan Dors]

The pubcookie interface is mostly a declarative one managed 
at the module/filter level. But mod_pubcookie also supports what's 
sometimes called "lazy sessions" via its on-demand functionality:

http://www.pubcookie.org/docs/mod_pubcookie-directives.html#PubcookieOnDemand

This feature is still configured declaratively, but applications 
control the timing of things (the so-called lazy aspect of it) by 
setting a specific cookie. It's not quite the API-like interface 
that you seem to be interested in, but it's maybe worth a look.

-Nathan


On Fri, 15 Apr 2005, Ian Bicking wrote:

> One thing I'd like to be able to do is control from my applications when 
> login is requird, but I'm not sure if I can do that with pubcookie.  For 
> instance, lets say I configure this:
>
>
> PubcookieAuthTypeNames EGNetID # and all the other stuff
>
> <Location "/myapp/">
>  AuthType EGNetID
>  PubcookieAppID myapp
> </Location>
>
> Then I send a response like:
>
> Status: 401 Unauthorized
> WWW-Authenticate: EGNetID realm="myapp"
>
> I was hoping that mod_pubcookie would see that and redirect the user to the 
> appropriate page.  But no such luck.  Is anything like this possible?  I'd 
> like to be able to control restrictions without reconfiguring Apache, and 
> inside applications where I can't add .htaccess files.
>
> Or, if I just have to create a full response with a redirect to the login 
> server, that's okay too, but I'm not sure what's all involved with that 
> (there's some big cookies in there).  It's also not clear why it doesn't give 
> a redirect... browser bugs with setting cookies on redirect?  Or use a 
> Javascript redirect, which seems like a better experience when possible.
>
> -- 
> Ian Bicking  /  ianb at colorstudy.com  /  http://blog.ianbicking.org
> _______________________________________________
> pubcookie-users mailing list
> pubcookie-users at u.washington.edu
> http://mailman1.u.washington.edu/mailman/listinfo/pubcookie-users
>