[pubcookie-users] Application-controlled authorization

Ian Bicking ianb at colorstudy.com
Tue Apr 19 10:53:19 PDT 2005


Nathan Dors wrote:
> The pubcookie interface is mostly a declarative one managed at the 
> module/filter level. But mod_pubcookie also supports what's sometimes 
> called "lazy sessions" via its on-demand functionality:
> 
> http://www.pubcookie.org/docs/mod_pubcookie-directives.html#PubcookieOnDemand 
> 
> 
> This feature is still configured declaratively, but applications control 
> the timing of things (the so-called lazy aspect of it) by setting a 
> specific cookie. It's not quite the API-like interface that you seem to 
> be interested in, but it's maybe worth a look.

I'm thinking it makes more sense, when I want to force login, to 
redirect the user to a known location that requires login.  E.g., I 
redirect them to /login-required/redirect?url=original_location -- and 
then that is set to require login, and once they've logged in they get 
redirected back (redirected twice, actually).  That's not quite as 
elegant as a 401 response, but it doesn't require the applications to 
know much about the login process, and it doesn't require me to 
reconfigure Apache when deploying an application that requires selective 
authentication.

I must admit, I get a little worried I'm going down the wrong path with 
Pubcookie.  Maybe you can discourage or reassure me.  My primary goal is 
to unify the login process for a variety of systems running under one 
Apache server.  We have lots of different login systems for each 
environment (static files with Apache authentication, Zope, PHP, etc). 
We could use only Apache authentication, but HTTP Basic authentication 
is such a horrible user experience that we can't commit to that.  So 
Pubcookie offers a good experience there, and the forking validator is 
very useful to us, but there are a couple of other systems to do the same 
thing in Apache (though often poorly implemented -- I sometimes feel 
like this is something kind of novel, even though it seems like a very 
common requirement).

Pubcookie's other features will probably be useful, even if we aren't 
dealing with them now -- things like multiple server logins -- but I'm 
starting to feel worried about all the complexity and things I don't 
understand (like keyserver and logouts, and now I'm noticing that I get 
weird redirects when I'm not using https).  Is my kind of usage scenario 
reasonable with pubcookie?  I think *I* can get it to work, but I'm not 
sure if the result will be maintainable for other people in my company, 
or something I should encourage other people to use.  This is as much a 
question about the future of pubcookie as its current state, so if you 
have any thoughts...

(huh, and then I just came upon CoSign, which seems almost exactly the 
same as Pubcookie but with slightly fewer features...)

-- 
Ian Bicking  /  ianb at colorstudy.com  /  http://blog.ianbicking.org
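The redirect-to-a-protected-location scheme described in the message above, as an added example that is not from the original post or from Pubcookie itself: a minimal WSGI handler for the one Apache-protected path. It assumes Apache is configured so that only this path requires a Pubcookie login and that mod_pubcookie exposes the logged-in user as REMOTE_USER; LOGIN_PATH, safe_return_target and run are hypothetical names, and the check on the url parameter keeps the return redirect on the same host.

```python
# Added example, not code from the post or from Pubcookie. Assumes Apache
# requires a Pubcookie login for LOGIN_PATH only and sets REMOTE_USER.
from urllib.parse import parse_qs, urlsplit, quote

LOGIN_PATH = "/login-required/redirect"   # the single protected location (assumed)

def safe_return_target(url):
    """Accept only a path on this host; reject anything that could send the
    user elsewhere (absolute URLs, scheme-relative //host, backslashes)."""
    if not url or not url.startswith("/") or url.startswith("//") or "\\" in url:
        return None
    parts = urlsplit(url)
    if parts.scheme or parts.netloc:
        return None
    return url

def force_login_url(original_location):
    """What an application redirects to when it decides a request needs login."""
    return LOGIN_PATH + "?url=" + quote(original_location, safe="")

def login_redirect_app(environ, start_response):
    """Runs at LOGIN_PATH. Apache/mod_pubcookie only admits authenticated
    users here, so by the time this runs the login has already happened."""
    if not environ.get("REMOTE_USER"):
        # Misconfiguration guard: Apache should never pass an anonymous
        # request through to this path.
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"login required but REMOTE_USER is not set\n"]
    qs = parse_qs(environ.get("QUERY_STRING", ""))
    target = safe_return_target(qs.get("url", [""])[0])
    if target is None:
        target = "/"          # fall back to the site root rather than trust the value
    start_response("302 Found", [("Location", target)])
    return [b""]

def run(environ):
    """Small driver: returns (status, Location header) for a given WSGI environ."""
    captured = {}
    def start_response(status, headers):
        captured["status"] = status
        captured["headers"] = dict(headers)
    b"".join(login_redirect_app(environ, start_response))
    return captured["status"], captured["headers"].get("Location")

if __name__ == "__main__":
    # Constructed environ: a user already logged in by mod_pubcookie.
    print(run({"REMOTE_USER": "alice", "QUERY_STRING": "url=%2Fapp%2Fpage%3Fx%3D1"}))
```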

