[MKDoc-dev] Using cookie/ticket authentication rather than Basic Auth

Chris Croome chris at webarchitects.co.uk
Sat Sep 25 19:12:09 BST 2004


Hi

On Sun 26-Sep-2004 at 12:42:06AM +1000, Charlie Garrison wrote:
> 
> I am looking for feedback on whether to add new functionality as part of MKDoc
> or create my own modules that subclass MKDoc.
> 
> I have a need to use cookie/ticket based authentication (due to systems used
> in related sites). So that MKDoc can integrate better with the related sites,
> I want to use our existing ticket based authentication. In this case I think
> it makes sense to create new modules, eg:
> 
> MKDoc::Auth::Handler::AuthenticateTkt
> MKDoc::Auth::Handler::AuthenticateOptTkt
> 
> And a new plugin:
> 
> MKDoc::Auth::Plugin::LoginTkt
> 
> I'm still looking into it so I don't have clear ideas yet on the best way to
> do what I want. The apache mod_auth_tkt module sets the user credentials and
> REMOTE_USER when a valid cookie/ticket is received. I did a quick test with
> mod_auth_tkt and MKDoc v1.6 and it seemed to work fine. That was using my
> external login scripts, and I want to make the login script (& related
> modules) part of MKDoc.

Sounds good to me, I went to look at the mod_auth_tkt web site but
it seems to be down at the moment: 

  http://www.openfusion.com.au/labs/mod_auth_tkt/

This is the Wayback Machine's latest copy:

  http://web.archive.org/web/20040208123643/http://www.openfusion.com.au/labs/mod_auth_tkt/

It looks like a cool module, nice that it does this:

  4. Drop-in replacement for Basic Authentication: mod_auth_tkt sets
     the Basic Authentication REMOTE_USER environment variable on
     authorised requests, so that existing scripts that work with Basic
     Authentication should work unchanged in a mod_auth_tkt environment.

> So I just need to know whether I should make changes in the mkd source tree,
> or create my own modules as subclass of MKDoc. Any suggestions or opinions?

Bruno might have some thoughts about the naming of perl modules and
at some point it probably makes sense to look at reorganising all
the naming and in the meantime your suggestion seems fine to me :-)

I'd be happy for this code to be in MKDoc, perhaps the way it could
work is for there to be an option when a site is installed to
select cookie or httpd authentication (perhaps the default should
stay with http authentication)?

Or if mod_auth_tkt is installed and detected when the MKDoc site is
being installed then there could then be an option for cookie
authentication to be enabled? 

Perhaps it might even be possible to offer HTTP authentication to
clients when cookie authentication is the default but the client's
browser is rejecting cookies? But if it isn't then this doesn't
matter.

If there is a variable that we can access in the templates based on
which authentication method is being used then we can serve a login
form via the login template fragment when it's needed for cookie
authentication. 

> PS. I'm not making any comments on http authentication by choosing a
> cookie-based approach. Personally, I think the way MKDoc gets around the
> logout limitation of http auth is quite clever. It's just not what I need in
> this case.

No problem :-)

The HTTP authentication support in 1.8 is a lot nicer than in 1.6,
only one domain is needed, you can login, logout and also login as
another user and do all this without restarting your web browser,
also there is an article about this here if people want to know how
it works (though it might be a bit out of date):

  http://wiki.slugbug.org.uk/HTTP_Authentication

Some of the templates for the authentication need sorting out
though, by default the templates from the module on CPAN are used and
these don't match the new XHTML / CSS design. I'll look at fixing
this next week.

Another thing that would be good to have in the medium term is
support for HTTP digest authentication, there is this demo module
for doing it with apache 1.3 here:

  http://search.cpan.org/~geoff/Apache-AuthDigest-0.022/API/API.pm

But it seems that it would probably be better to wait for mod_perl 2
to become more stable, switch MKDoc to use apache 2.1 and then use
this module, it looks very cool:

  http://search.cpan.org/~geoff/Apache-AuthenHook-2.00_03/AuthenHook.pm

One for the TODO list I think!

Chris

-- 
Chris Croome                               <chris at webarchitects.co.uk>
web design                             http://www.webarchitects.co.uk/ 
web content management                               http://mkdoc.com/   

