[Catalyst] New Auth/Session Stuff

Yuval Kogman nothingmuch at woobling.org
Wed Nov 30 15:20:12 CET 2005


On Wed, Nov 30, 2005 at 08:55:03 -0500, Christopher H. Laco wrote:
> Everything Just Worked. Bravo to everyone involved. I spent more time
> installing PREREQS than I did getting login/logout auth+session into my
> Catalyst app. That's a very very good thing.

Woot!

> Now, on to the questions! :-)
> 
> First, after I call $c->login(id, pass), I have a user hash object and
> on further requests, it comes from the session.
> 
> Just out of curiosity under TT, [% c.user.id %] returns nothing but
> [% c.user.password %] returns the password. Is this a bug?

User::Hash has no ID unless you put it in.

Look at the live_app_session.t test in C::P::Authentication - this
is a hack to make User::Hash *use* ids by force.

This is because User::Hash's role is to actually provide a framework
for potentially store-less authentication (e.g. TypeKey) to build
on.

The reason it works this way with Store::Minimal is because that's
obviously for testing and quickstarting. I can make it "safer" but I
see no gain. With real stores the session contains a pointer to the
user instead of the user itself, and things are more complicated but
also safer.

> Second, is there any reason why the password needs to be stored in the
> session information? That seems like a dangerous and unnecessary thing
> by default. If one needs the password, the should be able to get it from
> get_user instead. I would think it's somewhat safer to rely on the Store
> for passwords, and not have them floating around the session stores,
> Maybe that depends on the store.

The session is safe - session data never gets into the client. At
least arguably that's what should happen.

Again, this is just for User::Hash. See 'sub for_session' in that
class - it just returns '$self'. Most user classes would return
'$self->id'.

User::Htpasswd, for example, stores

	__user_store => "store_name", # probably "default"
	__user => "name",

and lazily does get_user when you call $c->user.


-- 
 ()  Yuval Kogman <nothingmuch at woobling.org> 0xEBD27418  perl hacker &
 /\  kung foo master: /me does not drink tibetian laxative tea: neeyah!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://lists.rawmode.org/pipermail/catalyst/attachments/20051130/bf971ae8/attachment.pgp


More information about the Catalyst mailing list