[Catalyst] New Auth/Session Stuff

Christopher H. Laco claco at chrislaco.com
Wed Nov 30 16:50:26 CET 2005


Yuval Kogman wrote:
> On Wed, Nov 30, 2005 at 10:27:38 -0500, Christopher H. Laco wrote:
>> Yuval Kogman wrote:
>>> On Wed, Nov 30, 2005 at 08:55:03 -0500, Christopher H. Laco wrote:
>>>> Everything Just Worked. Bravo to everyone involved. I spent more time
>>>> installing PREREQS than I did getting login/logout auth+session into my
>>>> Catalyst app. That's a very very good thing.
>>> Woot!
>>>
>>>> Now, on to the questions! :-)
>>>>
>>>> First, after I call $c->login(id, pass), I have a user hash object and
>>>> on further requests, it comes from the session.
>>>>
>>>> Just out of curiosity under TT, [% c.user.id %] returns nothing but
>>>> [% c.user.password %] returns the password. Is this a bug?
>>> User::Hash has no ID unless you put it in.
>> Hmmmm..it supposedly has an id method I thought?
>> http://search.cpan.org/~nuffin/Catalyst-Plugin-Authentication-0.02/lib/Catalyst/Plugin/Authentication/User/Hash.pm#METHODS
> 
> That's just a short circuit to avoid
> 
> 	sub id { die "virtual" }
> 
> in the base class...
> 
> It works just like the AUTOLOAD - you need to actually put the data
> inside the user obj:
> 
> 	__PACKAGE__->config->{authentication}{users} = {
> 		foo => {
> 			id => "foo",
> 			xxx
> 		},
> 	}
> 
> Then $foo->id will return.

Ah. My misunderstanding. I just assumed that the id would be the user
name itself, since they both really have to be unique.

> 
> However, for this to be actually leveraged and for the store to be
> requeried, 'for_session' needs to be an alias method for ->id, and
> 'store' should be set to __PACKAGE__->default_auth_store.
> 
> Again, see t/live_app_session.t in the main Auth dist.
> 
> If you like, we can change this:
> 
> 	Store::Minimal will set ->store and ->id for all objects which
> 	don't have them set
> 
> 	User::Hash will return ->id from for_session if an ID is set
> 
> Then we will have User::Hash using the store by default.
> 
> If you want it, and no one objects by the time you say you want it,
> i'll do it.
> 
> Let's discuss this on IRC ;-)

Indeed. Of course, by the time I get there this evening, I'll be well
sloshed. :-)

> 
>> Semi safe. Someone just needs to hijack the session cookie value for
>> simple States...for more complicated ones, I'm sure there is some
>> hashing/salting and/or browser string/ip matching to make that hijacking
>> harder.
> 
> Right, but no one should really use ::Minimal on a production
> system, and even more so, no one should ever print c.user.password
> in a template =)
> 

Hmmm. There's nothing really wrong with Minimal per se. It's working out
great for a small, one person app where only one user/password makes
anything more than that overkill. It's really the security of the
Session::State::Cookie that would be in question.

-=Chris
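The point of the thread (that `c.user.id` is empty because a User::Hash only has whatever keys were put into the config hash, and that `for_session` should hand back that id so the session stores a key rather than the whole record) can be shown with a small standalone sketch. This is an added example, not code from Catalyst::Plugin::Authentication; the package name `My::User::Hash`, the `die "virtual"` fallback and the `for_session` alias follow the behaviour described in the messages above, and the user hash is constructed here.

```perl
#!/usr/bin/env perl
# Added illustration of a hash-backed user object in the style the thread
# describes (not the plugin's own code). Field access goes through AUTOLOAD,
# so ->id only returns something if 'id' was put into the hash, and
# for_session hands back ->id so the session carries just the key.
package My::User::Hash;
use strict;
use warnings;
our $AUTOLOAD;

sub new {
    my ($class, %fields) = @_;
    return bless {%fields}, $class;
}

# Hypothetical base-class behaviour: id() is "virtual" unless the hash has it.
sub id {
    my $self = shift;
    die "virtual" unless exists $self->{id};
    return $self->{id};
}

# The proposed change: for_session aliases ->id when an id is set, so the
# store can be re-queried by key instead of serialising the whole user hash.
sub for_session { return $_[0]->id }

# Any other field (password, roles, ...) is looked up in the hash on demand.
sub AUTOLOAD {
    my $self = shift;
    (my $field = $AUTOLOAD) =~ s/.*:://;
    return if $field eq 'DESTROY';
    return $self->{$field};
}

package main;
use strict;
use warnings;

# Constructed config in the shape shown in the thread. 'id' is set explicitly:
# nothing derives it from the hash key 'foo'.
my %users = (
    foo => { id => 'foo', password => 'placeholder-secret' },
);

my $user = My::User::Hash->new( %{ $users{foo} } );
print "id:          ", $user->id,          "\n";   # "foo", only because id was put in
print "for_session: ", $user->for_session, "\n";   # the key to keep in the session

# A template should expose the id, never the password; the hash still holds it.
print "template-safe: ", $user->id, "\n";

# A user hash without id: ->id dies, matching the "virtual" base-class fallback.
my $bare = My::User::Hash->new( password => 'placeholder-secret' );
my $bare_id = eval { $bare->id };
print "bare id: ", ( defined $bare_id ? $bare_id : "not set" ), "\n";
```

Run it with `perl` and the first two lines print `foo`, while the last prints `not set`, which is the situation behind the empty `[% c.user.id %]` in the original question.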