[Catalyst] Another Auth/Session gotcha

Nigel Metheringham nigel.metheringham at dev.intechnology.co.uk
Tue Dec 20 12:25:21 CET 2005


Here is something I have spent *far* too long bashing my head against a
wall about, only to find it's a really trivial fix...

If you are using authentication along with sessions, you *must* call
$c->session before the auth-related stuff to make sure your session is
set up appropriately, even though the session handling of auth data is
all apparently handled automagically.

This means, for example, if you want everyone to authenticate before
using the app you need something like this global auto method:-
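        sub auto : Private {
            my ($self, $c) = @_;

            # Don't force login on the login page or static content.
            # Match the first path segment so that files below images/
            # and css/ are covered, not only the bare directory names.
            return 1 if $c->req->path =~ m{^(?:login|images|css)(?:/|$)};

            # needed to force session establishment
            my $session = $c->session;

            unless ($c->user) {
                # not logged in: drop the requested action and redirect
                $c->req->action(undef);
                $c->res->redirect($c->req->base . 'login');
            }
            else {
                $c->log->debug('User is valid: ', $c->user);
            }
            return 1;
        }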

If you do not have the call to $c->session then sessionid is never set
up, and the auth data is never pulled back, so $c->user is not filled
in...  BTW $c->sessionid is not sufficient... you must call $c->session.

I'm wondering if the session setup code has insufficient magic - or
maybe should do more magic by default (but be overridable by wizards
etc).

	Nigel.
-- 
[ Nigel Metheringham           Nigel.Metheringham at InTechnology.co.uk ]
[ - Comments in this message are my own and not ITO opinion/policy - ]
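
An added example, not part of the original post and not Catalyst's own code:
a toy model of the ordering problem described above, in plain Perl. ToyContext,
%STORE, the __user key and guard() are all hypothetical names; the model assumes
only what the post states, that saved auth data comes back when the session is
loaded and that reading the user does not load the session by itself.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Toy model (hypothetical, not Catalyst code): auth state lives in the
# session store and is only restored when the session is first loaded.
package ToyContext;

my %STORE = ( 'sid-1' => { __user => 'nigel' } );   # constructed sample data

sub new {
    my ($class, %args) = @_;
    return bless { cookie => $args{cookie}, path => $args{path} }, $class;
}

# Lazy load: the first call reads the store and restores the saved user.
sub session {
    my ($self) = @_;
    unless ($self->{session}) {
        $self->{session} = $STORE{ $self->{cookie} // '' } || {};
        $self->{user}    = $self->{session}{__user};
    }
    return $self->{session};
}

sub user { return $_[0]{user} }    # does NOT trigger the lazy load

package main;

# Guard in the shape of the auto method: returns 'public', 'allow' or 'login'.
sub guard {
    my ($c, $force_session) = @_;
    return 'public' if $c->{path} =~ m{^(?:login|images|css)(?:/|$)};
    $c->session if $force_session;      # the call the post says is required
    return $c->user ? 'allow' : 'login';
}

# Same valid cookie, with and without forcing the session first.
for my $force (0, 1) {
    my $c = ToyContext->new(cookie => 'sid-1', path => 'reports');
    printf "session forced=%d -> %s\n", $force, guard($c, $force);
}
printf "no cookie -> %s\n",
    guard(ToyContext->new(cookie => undef, path => 'reports'), 1);
printf "static    -> %s\n",
    guard(ToyContext->new(cookie => undef, path => 'css/site.css'), 0);
```

In this model the missing call fails closed: a user with a valid session is
sent back to the login page, rather than an anonymous request being let in.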




