[Catalyst] New Auth/Session Stuff

Yuval Kogman nothingmuch at woobling.org
Wed Nov 30 16:42:26 CET 2005


On Wed, Nov 30, 2005 at 10:27:38 -0500, Christopher H. Laco wrote:
> Yuval Kogman wrote:
> > On Wed, Nov 30, 2005 at 08:55:03 -0500, Christopher H. Laco wrote:
> >> Everything Just Worked. Bravo to everyone involved. I spent more time
> >> installing PREREQS than I did getting login/logout auth+session into my
> >> Catalyst app. That's a very very good thing.
> > 
> > Woot!
> > 
> >> Now, on to the questions! :-)
> >>
> >> First, after I call $c->login(id, pass), I have a user hash object and
> >> on further requests, it comes from the session.
> >>
> >> Just out of curiosity under TT, [% c.user.id %] returns nothing but
> >> [% c.user.password %] returns the password. Is this a bug?
> > 
> > User::Hash has no ID unless you put it in.
> 
> Hmmmm..it supposedly has an id method I thought?
> http://search.cpan.org/~nuffin/Catalyst-Plugin-Authentication-0.02/lib/Catalyst/Plugin/Authentication/User/Hash.pm#METHODS

That's just a short circuit to avoid

	sub id { die "virtual" }

in the base class...

It works just like the AUTOLOAD - you need to actually put the data
inside the user obj:

	__PACKAGE__->config->{authentication}{users} = {
		foo => {
			id => "foo",
			xxx
		},
	};

Then $foo->id will return.

However, for this to be actually leveraged and for the store to be
requeried, 'for_session' needs to be an alias method for ->id, and
'store' should be set to __PACKAGE__->default_auth_store.

Again, see t/live_app_session.t in the main Auth dist.

If you like, we can change this:

	Store::Minimal will set ->store and ->id for all objects which
	don't have them set

	User::Hash will return ->id from for_session if an ID is set

Then we will have User::Hash using the store by default.

If you want it, and no one objects by the time you say you want it,
I'll do it.

Let's discuss this on IRC ;-)

> Semi safe. Someone just needs to hijack the session cookie value for
> simple States...for more complicated ones, I'm there there is some
> hashing/salting and/or browser string/ip matching to make that hijacking
> harder.

Right, but no one should really use ::Minimal on a production
system, and even more so, no one should ever print c.user.password
in a template =)

-- 
 ()  Yuval Kogman <nothingmuch at woobling.org> 0xEBD27418  perl hacker &
 /\  kung foo master: /me sushi-spin-kicks : neeyah!!!!!!!!!!!!!!!!!!!!
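The behaviour described in the mail (an id that is only there if you put it in the hash, for_session handing back that id so the store is re-queried on the next request, and the whole record, password included, going into the session when no id exists), as an added stand-alone illustration. This is constructed stand-in code, not Catalyst::Plugin::Authentication or anything from the Catalyst project; the Demo::* package names, the from_session/get_user methods and the sample users are assumptions made for the example, and it runs with plain perl, no Catalyst required.

```perl
#!/usr/bin/perl
# Constructed stand-in for the user/store behaviour discussed in the mail.
# Not the Catalyst::Plugin::Authentication code; every package and method
# name below is an assumption for illustration only.
use strict;
use warnings;

package Demo::User::Hash;

sub new {
    my ( $class, %fields ) = @_;
    return bless {%fields}, $class;
}

# id is only defined when the configured hash contains an 'id' key,
# just like the AUTOLOAD accessors for any other field.
sub id { $_[0]->{id} }

# What gets saved in the session: the id if one is set, otherwise the
# whole hash. With an id plus a store the password never leaves the
# server-side user store; without one it is serialised into the session.
sub for_session {
    my $self = shift;
    return defined $self->id ? $self->id : +{ %$self };
}

# Any other field (password, name, ...) comes straight from the hash.
our $AUTOLOAD;
sub AUTOLOAD {
    my $self = shift;
    ( my $field = $AUTOLOAD ) =~ s/.*:://;
    return if $field eq 'DESTROY';
    return $self->{$field};
}

package Demo::Store::Minimal;

sub new {
    my ( $class, $users ) = @_;
    my %objs = map { $_ => Demo::User::Hash->new( %{ $users->{$_} } ) } keys %$users;
    return bless { users => \%objs }, $class;
}

sub get_user { $_[0]->{users}{ $_[1] } }

# Re-query the store from whatever for_session produced: an id is looked
# up again, a frozen hash is simply re-blessed (no store involved).
sub from_session {
    my ( $self, $frozen ) = @_;
    return ref $frozen ? Demo::User::Hash->new(%$frozen) : $self->get_user($frozen);
}

package main;

# Constructed sample users, shaped like the config hash in the mail.
my $store = Demo::Store::Minimal->new( {
    foo => { id => 'foo', password => 's3cret' },   # has an id  -> session keeps only "foo"
    bar => { password => 'hunter2' },               # no id      -> whole hash ends up in the session
} );

my $foo = $store->get_user('foo');
my $bar = $store->get_user('bar');

printf "foo->id: %s\n", $foo->id;                                # foo
printf "bar->id: %s\n", defined $bar->id ? $bar->id : 'undef';   # undef, as with [% c.user.id %]
printf "bar->password: %s\n", $bar->password;                    # hunter2, via AUTOLOAD

# Simulated next request: thaw whatever for_session stored.
my $next_foo = $store->from_session( $foo->for_session );
printf "foo session value: %s\n", $foo->for_session;             # foo (id only)
printf "bar session value: %s\n", ref $bar->for_session;         # HASH (entire record, password included)
printf "foo re-fetched password: %s\n", $next_foo->password;     # s3cret, looked up from the store again
```

Running it shows why the mail recommends setting an id together with a store: the session then carries nothing but the identifier, and the credential stays in the store on the server side instead of being frozen into session data.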


