[Catalyst] Cookie + basic auth?

Bill Moseley moseley at hank.org
Tue Apr 26 18:00:15 GMT 2011


I'm looking for a little help working out the logic for dealing with cookies
and basic auth in the same request.

I use a cookie to hold a session ID.  The session is only created for users
that log in -- essentially the session ID stores the user object and is used
as an authentication token.  It also avoids the slightly expensive login
process for every request.  The session is also useful for tracking a series
of related requests.  Some state ends up in the session, but we are trying
to move away from that.

There's a /login method used to pass in credentials, and upon successful
"log in" is when the cookie gets set.

I'd like to make basic auth available as an authentication method for API
calls.  I'd still like to use cookies for authentication caching and to
provide session tracking.

My question is about the logic to make sure that any valid session id
provided via the cookie matches the session that was created with the basic
auth header.  Or in other words, what happens if the Authorization header
changes but the cookie's session id does not change?


One option would be to place the Authorization header's value into the
session and if an Authorization header is provided in the request make sure
it matches the value in the session, and if not create a new session.

Another option would be to always require the Authorization header and
append that to the session ID.  That way if the Authorization header changed
the session lookup would fail.


What kind of logic would you implement in this situation?



-- 

Bill Moseley
moseley at hank.org
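The binding logic the post asks about, written out as an added example (it is not code from Bill's post or from Catalyst). It follows the first option described above, but stores a keyed hash (HMAC) of the Authorization header in the session rather than the header itself, so the session never holds raw credentials yet any change in the header still fails the comparison. The user table, its salt, the server key and the in-memory session store are all constructed for the example; a real application would use its own user store, per-user salts and a persistent session backend.

```python
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Constructed demo user store: passwords kept only as salted PBKDF2 hashes.
# A single shared salt is used here for brevity; use a random salt per user.
_SALT = b"demo-salt-16byte"
USERS = {
    "alice": _pbkdf2("wonderland", _SALT),
    "bob": _pbkdf2("builder", _SALT),
}


@dataclass
class AuthResult:
    action: str                 # created | reused | rotated | anonymous | rejected
    session_id: Optional[str]   # cookie value to send back (None if unauthenticated)
    user: Optional[str]


class SessionBinder:
    """Ties a cookie session to the Basic credentials that created it."""

    def __init__(self, server_key: bytes):
        self._key = server_key
        self._sessions = {}  # session_id -> {"user": str, "auth_fp": bytes}

    def _fingerprint(self, authorization: str) -> bytes:
        # Keyed hash of the header: the session stores this, never the raw
        # base64 credentials, but a changed header still produces a mismatch.
        return hmac.new(self._key, authorization.encode(), hashlib.sha256).digest()

    @staticmethod
    def _check_basic(authorization: str) -> Optional[str]:
        """Return the user name if the Basic header carries valid credentials."""
        scheme, _, payload = authorization.partition(" ")
        if scheme.lower() != "basic":
            return None
        try:
            decoded = base64.b64decode(payload, validate=True).decode()
        except ValueError:  # covers binascii.Error and UnicodeDecodeError
            return None
        user, _, password = decoded.partition(":")
        expected = USERS.get(user)
        if expected is None or not hmac.compare_digest(expected, _pbkdf2(password, _SALT)):
            return None
        return user

    def _create(self, user: str, fp: bytes) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "auth_fp": fp}
        return sid

    def handle(self, cookie_sid: Optional[str], authorization: Optional[str]) -> AuthResult:
        session = self._sessions.get(cookie_sid) if cookie_sid else None

        if authorization is None:
            # Cookie-only request: the session acts as the cached authentication.
            if session:
                return AuthResult("reused", cookie_sid, session["user"])
            return AuthResult("anonymous", None, None)

        user = self._check_basic(authorization)
        if user is None:
            # Invalid credentials never fall back to the cookie: answer 401.
            return AuthResult("rejected", None, None)

        fp = self._fingerprint(authorization)
        if session and hmac.compare_digest(session["auth_fp"], fp):
            # Same credentials that created the session: keep using it.
            return AuthResult("reused", cookie_sid, user)

        # Header changed (or no session yet): discard the old session so state
        # from one principal cannot leak into another, then start a fresh one.
        if session:
            del self._sessions[cookie_sid]
        action = "rotated" if session else "created"
        return AuthResult(action, self._create(user, fp), user)


def basic_header(user: str, password: str) -> str:
    """Build a Basic Authorization header value for the demo client side."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
```

The check runs on every request that carries an Authorization header, so an API client that switches credentials mid-series gets a new session rather than inheriting the previous user's state, while cookie-only requests continue to use the cached login exactly as the post describes.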