
This queue is for tickets about the Apache-AuthCookie CPAN distribution.

Report information
The Basics
Id: 81475
Status: resolved
Priority: 0/
Queue: Apache-AuthCookie

People
Owner: Nobody in particular
Requestors: kas [...] fi.muni.cz
Cc:
AdminCc:

Bug Information
Severity: Important
Broken in: 3.18
Fixed in: 3.19



Subject: HTTP_FORBIDDEN does not work with Symbian and other OSes as well
Apache2::AuthCookie returns the login form in a 403 FORBIDDEN response. It seems perfectly legal in my interpretation of RFC 2616, but it does not work with some browsers, namely Nokia phones with Symbian OS and some Windows 8 smartphones - they display their own "Forbidden" page and ignore the HTML in the response. So probably another status code should be used instead. After reading RFC 2616 I think 303 or 302 status codes should work.
Subject: Proposed patch
From: kas [...] fi.muni.cz
Here is the proposed patch for this problem - we can blacklist some user-agents and return 200 OK for them.
Subject: AuthCookie-403.patch
Author: Jan "Yenya" Kasprzak <kas@fi.muni.cz> 403 does not work with some browsers Some browsers are confused by the 403 Forbidden status code, with which Apache2::AuthCookie returns the login form - they display their own error pop-up to the user, and ignore the response body which they just received. This patch implements a possible hot-fix, to return 200 OK for selected User-Agent strings. diff --git a/perllib/Apache2/AuthCookie.pm b/perllib/Apache2/AuthCookie.pm index 4505a3f..498a720 100644 --- a/perllib/Apache2/AuthCookie.pm +++ b/perllib/Apache2/AuthCookie.pm @@ -7,6 +7,8 @@ BEGIN { use strict; +require 5.10.0; # for the defined-or operator + use Carp; use CGI '3.12'; use mod_perl2 '1.99022'; @@ -19,7 +21,8 @@ use Apache2::Access; use Apache2::Response; use Apache2::Util; use APR::Table; -use Apache2::Const qw(:common M_GET HTTP_FORBIDDEN HTTP_MOVED_TEMPORARILY); +use Apache2::Const qw(:common M_GET HTTP_FORBIDDEN HTTP_MOVED_TEMPORARILY + HTTP_OK); sub recognize_user { my ($self, $r) = @_; @@ -331,9 +334,23 @@ sub login_form { return SERVER_ERROR; } - $r->custom_response(HTTP_FORBIDDEN, $authen_script); + my $status = $self->login_form_status($r) // HTTP_FORBIDDEN; + + $r->custom_response($status, $authen_script); + + return $status; +} + +sub login_form_status { + my ($self, $r) = @_; + + my $user_agent = $r->headers_in()->get('User-Agent') + or return undef; + + return HTTP_OK + if $user_agent =~ qr!\AMozilla/5\.0 \(SymbianOS/!; - return HTTP_FORBIDDEN; + return undef; } sub satisfy_is_valid { 
@@ -896,6 +913,24 @@ specified with the C<PerlSetVar WhatEverLoginScript> configuration directive. You can overwrite this method to provide your own mechanism. +=item * login_form_status($self, $r) + +This method returns the custom HTTP status code with which should the +login form be returned. The default behavior (or when undef is returned +from this method) is to use HTTP_FORBIDDEN (403) status. +However, this confuses some browsers enough to require a different +status code for them. By default we return HTTP_OK for Symbian phones, +and undef for everything else. + +Supersede this method in a subclass to set your own return codes. +It is also possible to call ->SUPER::login_form_status($r) from +a subclass, to use whatever defined-values it returns, and to handle +only the cases where undef is returned from this method. + +Note that HTTP_FORBIDDEN should work for most browsers, and does not +lead the browser into a false assumption that it has successfully +obtained the page it has originally requested. + =item * logout() This is simply a convenience method that unsets the session key for
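Review bot: the `require 5.10.0; # for the defined-or operator` line added in the first hunk raises the module's minimum Perl to 5.10 for the sake of a single `//` in `login_form`, which excludes the 5.8 deployments mentioned later in this ticket. Drop the `require` and spell out the fallback without `//`, e.g. `my $status = $self->login_form_status($r);` followed by `$status = HTTP_FORBIDDEN unless defined $status;`, which behaves identically on 5.8.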
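Review bot: in the `login_form` / `login_form_status` hunk, the only User-Agent pattern is `\AMozilla/5\.0 \(SymbianOS/`, so the Windows 8 phones named in the report still receive the 403 and the documentation's "HTTP_OK for Symbian phones" should be read as exactly that prefix match. Two smaller points: `or return undef` and `return undef` yield a one-element list in list context, so the idiomatic form is a bare `return;`; and since `login_form` now returns `$status`, the authen handler hands Apache `HTTP_OK` (200) instead of `HTTP_FORBIDDEN` for matched agents, so a test confirming that the custom response body is what the client actually receives for that status would belong with this change. Because the User-Agent header is client-supplied, a client can choose which status it gets, but the body is the same login form either way, so nothing beyond the status code is exposed.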
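Review bot: the POD added in the last hunk needs some wording fixes: "the custom HTTP status code with which should the login form be returned" reads better as "the HTTP status code with which the login form is returned"; "Supersede this method in a subclass" should be "Override this method in a subclass"; and "whatever defined-values it returns" should be "whatever defined value it returns". It would also help readers to state the concrete default rule (a User-Agent beginning with `Mozilla/5.0 (SymbianOS/`) rather than "Symbian phones", so a subclass author knows which agents are already handled before adding their own.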
Thanks. I'll take a look at this over the weekend.
I fixed this in v3.19_01 (developer release), which I just uploaded to CPAN. Let me know if this version works for you. I made the fix 5.8 safe as there are lots of AuthCookie deployments still running on RHEL5 using 5.8.
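The override pattern described in the patch's documentation (a subclass calls SUPER::login_form_status and only handles the undef cases itself), together with a fallback to 403 written without the defined-or operator so it runs on Perl 5.8, as an added example. This is not code from Apache2::AuthCookie or from the ticket's patch: Mock::Request, Base::AuthCookie, Site::AuthCookie, the inline HTTP_OK/HTTP_FORBIDDEN constants and the User-Agent strings are all constructed for the example, and the Windows Phone rule in the subclass is hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Mock request object (constructed for this example). It stands in for the
# Apache2::RequestRec / APR::Table pair that mod_perl normally provides.
package Mock::Request;
sub new        { my ($class, %h) = @_; return bless { headers => \%h }, $class }
sub headers_in { return $_[0] }                    # doubles as its own table
sub get        { return $_[0]{headers}{ $_[1] } }  # APR::Table-style lookup

# Base class mirroring the patch's default rule: 200 for a User-Agent that
# starts with "Mozilla/5.0 (SymbianOS/", undef for everything else.
package Base::AuthCookie;
use constant HTTP_OK        => 200;   # from Apache2::Const under mod_perl
use constant HTTP_FORBIDDEN => 403;

sub login_form_status {
    my ($self, $r) = @_;
    my $ua = $r->headers_in->get('User-Agent');
    return unless defined $ua;        # bare return rather than "return undef"
    return HTTP_OK if $ua =~ m{\AMozilla/5\.0 \(SymbianOS/};
    return;                           # undef: caller falls back to 403
}

# Status selection without "//" so that it also runs on Perl 5.8.
sub login_form_status_or_default {
    my ($self, $r) = @_;
    my $status = $self->login_form_status($r);
    $status = HTTP_FORBIDDEN unless defined $status;
    return $status;
}

# Site subclass: defer to SUPER first, then add a rule for the undef case.
package Site::AuthCookie;
our @ISA = ('Base::AuthCookie');
use constant HTTP_OK => 200;

sub login_form_status {
    my ($self, $r) = @_;
    my $status = $self->SUPER::login_form_status($r);
    return $status if defined $status;            # keep the base decision
    my $ua = $r->headers_in->get('User-Agent');
    # Hypothetical extra rule for the Windows 8 phones the report mentions.
    return HTTP_OK if defined $ua && $ua =~ m{Windows Phone 8};
    return;
}

package main;

# Constructed User-Agent strings, not captured from real devices.
my @samples = (
    'Mozilla/5.0 (SymbianOS/9.4; Series60/5.0) AppleWebKit/533.4',
    'Mozilla/5.0 (compatible; MSIE 10.0; Windows Phone 8.0; Trident/6.0)',
    'Mozilla/5.0 (X11; Linux x86_64; rv:10.0) Gecko/20100101 Firefox/10.0',
);

for my $ua (@samples) {
    my $r = Mock::Request->new('User-Agent' => $ua);
    printf "%-45.45s base=%d site=%d\n", $ua,
        Base::AuthCookie->login_form_status_or_default($r),
        Site::AuthCookie->login_form_status_or_default($r);
}
```

The subclass never has to repeat the base class's pattern: it asks SUPER first and only decides the cases that came back undef, which is the layering the patch's POD describes. The fallback lives in one place (login_form_status_or_default), so swapping the default from 403 to something else later is a one-line change.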