[cgiapp] Security, Authentication and Authorization for CGI::App

Michael Peters mpeters at plusthree.com
Fri Mar 5 12:48:32 EST 2010


On 03/05/2010 12:11 PM, Mark Rajcok wrote:

> With this approach, how do you handle user authorization changes, say by an
> administrator?
> In other words, how do you handle invalidating the auth cookie?  Wouldn't a
> database lookup be required to ensure the auth cookie's info is still
> valid/current?

If you need auth changes to be immediately reflected, then yes, you'll 
need to check on every request. For the most part, though, this isn't 
required. If it's immediate if they aren't logged in, but if they are it 
takes a few minutes, then that's OK for most uses.

> (I started down this road, but when I implemented my admin pages and started
> testing, I found that newly unauthorized users still had access because of
> the (old) auth cookie data.  I couldn't figure out a way around this,
> without hitting the database to check the auth cookie, at which point I
> didn't see the value of the auth cookie anymore.)

I still like to keep them separated since they are logically different, 
but I'm not a zealot on that point.

-- 
Michael Peters
Plus Three, LP
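The trade-off above (trust a signed cookie for a bounded window, then go back to the database) as an added, language-neutral illustration in Python; it is not code from the original post, from CGI::Application, or from Plus Three. The secret key, the RECHECK_AFTER window, and the USERS dict standing in for the user table are all constructed for the demo. The "strict" flag shows the other policy Mark describes, where every request hits the database and the cookie only saves the password check:

```python
import base64
import hashlib
import hmac
import json

# Assumption: a real app loads this from config and rotates it; constructed here.
SECRET = b"constructed-demo-secret-do-not-ship"

# Seconds a cookie's role claims are trusted before the DB is consulted again.
# This is the "takes a few minutes" window from the mail.
RECHECK_AFTER = 300

# Constructed stand-in for the user table; a real app queries its database.
USERS = {
    "alice": {"roles": {"admin"}, "disabled": False},
    "bob": {"roles": {"editor"}, "disabled": False},
}


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_cookie(user, now):
    """Serialize {user, roles, verified-at} and sign it with HMAC-SHA256."""
    payload = {"u": user, "r": sorted(USERS[user]["roles"]), "v": int(now)}
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    mac = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def parse_cookie(cookie):
    """Return the claims dict, or None if the cookie is malformed or tampered."""
    try:
        body, mac = cookie.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so MAC checking does not leak timing.
    if not hmac.compare_digest(mac, expected):
        return None
    try:
        return json.loads(_unb64(body))
    except (ValueError, UnicodeDecodeError):
        return None


def authorize(cookie, now, strict=False):
    """Return (roles, replacement_cookie_or_None).

    roles is None when the request must be treated as unauthenticated.
    With strict=False the cookie's roles are trusted until RECHECK_AFTER
    seconds have passed since they were last verified; only then is the
    database consulted and a fresh cookie issued.  With strict=True every
    request goes to the database, so admin changes apply immediately.
    """
    claims = parse_cookie(cookie)
    if claims is None:
        return None, None
    stale = now - claims["v"] > RECHECK_AFTER
    if strict or stale:
        rec = USERS.get(claims["u"])
        if rec is None or rec["disabled"]:
            return None, None  # revoked or deleted: cookie is worthless now
        return set(rec["roles"]), issue_cookie(claims["u"], now)
    return set(claims["r"]), None


if __name__ == "__main__":
    t0 = 1_000_000
    cookie = issue_cookie("alice", t0)
    print(authorize(cookie, t0 + 20))                 # admin, from the cookie alone
    USERS["alice"]["roles"] = {"viewer"}              # an administrator demotes alice
    print(authorize(cookie, t0 + 20))                 # still admin: inside the window
    print(authorize(cookie, t0 + 20, strict=True))    # viewer: DB checked every time
    print(authorize(cookie, t0 + 400))                # viewer, plus a reissued cookie
```

The demo at the bottom reproduces exactly what Mark saw: after the demotion the old cookie keeps granting "admin" until the recheck window elapses, because nothing in a self-contained signed cookie can know about a change made elsewhere. The database hit on stale cookies can be a single cheap read (for example a per-user permissions version or "disabled" flag) rather than the full login query, which is what makes the window-based policy cheaper than checking on every request.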

