Revision history for Apache::AuthCookie

3.30 2020-04-14
    - Fix logic error for EnforceLocalDestination
    - Add a bunch of tests to cover all scenarios of EnforceLocalDestination and
      DefaultDestination

3.29 2020-03-22
    - Add optional support for enforcing a local destination, like so:

        PerlSetVar MyAuthEnforceLocalDestination 1

    - Add optional support for specifying a default destination when the login
      form's destination argument is unspecified or invalid (including
      non-local if local destinations are enforced), like this:

        PerlSetVar MyAuthDefaultDestination /protected/user/

3.28 2019-11-19
    - Add support for SameSite cookie property (can be strict/lax).
    - Minor POD updates.

3.27 2017-07-28
    - Fix POD spelling error [#118545].

3.26 2016-09-30
    - remove unused module Apache::AuthCookie::Autobox from dist
    - remove CGI.pm dependency. CGI.pm has been removed from perl core, which
      was the primary reason we used it in the first place. Replaced with
      dependency on lighter weight set of three modules:

        * HTTP::Body
        * WWW::Form::UrlEncoded
        * Hash::MultiValue

      Also recommended (but not required) is WWW::Form::UrlEncoded::XS
    - Add optional support for charset encoding. If you have something like

        PerlSetVar MyAuthNameEncoding UTF-8

      then AuthCookie will now automatically decode parameters using the given
      encoding. AuthCookie params() data will be decoded automatically if
      this is on. See details in AuthCookie module documentation. In addition
      r->user will be encoded (using byte semantics) using this encoding.

      ***** IMPORTANT *****
      If you turn this on, this could break your code. r->user() will now be
      byte encoded using the given encoding. If you use usernames that contain
      non-ascii characters you either need to use decoded_user(), or decode
      r->user() yourself in your subclasses.

      See the AuthCookie docs for more details.
    - add optional support for decoding httpd.conf requires directives. This is
      enabled with a RequiresEncoding setting:

        PerlSetVar MyAuthNameRequiresEncoding UTF-8

      Then decoded_requires($r) will return the decoded value of $r->requires.
      You only need this if you have non-ascii characters in your requires
      directives such as:

        Requires user programmør

    - add decoded_user($r) method to get the value of r->user decoded using
      character semantics instead of bytes. Due to the fact that r->user is a C
      API method we cannot get character semantics on r->user directly. If no
      Encoding directive is in effect, then this is the same as r->user.
    - add encoding($r): string which returns the value of the Encoding directive
      that is in effect for the current request.

3.25 2016-08-30
    - 2.4: fix POD typo and add missing ABSTRACT
    - reorganize real.t tests into subtests
    - make sure signature test ignores generated files
    - remove autobox dependency
    - fix authenticate so that r->user is copied from r->main on subrequests.
      Previously this was only done for internal redirects (r->prev is defined).
      This fixes DirectoryIndexes on AuthCookie enabled directories under apache
      2.4.

3.24 2016-01-13
    - Update Apache 2.4 README, flesh out guts of Authz Provider notes.
    - Improve Apache 2.4 README's AuthzProvider documentation
    - Add POD to Apache2_4::AuthCookie
    - Add FAQ to Apache2_4::AuthCookie documentation
    - 2.4: document that PerlAddAuthzProvider is only needed for *custom* Requires directives.
    - 2.4: make authz_handler recognize multiple usernames in the directive like
      mod_authz_user does.
    - add test case for internal authz_handler
    - explicitly require Apache::Test 1.39 so that APACHE2_4 defines are set

3.23 2015-09-10
    - Improve CGI mode param() handling to avoid CGI.pm's "param() called in list context" warning.
    - add support for Apache 2.4 via mod_perl 1.09.

      ***** IMPORTANT *****
      Apache 2.4 has a *VERY* different API for authentication. You will need
      to port your subclass and configuration over to the Apache 2.4 API in
      order to use Apache 2.4! Please be sure to read README.apache-2.4.pod for
      porting instructions!

3.22 2014-05-07

3.21 2014-05-07
    - Bad release - deleted

3.20 2013-12-09
    - login_form: return OK for mobile IE 10, which also ignores content for
      FORBIDDEN response.
    - test .pl registry scripts: do not try to load mod_perl.pm
    - escape html tags in destination.
    - fix abstract in FAQ pod.

3.19 2012-12-28
    - split out CGI data handling into ::AuthCookie::Params modules
    - use Apache::Request/Apache2::Request from libapreq if available. Otherwise,
      fall back to CGI.pm for handling CGI data.
    - improve "removed cookie" debug log message
    - add dependencies: autobox, Class::Load
    - allow username to be '0'
    - login_form: return OK for SymbianOS, which ignores content for FORBIDDEN responses.
    - add login_form_status() to override HTTP status returned by login form
    - recognize_user: return DECLINED if user is not recognized

3.18 2011-01-24
    - remove 3.17's test skip hacks, and bump Apache::Test prerequisite to v1.35
      which fixes this issue.
    - fix MANIFEST.SKIP to ignore generated t/conf/mime.types
    - remove dist.ini, weaver.ini from dists
    - fixed t/real.t to use correct -withtestmore import syntax
    - rename sample authcookie handlers to Sample::Apache and Sample::Apache2
      namespaces

3.17 2011-01-19
    - skip the test suite if running as root. Apache::Test 1.34 fails the test
      suite if running as root instead of skipping it. By skipping, AuthCookie
      can be installed via CPAN.pm as root.

3.16 2011-01-19
    - require Apache::Test 1.32 - fixes ubuntu build issue
    - remove mod_perl/mod_perl2 related prereq's from META.yml. The correct mod
      perl version is not known until Makefile.PL is run. CPAN.pm should not
      try to install either one until it is known which one is appropriate.
      (RT 64926)

3.15 2010-08-27
    - enable Dist::Zilla Manifest plugin
    - add FAQ
    - add FAQ entry on how to protect an entire site/document root
    - recognize_user: return DECLINED if user is already set
    - refactor P3P header generation into send_p3p($r) so subclasses can overload it

3.14 2010-04-12
    - MP2: doc updates: remove beta warnings, change Apache::AuthCookie to
      Apache2::Authcookie where appropriate.
    - docs: change my email to my cpan address
    - docs: remove POST limitations reference (handled by POST to GET conversion)
    - sign dist with Module::Signature
    - add signature test
    - MP1: perltidy Apache::AuthCookie sources.
    - update mod_perl2 prereq version (still 2.0.0 RC5, but version number was
      incorrect in Makefile.PL)
    - use Dist::Zilla for building the dist

3.13 2010-04-12
    - removed: bad dist

Version: 3.12
    - Makefile.PL: if no mod_perl version is found, just require mod_perl2.
      This makes sure that CPAN testers will get the right dependencies.
      Also set up PREREQ_PM properly for mod_perl version 1.

Version: 3.11
    - Fix tiny pod doc error.
    - Escape CR and LF in 'destination' field to prevent possible XSS attack
      [Steffen Schwigon]

Version: 3.10
    - Bug Fix: when copying user from prev request, check that $r->prev
      is defined, not just that $r->is_initial_request is true.

Version: 3.09
    - POD doc fixes.
    - MP2: remove _check_request_req() - this was only necessary when
      running under both MP1 and MP2. Package name change eliminates the
      need for this.
    - test suite converted to Test::More style test suites.
    - descriptive test descriptions added
    - make login() stash credentials in $r->pnotes("${AuthName}Creds") so
      that the login form can access the user-supplied credentials if the
      login fails.
    - bug fix: use of Apache2::URI::unescape_url() does not handle
      '+' to ' ' conversion. This caused problems for credentials
      that contain spaces.
    - MP2: remove mod_perl features from "use mod_perl2" line. This is
      no longer supported by mod_perl2.
    - MP2: _get_form_data() - switch to CGI.pm to handle form data (fixes
      several form data handling bugs)
    - In a subrequest, copy $r->prev->user to $r->user (or r->connection->user
      for MP1).
    - remove Apache2::AuthCookie::Util - no longer necessary
    - multi-valued form fields are now handled properly in POST -> GET conversion
    - MP2: require CGI.pm 3.12 or later

Version: 3.08
    - fix "authorize user" error log that was missing a debug level check
      (thanks Barry)
    - fix test cases 3, 6, 18 for Win32
    - clean up t/real.t

Version: 3.07
    *** mod_perl2 users: THIS RELEASE IS INCOMPATIBLE WITH PAST RELEASES ***
    *** If you are running mod_perl2, you must update to at least        ***
    *** mod_perl 2.0.0 RC5. The mod_perl2 version of AuthCookie has been ***
    *** renamed to Apache2::AuthCookie                                   ***
    ** MP2: RENAME AuthCookie.pm.mp2 to Apache2::AuthCookie.
    - MP2: Update module, and tests for mod_perl 2.0.0 RC5. mod_perl2 users
      MUST use Apache2::AuthCookie now.
    - Require Apache::Test 1.22
    - Add support for ${auth_name}SessionTimeout configuration parameter
      which will re-issue the ticket with the expires parameter set to the
      value of this configuration setting for each request. This is useful for
      idle-timeout.
    - POD fixes.
    - MP2: fix uninitialized warnings if no POST/GET data (RT 11371)
    - make sure recognize_user() returns an Apache constant in all cases.
      Returns DECLINED in cases where we were returning undef before.
      (Thanks Vivek)
    - Add support for MS HttpOnly cookie property.

Version: 3.06
    ** BUG FIX: AuthNameSatisfy (Any|All) directives were broken. AuthCookie
       was using AuthCookieSatisfy rather than ${auth_name}Satisfy. If you
       used this feature and had an "AuthCookieSatisfy" directive in your
       config file, you MUST change this to ${auth_name}Satisfy.
       E.g.: "WhateverSatisfy All"
    - created better test cases for AuthNameSatisfy directives.
    - when redirecting, set Location with headers_out() not err_headers_out().
      apache prefers Location in headers_out, even if the status code is not
      200.
    - MP2: Apache::unescape_url() -> Apache::URI::unescape_url()
    - check for mod_perl 1.9913 or later for Apache::URI (Frederick Moyer)
    - Remove set status in login.pl which caused malformed custom error
      document (Frederick Moyer)
    - Add support for ${auth_name}CookieName to change the name of the cookie
      used for each auth name. Default remains ${auth_name}_${auth_type} if
      not set.
    - make some debug log_error() calls conditional on $debug

Version: 3.05
    - Fix POD documentation bug (thanks Steve van der Burg)
    - login(): set Location header with err_headers_out rather than headers_out
      (Casey West)
    - put cookie removal code in remove_cookie() method, put cache handling
      code in handle_cache() (Mark A. Hershberger)
    - reorganized tree to support multiple mod_perl versions.
    - rewrote tests to use Apache::Test framework from CPAN.
    - fix POD errors in authorize() documentation.
    - initial support for mod_perl version 2
    - mp2: check for Apache::RequestRec arg so that unported subclasses
      throw exceptions.

Version: 3.04
    - add _convert_to_get() to login_form(), and make POST -> GET conversion
      skip credentials and destination data so only extra data is copied. This
      ensures that "destination" won't contain the login data.

Version: 3.03
    - various POD typos fixed (Eric Cholet)
    - Add support for ${AuthName}P3P which will set up a P3P header that will
      be sent with the cookie.
    - fix undefined warning in _convert_to_get (David K Trudgett)
    - fix potential cookie clobbering if cookie was set in earlier handler
      phase in send_cookie() (Carlyn Hicks).
    - various undefined value warnings eliminated

Version: 3.02
    - Add support for AuthNameSatisfy directive (can be Any/All, default: Any)
    - Move cookie path setting into get_cookie_path() so that users can
      overload this function if they desire (Thanks Raj Chandran)
    - POST -> GET conversion was broken (r->content called twice). Fixed.

Version: 3.01
    - adopted support for custom_errors() hook from michael@bizsystems.com.
    - Fixed incorrect documentation in authorize() (thanks to David Young).
    - login() handler changes:
      o if "destination" isn't in posted data, set AuthCookieReason to
        no_cookie and return to login_form (previously just returned
        SERVER_ERROR).
      o if authen_cred() returns false, set AuthCookieReason to
        bad_credentials and return to the login form.
      o try to handle POST -> GET conversion.
    - CGI::Util dependency removed (these are internal subroutines for CGI.pm)
    - ${AuthName}Path will default to "/" if it is not specified (MSIE 6.0
      won't set cookies without path)
    - fix login() handler change so that destination doesn't get lost on
      subsequent login attempts (thanks Phillip Molter)

Version: 3.00
    - New maintainer: Michael Schout <mschout@gkg.net>
    - changed to hard coded $VERSION rather than RCS Revision style.
    - Revamped testing code to use Apache::test (with minor mods).
    - Added support for ${AuthName}Expires parameter that can be used
      to make your cookie persistent.
    - CGI::Util is now used for parsing the "Expires" parameter. If you are
      missing this package, you probably need to upgrade your CGI.pm package.

Version: 2.011 Date: 2000/06/17 08:01:19
    Several people have requested a mechanism for the login script to be
    able to tell the difference between a failed login and a first attempt
    at a login. Typically one can figure this out by whether a cookie has
    been sent or not, so I've put some information to that effect in
    $r->prev->subprocess_env(). See the login script docs for specifics.

    I also cleaned up the documentation for the login script.


Version: 2.010 Date: 2000/06/17 01:37:16
    (merged changes from sub-releases into main CVS branch. Been living
    in CVS hell. My CVS-hubris got the better of me, tried to do things
    with tags & so forth and wound up severely confused. Thus the version
    numbers jumped a bit.)

    Made some minor documentation updates.


Version: 2.009 Date: 2000/06/14 15:54:00
    *** empty log message ***


Version: 2.008 Date: 2000/06/14 15:36:12
    Instead of replacing the Set-Cookie header when we set the cookie, add
    to it. This means we won't clobber other folks' unrelated cookies
    when we set ours. It also means you need at least mod_perl version
    1.24 (I think). [rlocke@infiniteinfo.com (Robert Locke)]


Version: 2.007.002.001 Date: 2000/05/14 18:06:30
    Added a PerlSetVar *Cache parameter that you can set to a true value
    to allow caching. Also removed cache control from regular requests -
    caching still happens on login & logout. [asparks@cpd.harris.com
    (Alan Sparks) and dtaylor@vialogix.com (Drew Taylor)]

    Split off the login-form-displaying code into its own method, called
    login_form(). Can be overridden in subclasses. The default method
    uses $r->custom_response() to display the login. [richter@ecos.de
    (Gerald Richter)]

    Added documentation for the send_cookie() method.


Version: 2.007.001.001 Date: 2000/04/29 20:03:51
    Created the send_cookie() method, which just creates the cookie and
    calls $r->err_header_out to send it to the browser. It is
    occasionally useful to override this method if you need to change the
    value of the cookie before sending it out (for instance, to update a
    timestamp). [mschout@gkg.net (Michael J Schout)]

    Changed the _cookie_string() method to cookie_string().

    Added a PerlSetVar configuration directive "{YourAuth}Secure" which
    will secure cookies (i.e. only send them over a secure connection).
    [mschout@gkg.net (Michael J Schout)]


Version: 2.007 Date: 2000/04/15 15:27:02
    branches: 2.7.1; 2.7.2;
    If the browser sends a cookie but it's not one related to our
    authentication, we formerly sent a blank cookie to the authentication
    methods. Now we act as if no cookie was sent.
    [asparks@cpd.harris.com (Alan Sparks)]

    Fixed a server error that occurred when a certain user was required,
    but a different valid user was logged in.
    [efujii@miis.edu (Eduardo Fujii)]

    Added a couple more debug statements that can help figure out what's
    happening when your auth isn't working.

    Improved some of the docs.

    Added some tricks to Makefile.PL to make my life easier.

    Changed the action of the example login forms from LOGIN to /LOGIN.
    [michael@bizsystems.com (Michael)]


Version: 2.006 Date: 2000/03/26 18:28:32
    Added the key() method, which will return the user's current session
    key, if any. This can be handy inside a method that implements a
    C<require> directive check (like the C<species> method discussed
    above) if you put any extra information like clearances or whatever
    into the session key.

    Added method-by-method documentation for each method in AuthCookie.


Version: 2.005 Date: 2000/03/24 15:20:30
    Removed the deprecated methods ->authen and ->authz. If you have
    configurations that use these methods, you must change to the newer
    ->authenticate and ->authorize methods.

    Changed a couple of 'Sample's in the documentation to
    'Sample::AuthCookieHandler'. [asparks@cpd.harris.com (Alan Sparks)]


Version: 2.004 Date: 2000/03/15 20:53:20
    Added documentation about the ability to set cookie domains. That
    ability actually appeared in 2.002, but I forgot to document it or add
    notes to the Changes file.


Version: 2.003 Date: 2000/03/14 21:08:02
    Now returns FORBIDDEN instead of AUTH_REQUIRED when authorization
    fails or when a user tries to access a protected doc.


Version: 2.002 Date: 2000/03/14 17:46:42
    Added an internal _cookie_string method that helps construct cookie
    strings. This shouldn't change any functionality, but makes my job
    easier.

    Added a couple of Makefile.PL questions that set the user & group
    tests should run under.


Version: 2.001 Date: 2000/02/11 04:46:59
    The login forms may now use the POST method instead of the GET method.
    This is a big deal, because with GET the user's credentials get logged
    to access logs, they remain in the user's browser history, and so on.
    Thanks to cholet@logilune.com (Eric Cholet) for the patch and prodding.

    There is now a proper test suite, which will fire up an httpd and make
    requests of it. The test code is adapted from Eric's old example
    (eg/) suite.

    I've added a logout() method to help unset cookies. The example
    logout.pl now uses logout(). Thanks to Aaron Ross
    (ross@mathforum.com).


Version: 2.000 Date: 2000/02/02 13:18:23
    First released version, bumped up revision number to 2.0

    Created indentify() and authorize() methods to replace authen() and
    authz(). authen() and authz() are now deprecated and will disappear
    in a later version.

    AuthType can now contain colons [adi@certsite.com (Adi)]

    Nonexistent method calls (via 'require' directive) are no longer
    shielded in authorization stage - if it fails it fails, and you get a
    server error.

    Multiple 'require' directives should work now - previously only the
    first directive was respected.

    Changed lots of documentation to reflect the above interface changes.


Version: 1.002 Date: 2000/01/27 22:07:13
    - Now owned by Ken Williams (ken@forum.swarthmore.edu)

    - Created indentify() and authorize() methods to replace authen()
      and authz(). authen() and authz() are now deprecated and will
      disappear in a later version.

    - AuthType can now contain colons [adi@certsite.com (Adi)]

    - Nonexistent method calls (via 'require' directive) are no longer
      shielded in authorization stage - if it fails it fails, and you
      get a server error.

    - Multiple 'require' directives should work now - previously only
      the first directive was respected.


Version: 1.001 Date: 2000/01/25 01:21:05
    Eric's original version from CPAN
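The destination rules from the 3.29/3.30 entries (EnforceLocalDestination, DefaultDestination) and the 3.11 CR/LF fix, worked through as an added Perl illustration; this is not Apache::AuthCookie's own code, and the sub names, the locality test and the choice to reject rather than escape CR/LF are assumptions.

```perl
#!/usr/bin/perl
# Added illustration of post-login destination handling. Not the module's
# implementation: sub names, the locality test and the reason strings are
# assumptions made for this example.
use strict;
use warnings;

# True when $dest is a same-origin path the login handler may redirect to:
# a single leading slash, no scheme, no authority, no control characters.
# "//host/" and "/\host/" are rejected because browsers read them as
# network-path references, which would turn the login form into an open
# redirect even though the string "looks" like a local path.
sub is_local_destination {
    my ($dest) = @_;
    return 0 unless defined $dest && length $dest;
    return 0 if $dest =~ /[\r\n\0]/;                     # header/XSS injection
    return 0 unless $dest =~ m{\A/};                     # absolute path only
    return 0 if $dest =~ m{\A/[/\\]};                    # protocol-relative URL
    return 0 if $dest =~ m{\A[A-Za-z][A-Za-z0-9+.-]*:};  # carries a scheme
    return 1;
}

# Pick the post-login redirect target.
#   $dest          - the form's "destination" parameter (may be undef)
#   $enforce_local - value of ${AuthName}EnforceLocalDestination
#   $default       - value of ${AuthName}DefaultDestination (may be undef)
# Returns ($target, $reason); $target is undef when nothing usable remains,
# which a handler should treat as an error rather than redirect blindly.
sub resolve_destination {
    my ($dest, $enforce_local, $default) = @_;
    my $invalid;

    if (!defined $dest || $dest eq '') {
        $invalid = 'destination missing';
    } elsif ($dest =~ /[\r\n]/) {
        $invalid = 'destination contains CR/LF';   # 3.11 escapes; we reject
    } elsif ($enforce_local && !is_local_destination($dest)) {
        $invalid = 'non-local destination rejected';
    }

    return ($dest, 'accepted') unless defined $invalid;
    return ($default, "$invalid, using default") if defined $default;
    return (undef, $invalid);
}

# Constructed cases: [destination, enforce_local, default]
my @cases = (
    ['/protected/page',        1, '/protected/user/'],
    ['http://evil.example/',   1, '/protected/user/'],
    ['//evil.example/',        1, '/protected/user/'],
    ['http://evil.example/',   0, '/protected/user/'],
    [undef,                    1, '/protected/user/'],
    ["/page\r\nX: injected",   0, undef],
);
for my $c (@cases) {
    my ($target, $reason) = resolve_destination(@$c);
    (my $shown = defined $c->[0] ? $c->[0] : '<undef>') =~ s/\r\n/\\r\\n/g;
    printf "%-24s enforce=%d -> %-18s (%s)\n",
        $shown, $c->[1], defined $target ? $target : '<none>', $reason;
}
```

The fourth case shows why EnforceLocalDestination matters: with it off, an absolute URL to another host is accepted unchanged, exactly the open-redirect shape the 3.29 option exists to close.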