Revision history for Apache::AuthCookie

3.30  2020-04-14
   - Fix logic error for EnforceLocalDestination
   - Add a bunch of tests to cover all scenarios of EnforceLocalDestination and
     DefaultDestination

3.29  2020-03-22
   - Add optional support for enforcing a local destination, like so:

        PerlSetVar MyAuthEnforceLocalDestination 1

   - Add optional support for specifying a default destination when the login
     form's destination argument is unspecified or invalid (including
     non-local if local destinations are enforced), like this:

        PerlSetVar MyAuthDefaultDestination /protected/user/
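   The following is an added illustration of what "enforcing a local
   destination" has to reject before the login handler redirects to the
   form's destination argument.  It is example code written for this page,
   not AuthCookie's own implementation; the helper names are hypothetical
   and the test vectors are constructed.  It accepts only a path-absolute,
   same-origin destination and otherwise falls back to a default, which is
   the role the *DefaultDestination setting plays.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper, not AuthCookie's code.  True only for a destination
# that stays on this server: a path-absolute URL reference with no scheme,
# no authority and no control characters.
sub is_local_destination {
    my ($dest) = @_;
    return 0 unless defined $dest && length $dest;

    # Check the form that will actually end up in the Location header.  A
    # percent-encoded "%2F%2Fevil.example" is harmless as a path only as
    # long as nothing decodes it again before the redirect is built, so
    # decode first and judge the decoded value.
    (my $decoded = $dest) =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;

    # Exactly one leading "/": rejects "http://evil.example" (absolute URL),
    # "//evil.example" (scheme-relative) and "/\evil.example" (browsers
    # treat a backslash like a slash here).
    return 0 unless $decoded =~ m{\A/(?![/\\])};

    # CR, LF and the other control characters would let the redirect
    # target split the response or inject headers; none belong in a path.
    return 0 if $decoded =~ /[\x00-\x1f\x7f]/;

    return 1;
}

# Where to send the user after login: the requested destination if it
# passes, otherwise the configured default.
sub choose_destination {
    my ($requested, $default) = @_;
    return is_local_destination($requested) ? $requested : $default;
}

# Constructed test vectors: [ destination, expected verdict ].
my @cases = (
    [ '/protected/user/',                 1 ],
    [ '/protected/?next=x',               1 ],
    [ 'http://evil.example/',             0 ],
    [ '//evil.example/',                  0 ],
    [ '/\\evil.example/',                 0 ],
    [ '/%2F%2Fevil.example/',             0 ],
    [ "/protected/\r\nSet-Cookie: x=y",   0 ],
    [ '',                                 0 ],
    [ undef,                              0 ],
);

for my $case (@cases) {
    my ($dest, $want) = @$case;
    my $got = is_local_destination($dest) ? 1 : 0;
    printf "%-4s %s\n", ($got == $want ? 'ok' : 'FAIL'),
        defined $dest ? $dest : '(undef)';
}

print "redirecting to: ",
    choose_destination('//evil.example/', '/protected/user/'), "\n";
```

   The check deliberately refuses anything with an authority component rather
   than comparing host names: an allow-list of hosts is easy to get wrong, and
   a post-login redirect never needs to leave the server that issued the
   cookie.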

3.28  2019-11-19
   - Add support for SameSite cookie property (can be strict/lax).
   - Minor POD updates.

3.27  2017-07-28
   - Fix POD spelling error [#118545].

3.26  2016-09-30
   - remove unused module Apache::AuthCookie::Autobox from dist
   - remove CGI.pm dependency.  CGI.pm has been removed from perl core, which
     was the primary reason we used it in the first place.  Replaced with
     dependency on lighter weight set of three modules:

        * HTTP::Body
        * WWW::Form::UrlEncoded
        * Hash::MultiValue

     Also recommended (but not required) is WWW::Form::UrlEncoded::XS
   - Add optional support for charset encoding.  If you have something like

        PerlSetVar MyAuthNameEncoding UTF-8

     then AuthCookie will automatically decode parameters using the given
     encoding.  AuthCookie params() data will be decoded automatically if
     this is on.  See details in AuthCookie module documentation.  In addition
     r->user will be encoded (using byte semantics) using this encoding.

     ***** IMPORTANT *****
     If you turn this on, this could break your code.  r->user() will now be
     byte encoded using the given encoding.  If you use usernames that contain
     non-ascii characters you either need to use decoded_user(), or decode
     r->user() yourself in your subclasses.

     See the AuthCookie docs for more details.
   - add optional support for decoding httpd.conf requires directives. This is
     enabled with a RequiresEncoding setting:

        PerlSetVar MyAuthNameRequiresEncoding UTF-8

     Then decoded_requires($r) will return the decoded value of $r->requires.
     You only need this if you have non-ascii characters in your requires
     directives such as:

        Requires user programmør

   - add decoded_user($r) method to get the value of r->user decoded using
     character semantics instead of bytes.  Due to the fact that r->user is a C
     API method we cannot get character semantics on r->user directly.  If no
     Encoding directive is in effect, then this is the same as r->user.
   - add encoding($r): string which returns the value of the Encoding directive
     that is in effect for the current request.
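   The byte-versus-character mismatch behind the IMPORTANT note above, as an
   added example that is not AuthCookie's code.  It needs no mod_perl: the
   variables standing in for r->user and for the bytes of a "Requires user"
   line are constructed here, and the two comparison helpers are hypothetical.
   It shows why a subclass that compares r->user against a character string
   stops matching once Encoding is on, why decoding both sides fixes it, and
   what happens when httpd.conf is not actually saved in the encoding that
   RequiresEncoding names.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use utf8;                           # string literals below are characters
use Encode qw(encode decode);

my $encoding   = 'UTF-8';
my $user_chars = 'programmør';      # constructed: what the user typed

# Stand-in for r->user with "...Encoding UTF-8" in effect: a byte string.
my $r_user = encode($encoding, $user_chars);

# Stand-in for $r->requires: Apache hands back the raw bytes of httpd.conf,
# here a file saved as UTF-8 ...
my $requires_utf8 = encode($encoding, 'programmør');
# ... and the same line from a file that was saved as Latin-1 instead.
my $requires_latin1 = encode('iso-8859-1', 'programmør');

# How an unported subclass compares: bytes from r->user against a
# character string.  Fails for any non-ASCII name.
sub naive_match {
    my ($r_user_bytes, $wanted_chars) = @_;
    return $r_user_bytes eq $wanted_chars ? 1 : 0;
}

# What decoded_user() and decoded_requires() make possible: decode both
# sides to characters with the configured encoding, then compare.
sub decoded_match {
    my ($r_user_bytes, $requires_bytes, $enc) = @_;
    my $user   = decode($enc, $r_user_bytes);
    my $wanted = decode($enc, $requires_bytes);
    return $user eq $wanted ? 1 : 0;
}

printf "r->user is %d bytes; the typed name is %d characters\n",
    length $r_user, length $user_chars;
printf "naive   match (bytes vs characters): %d\n",
    naive_match($r_user, $user_chars);
printf "decoded match (UTF-8 httpd.conf):    %d\n",
    decoded_match($r_user, $requires_utf8, $encoding);
# The Latin-1 byte 0xF8 is malformed UTF-8; decode() substitutes U+FFFD
# by default, so the comparison silently fails rather than dying.
printf "decoded match (Latin-1 httpd.conf):  %d\n",
    decoded_match($r_user, $requires_latin1, $encoding);
```

   The last case is the one to test for when enabling RequiresEncoding: a
   mismatch between the declared encoding and the bytes on disk does not
   raise an error, it just denies every user named in the directive.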

3.25  2016-08-30
   - 2.4: fix POD typo and add missing ABSTRACT
   - reorganize real.t tests into subtests
   - make sure signature test ignores generated files
   - remove autobox dependency
   - fix authenticate so that r->user is copied from r->main on subrequests.
     Previously this was only done for internal redirects (r->prev is defined).
     This fixes DirectoryIndexes on AuthCookie enabled directories under apache
     2.4.

3.24  2016-01-13
   - Update Apache 2.4 README, flesh out guts of Authz Provider notes.
   - Improve Apache 2.4 README's AuthzProvider documentation
   - Add POD to Apache2_4::AuthCookie
   - Add FAQ to Apache2_4::AuthCookie documentation
   - 2.4: document that PerlAddAuthzProvider is only needed for *custom* Requires directives.
   - 2.4: make authz_handler recognize multiple usernames in the directive like
     mod_authz_user does.
   - add test case for internal authz_handler
   - explicitly require Apache::Test 1.39 so that APACHE2_4 defines are set

3.23  2015-09-10
   - Improve CGI mode param() handling to avoid CGI.pm's "param() called in list context" warning.
   - add support for Apache 2.4 via mod_perl 1.09.
     ***** IMPORTANT *****
     Apache 2.4 has a *VERY* different API for authentication.  You will need
     to port your subclass and configuration over to the Apache 2.4 API in
     order to use Apache 2.4!  Please be sure to read README.apache-2.4.pod for
     porting instructions!

3.22  2014-05-07

3.21  2014-05-07
   - Bad release - deleted

3.20  2013-12-09
   - login_form: return OK for mobile IE 10, which also ignores content for
     FORBIDDEN response.
   - test .pl registry scripts: do not try to load mod_perl.pm
   - escape html tags in destination.
   - fix abstract in FAQ pod.

3.19  2012-12-28
   - split out CGI data handling into ::AuthCookie::Params modules
   - use Apache::Request/Apache2::Request from libapreq if available. Otherwise,
     fall back to CGI.pm for handling CGI data.
   - improve "removed cookie" debug log message
   - add dependencies: autobox, Class::Load
   - allow username to be '0'
   - login_form: return OK for SymbianOS, which ignores content for FORBIDDEN responses.
   - add login_form_status() to override HTTP status returned by login form
   - recognize_user: return DECLINED if user is not recognized

3.18  2011-01-24
   - remove 3.17's test skip hacks, and bump Apache::Test prerequisite to v1.35
     which fixes this issue.
   - fix MANIFEST.SKIP to ignore generated t/conf/mime.types
   - remove dist.ini, weaver.ini from dists
   - fixed t/real.t to use correct -withtestmore import syntax
   - rename sample authcookie handlers to Sample::Apache and Sample::Apache2
     namespaces

3.17  2011-01-19
   - skip the test suite if running as root.  Apache::Test 1.34 fails the test
     suite if running as root instead of skipping it.  By skipping, AuthCookie
     can be installed via CPAN.pm as root.

3.16  2011-01-19
   - require Apache::Test 1.32 - fixes ubuntu build issue
   - remove mod_perl/mod_perl2 related prereq's from META.yml.  The correct mod
     perl version is not known until Makefile.PL is run.  CPAN.pm should not
     try to install either one until it is known which one is appropriate.
     (RT 64926)

3.15  2010-08-27
   - enable Dist::Zilla Manifest plugin
   - add FAQ
   - add FAQ entry on how to protect an entire site/document root
   - recognize_user: return DECLINED if user is already set
   - refactor P3P header generation into send_p3p($r) so subclasses can overload it

3.14  2010-04-12
   - MP2: doc updates: remove beta warnings, change Apache::AuthCookie to
     Apache2::AuthCookie where appropriate.
   - docs: change my email to my cpan address
   - docs: remove POST limitations reference (handled by POST to GET conversion)
   - sign dist with Module::Signature
   - add signature test
   - MP1: perltidy Apache::AuthCookie sources.
   - update mod_perl2 prereq version (still 2.0.0 RC5, but version number was
     incorrect in Makefile.PL)
   - use Dist::Zilla for building the dist

3.13  2010-04-12
   - removed: bad dist

Version: 3.12
   - Makefile.PL If no mod_perl version is found, just require mod_perl2.
     This makes sure that CPAN testers will get the right dependencies.
     Also set up PREREQ_PM properly for mod_perl version 1.

Version: 3.11
   - Fix tiny pod doc error.
   - Escape CR and LF in 'destination' field to prevent possible XSS attack
     [Steffen Schwigon]

Version: 3.10
   - Bug Fix: when copying user from prev request, check that $r->prev
     is defined, not just that $r->is_initial_request is true.

Version: 3.09
   - POD doc fixes.
   - MP2: remove _check_request_req() - this was only necessary when
     running under both MP1 and MP2.  Package name change eliminates the
     need for this.
   - test suite converted to Test::More style test suites.
   - descriptive test descriptions added
   - make login() stash credentials in $r->pnotes("${AuthName}Creds") so
     that the login form can access the user-supplied credentials if the
     login fails.
   - bug fix: use of Apache2::URI::unescape_url() does not handle
     '+' to ' ' conversion.  This caused problems for credentials
     that contain spaces.
   - MP2: remove mod_perl features from "use mod_perl2" line. This is
     no longer supported by mod_perl2.
   - MP2: _get_form_data() - switch to CGI.pm to handle form data (fixes
     several form data handling bugs)
   - In a subrequest, copy $r->prev->user to $r->user (or r->connection->user
     for MP1).
   - remove Apache2::AuthCookie::Util - no longer necessary
   - multi-valued form fields are now handled properly in POST -> GET conversion
   - MP2: require CGI.pm 3.12 or later

Version: 3.08
   - fix "authorize user" error log that was missing a debug level check
     (thanks Barry)
   - fix test cases 3, 6, 18 for Win32
   - clean up t/real.t

Version: 3.07
 *** mod_perl2 users: THIS RELEASE IS INCOMPATIBLE WITH PAST RELEASES    ***
 *** If you are running mod_perl2, you must update to at least           ***
 *** mod_perl 2.0.0 RC5.  The mod_perl2 version of AuthCookie has been   ***
 *** renamed to Apache2::AuthCookie                                      ***
  ** MP2: RENAME AuthCookie.pm.mp2 to Apache2::AuthCookie.
   - MP2: Update module, and tests for mod_perl 2.0.0 RC5.  mod_perl2 users
     MUST use Apache2::AuthCookie now.
   - Require Apache::Test 1.22
   - Add support for ${auth_name}SessionTimeout configuration parameter
     which will re-issue the ticket with the expires parameter set to the
     value of this configuration setting for each request.  This is useful for
     idle-timeout.
   - POD fixes.
   - MP2: fix uninitialized warnings if no POST/GET data (RT 11371)
   - make sure recognize_user() returns an Apache constant in all cases.
     Returns DECLINED in cases where we were returning undef before.
     (Thanks Vivek)
   - Add support for MS HttpOnly cookie property.

Version: 3.06
  ** BUG FIX: AuthNameSatisfy (Any|All) directives were broken. AuthCookie
     was using AuthCookieSatisfy rather than ${auth_name}Satisfy.  If you
     used this feature and had an "AuthCookieSatisfy" directive in your
     config file, you MUST change this to ${auth_name}Satisfy.
     E.g.: "WhateverSatisfy All"
   - created better test cases for AuthNameSatisfy directives.
   - when redirecting, set Location with headers_out() not err_headers_out().
     apache prefers Location in headers_out, even if the status code is not
     200.
   - MP2: Apache::unescape_url() -> Apache::URI::unescape_url()
   - check for mod_perl 1.9913 or later for Apache::URI (Frederick Moyer)
   - Remove set status in login.pl which caused malformed custom error
     document (Frederick Moyer)
   - Add support for ${auth_name}CookieName to change the name of the cookie
     used for each auth name.  Default remains ${auth_name}_${auth_type} if
     not set.
   - make some debug log_error() calls conditional on $debug

Version: 3.05
   - Fix POD documentation bug (thanks Steve van der Burg)
   - login(): set Location header with err_headers_out rather than headers_out
     (Casey West)
   - put cookie removal code in remove_cookie() method, put cache handling
     code in handle_cache() (Mark A. Hershberger)
   - reorganized tree to support multiple mod_perl versions.
   - rewrote tests to use Apache::Test framework from CPAN.
   - fix POD errors in authorize() documentation.
   - initial support for mod_perl version 2
   - mp2: check for Apache::RequestRec arg so that unported subclasses
     throw exceptions.

Version: 3.04
   - add _convert_to_get() to login_form(), and make POST -> GET conversion
     skip credentials and destination data so only extra data is copied. This
     ensures that "destination" won't contain the login data.

Version: 3.03
   - various POD typos fixed (Eric Cholet)
   - Add support for ${AuthName}P3P which will set up a P3P header that will
     be sent with the cookie.
   - fix undefined warning in _convert_to_get (David K Trudgett)
   - fix potential cookie clobbering if cookie was set in earlier handler
     phase in send_cookie() (Carlyn Hicks).
   - various undefined value warnings eliminated

Version: 3.02
   - Add support for AuthNameSatisfy directive (can be Any/All, default: Any)
   - Move cookie path setting into get_cookie_path() so that users can
     overload this function if they desire (Thanks Raj Chandran)
   - POST -> GET conversion was broken (r->content called twice). Fixed.

Version: 3.01
   - adopted support for custom_errors() hook from michael@bizsystems.com.
   - Fixed incorrect documentation in authorize() (thanks to David Young).
   - login() handler changes:
       o if "destination" isn't in posted data, set AuthCookieReason to
         no_cookie and return to login_form (previously just returned
         SERVER_ERROR).
       o if authen_cred() returns false, set AuthCookieReason to
         bad_credentials and return to the login form.
       o try to handle POST -> GET conversion.
   - CGI::Util dependency removed (these are internal subroutines for CGI.pm)
   - ${AuthName}Path will default to "/" if it is not specified (MSIE 6.0
     won't set cookies without path)
   - fix login() handler change so that destination doesn't get lost on
     subsequent login attempts (thanks Phillip Molter)

Version: 3.00
   - New maintainer: Michael Schout <mschout@gkg.net>
   - changed to hard coded $VERSION rather than RCS Revision style.
   - Revamped testing code to use Apache::test (with minor mods).
   - Added support for ${AuthName}Expires parameter that can be used
     to make your cookie persistent.
   - CGI::Util is now used for parsing the "Expires" parameter. If you are
     missing this package, you probably need to upgrade your CGI.pm package.

Version: 2.011  Date: 2000/06/17 08:01:19
   Several people have requested a mechanism for the login script to be
   able to tell the difference between a failed login and a first attempt
   at a login.  Typically one can figure this out by whether a cookie has
   been sent or not, so I've put some information to that effect in
   $r->prev->subprocess_env().  See the login script docs for specifics.

   I also cleaned up the documentation for the login script.


Version: 2.010  Date: 2000/06/17 01:37:16
   (merged changes from sub-releases into main CVS branch.  Been living
   in CVS hell.  My CVS-hubris got the better of me, tried to do things
   with tags & soforth and wound up severely confused.  Thus the version
   numbers jumped a bit.)

   Made some minor documentation updates.


Version: 2.009  Date: 2000/06/14 15:54:00
   *** empty log message ***


Version: 2.008  Date: 2000/06/14 15:36:12
   Instead of replacing the Set-Cookie header when we set the cookie, add
   to it.  This means we won't clobber other folks' unrelated cookies
   when we set ours.  It also means you need at least mod_perl version
   1.24 (I think).  [rlocke@infiniteinfo.com (Robert Locke)]


Version: 2.007.002.001  Date: 2000/05/14 18:06:30
   Added a PerlSetVar *Cache parameter that you can set to a true value
   to allow caching.  Also removed cache control from regular requests -
   caching still happens on login & logout.  [asparks@cpd.harris.com
   (Alan Sparks) and dtaylor@vialogix.com (Drew Taylor)]

   Split off the login-form-displaying code into its own method, called
   login_form().  Can be overridden in subclasses.  The default method
   uses $r->custom_response() to display the login. [richter@ecos.de
   (Gerald Richter)]

   Added documentation for the send_cookie() method.


Version: 2.007.001.001  Date: 2000/04/29 20:03:51
   Created the send_cookie() method, which just creates the cookie and
   calls $r->err_header_out to send it to the browser.  It is
   occasionally useful to override this method if you need to change the
   value of the cookie before sending it out (for instance, to update a
   timestamp).  [mschout@gkg.net (Michael J Schout)]

   Changed the _cookie_string() method to cookie_string().

   Added a PerlSetVar configuration directive "{YourAuth}Secure" which
   will secure cookies (i.e. only send them over a secure connection).
   [mschout@gkg.net (Michael J Schout)]


Version: 2.007  Date: 2000/04/15 15:27:02
   branches:  2.7.1;  2.7.2;
   If the browser sends a cookie but it's not one related to our
   authentication, we formerly sent a blank cookie to the authentication
   methods.  Now we act as if no cookie was sent.
   [asparks@cpd.harris.com (Alan Sparks)]

   Fixed a server error that occurred when a certain user was required,
   but a different valid user was logged in.
   [efujii@miis.edu (Eduardo Fujii)]

   Added a couple more debug statements that can help figure out what's
   happening when your auth isn't working.

   Improved some of the docs.

   Added some tricks to Makefile.PL to make my life easier.

   Changed the action of the example login forms from LOGIN to /LOGIN.
   [michael@bizsystems.com (Michael)]


Version: 2.006  Date: 2000/03/26 18:28:32
   Added the key() method, which will return the user's current session
   key, if any.  This can be handy inside a method that implements a
   C<require> directive check (like the C<species> method discussed
   above) if you put any extra information like clearances or whatever
   into the session key.

   Added method-by-method documentation for each method in AuthCookie.


Version: 2.005  Date: 2000/03/24 15:20:30
   Removed the deprecated methods ->authen and ->authz.  If you have
   configurations that use these methods, you must change to the newer
   ->authenticate and ->authorize methods.

   Changed a couple of 'Sample's in the documentation to
   'Sample::AuthCookieHandler'.  [asparks@cpd.harris.com (Alan Sparks)]


Version: 2.004  Date: 2000/03/15 20:53:20
   Added documentation about the ability to set cookie domains.  That
   ability actually appeared in 2.002, but I forgot to document it or add
   notes to the Changes file.


Version: 2.003  Date: 2000/03/14 21:08:02
   Now returns FORBIDDEN instead of AUTH_REQUIRED when authorization
   fails or when a user tries to access a protected doc.


Version: 2.002  Date: 2000/03/14 17:46:42
   Added an internal _cookie_string method that helps construct cookie
   strings.  This shouldn't change any functionality, but makes my job
   easier.

   Added a couple of Makefile.PL questions that set the user & group
   tests should run under.


Version: 2.001  Date: 2000/02/11 04:46:59
   The login forms may now use the POST method instead of the GET method.
   This is a big deal, because with GET the user's credentials get logged
   to access logs, they remain in the user's browser history, and so on.
   Thanks to cholet@logilune.com (Eric Cholet) for the patch and prodding.

   There is now a proper test suite, which will fire up an httpd and make
   requests of it.  The test code is adapted from Eric's old example
   (eg/) suite.

   I've added a logout() method to help unset cookies.  The example
   logout.pl now uses logout().  Thanks to Aaron Ross
   (ross@mathforum.com).


Version: 2.000  Date: 2000/02/02 13:18:23
   First released version, bumped up revision number to 2.0

   Created identify() and authorize() methods to replace authen() and
   authz().  authen() and authz() are now deprecated and will disappear
   in a later version.

   AuthType can now contain colons [adi@certsite.com (Adi)]

   Nonexistent method calls (via 'require' directive) are no longer
   shielded in authorization stage - if it fails it fails, and you get a
   server error.

   Multiple 'require' directives should work now - previously only the
   first directive was respected.

   Changed lots of documentation to reflect the above interface changes.


Version: 1.002  Date: 2000/01/27 22:07:13
     - Now owned by Ken Williams (ken@forum.swarthmore.edu)

     - Created identify() and authorize() methods to replace authen()
       and authz().  authen() and authz() are now deprecated and will
       disappear in a later version.

     - AuthType can now contain colons [adi@certsite.com (Adi)]

     - Nonexistent method calls (via 'require' directive) are no longer
       shielded in authorization stage - if it fails it fails, and you
       get a server error.

     - Multiple 'require' directives should work now - previously only
       the first directive was respected.


Version: 1.001  Date: 2000/01/25 01:21:05
   Eric's original version from CPAN


