[mapserver-users] Variable Substitution

Martin Kofahl M.Kofahl at gmx.net
Thu Sep 10 01:35:09 EDT 2009


Hi Julien,
I think I missed something in my configuration, as I thought a cookie set using Apache's rewrite mechanism is already visible to mapserv in the first request.

But now there's a general problem when using this technique with separate authentication mechanisms: a cookie is handled equally with GET/POST request parameters and is processed last. Thus, when using a variable in a data statement, e.g. 'select ... where uid=%user%', one can easily override a cookie holding the username by adding '&user=foreign_account' to the request_uri.

So I'm not perfectly satisfied using this for authorization purposes. What do you think?

Martin



-------- Original Message --------
> Date: Wed, 09 Sep 2009 09:44:14 -0400
> From: Julien-Samuel Lacroix <jlacroix at mapgears.com>
> To: Martin Kofahl <M.Kofahl at gmx.net>
> CC: mapserver-users at lists.osgeo.org
> Subject: Re: [mapserver-users] Variable Substitution

> Hi,
> 
> Looking at the code in loadParams() in cgiutil.c, the cookies are added 
> to the GET or POST variables automatically. There's nothing special to do.
> 
> Julien
> 
> Martin Kofahl wrote:
> > Hi,
> > the documentation at http://mapserver.org/mapfile/variable_sub.html tells about using cookies for variable substitution. Can someone provide a working example? I can get substitution working by using get/post request parameters only.
> > 
> > Martin
> > 
> 
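
A front-end check for the override described in the message above, as an added example that is not part of the original thread or of MapServer's code: it flags any request in which a client-supplied GET/POST parameter carries the name of a substitution variable that should only arrive via the authentication cookie. It assumes `user` is that variable and that requests pass through a gateway you control before reaching mapserv; the function name and sample requests are constructed for illustration.

```python
from urllib.parse import parse_qsl

# Assumption: substitution variables that must only come from the cookie set
# by the authentication layer ('user' is the one named in the message).
PROTECTED_VARS = {"user"}

FORM_TYPE = "application/x-www-form-urlencoded"


def shadowing_params(query_string, body=b"", content_type=""):
    """Return the protected names a client supplied as GET or POST parameters.

    An empty list means the request can be forwarded; anything else means a
    request parameter would compete with the cookie value for %user%.
    """
    pairs = parse_qsl(query_string, keep_blank_values=True)
    # Only form-encoded bodies are parsed as parameters; other bodies are ignored.
    if content_type.split(";")[0].strip().lower() == FORM_TYPE:
        pairs += parse_qsl(body.decode("latin-1"), keep_blank_values=True)
    # parse_qsl percent-decodes names, so 'us%65r=x' is caught as 'user'.
    # Comparison is case-insensitive to err on the side of rejecting.
    supplied = {name.strip().lower() for name, _ in pairs}
    return sorted(supplied & PROTECTED_VARS)


if __name__ == "__main__":
    # Constructed sample requests: (query string, body, content type).
    samples = [
        ("map=/maps/a.map&layer=roads", b"", ""),
        ("map=/maps/a.map&user=foreign_account", b"", ""),
        ("map=/maps/a.map&us%65r=foreign_account", b"", ""),
        ("map=/maps/a.map", b"user=foreign_account", FORM_TYPE),
    ]
    for qs, body, ctype in samples:
        hits = shadowing_params(qs, body, ctype)
        verdict = "REJECT " + ",".join(hits) if hits else "forward"
        print(f"{verdict:15} {qs} {body!r}")
```

Rejecting (or stripping) these parameters at the gateway keeps the cookie as the only source of the value, whichever order the CGI merges the two.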

