[mapserver-users] Variable Substitution
Julien-Samuel Lacroix
jlacroix at mapgears.com
Thu Sep 10 06:36:30 PDT 2009
Hi,
You can't pass authentication information through cookies anyway. They
can easily be overwriten by the user. You should probably have a proxy
in front of your mapserver that does the authentication.
There's a couple of access control systems that will be presented at
FOSS4G in october. There may be one that may interest you.
Julien
Martin Kofahl wrote:
> Hi Julien,
> I think I missed something in my configuration as I thought, a cookie set using apaches rewrite mechanism is already visible for mapserv in the first request.
>
> But now there's a general problem when using this technique with separate authentication mechanisms: a cookie is handled equate with get/post-request parameters and is processed last. Thus, when using a variable in a data statement, e.g. 'select ... where uid=%user%', one can easily override a cookie holding the username by adding '&user=foreign_account' to the request_uri.
>
> So I'm not perfectly satisfied using this for authorization purposes. What do you think?
>
> Martin
>
>
>
> -------- Original-Nachricht --------
>> Datum: Wed, 09 Sep 2009 09:44:14 -0400
>> Von: Julien-Samuel Lacroix <jlacroix at mapgears.com>
>> An: Martin Kofahl <M.Kofahl at gmx.net>
>> CC: mapserver-users at lists.osgeo.org
>> Betreff: Re: [mapserver-users] Variable Substitution
>
>> Hi,
>>
>> Looking at the code in loadParams() in cgiutil.c, the cookies are added
>> to the GET or POST variables automatically. There's nothing special to do.
>>
>> Julien
>>
>> Martin Kofahl wrote:
>>> Hi,
>>> the documentation at http://mapserver.org/mapfile/variable_sub.html
>> tells about using cookies for variable substitution. Can someone provide a
>> working example? I can get substitution working by using get/post request
>> parameters only.
>>> Martin
>>>
>
--
Julien-Samuel Lacroix
Mapgears
http://www.mapgears.com/
More information about the MapServer-users
mailing list