[ic] CookieLogin and DifferentSecure directive

Todd L. Cawthron interchange-users@icdevgroup.org
Tue Oct 1 14:09:00 2002


This issue has been raised before on the list, but I have not found a real
answer in the list archives.  But, I think I found the problem in a
combination of Config.pm and UserDB.pm.  Perhaps Mike could comment?

Problem:
I want to set the MV_USERNAME cookie when a person logs in (so that their
username is automatically entered in the form the next time they log on),
but this isn't happening.

Configuration:
In catalog.cfg, Cookies is Yes, CookieLogin is Yes, CookieDomain is
.mydomain.com, and SaveExpire is 60 days, VendURL is
http://www.mydomain.com/dev/, and SecureURL is
https://secure.mydomain.com/dev/.
In my logon.html page, mv_cookie_username=1.
I am using Interchange 4.8.5 with Apache and mod_interchange.

Diagnosis:
Login cookies are set in lib/Vend/UserDB.pm in the subroutine
username_cookies.  Before it sets a cookie, it checks to see if
$Vend::Cfg->{DifferentSecure} and $CGI::secure are set.  I added some log
entries to check the contents of these variables.  In my case,
$Vend::Cfg->{DifferentSecure} is a hash reference and $CGI::secure = "on".

I then commented out the line that checks DifferentSecure and everything
worked great.  The cookie was set and I haven't noticed any side effects yet.

My question is, what is the purpose of DifferentSecure?  It is not
documented and, as far as I can tell, has no default value, and is not
explicitly set anywhere in the interchange code.  According to my grep of
the interchange directory, it is only used (by name anyway) in Config.pm and
UserDB.pm.  According to Config.pm, it is the same type of directive as
AlwaysSecure, which is "boolean".  Boolean in this case does not mean true
or false for one value (yesno does that), but instead indicates a list of
values.  Therefore, when DifferentSecure is referenced as
$Vend::Cfg->{DifferentSecure}, it will always be true because it is a hash
reference (even if the hash it is referencing is empty).

Is there a need for the DifferentSecure directive anymore?  If there is,
should its Config.pm type still be boolean?  If so, shouldn't the way its
value is checked be changed?

Thanks in advance for any comments or help.

--
Todd L. Cawthron
e-mail:  todd@lunsfordgroup.com
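
The behaviour described in the message above, as an added example that is not part of the original post and is not Interchange source code: a directive stored as a hash reference tests true even when the hash is empty. The helper names, the sample value `somepage`, and the assumption that the check skips the cookie when both conditions are true are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical stand-in for a list-type ("boolean") directive parser:
# turns a whitespace-separated value into a hash ref of name => 1.
# An unset directive yields a reference to an EMPTY hash.
sub parse_list_directive {
    my ($value) = @_;
    my %set = map { $_ => 1 } split ' ', ($value // '');
    return \%set;
}

# Check as described in the post: the reference itself is tested,
# so the result is true even when the hash has no entries.
# Assumption: a true result means the login cookie is skipped.
sub skip_cookie_ref_test {
    my ($cfg, $secure) = @_;
    return ($cfg->{DifferentSecure} && $secure) ? 1 : 0;
}

# Alternative check: look at the hash contents, not the reference.
sub skip_cookie_content_test {
    my ($cfg, $secure) = @_;
    my $ds = $cfg->{DifferentSecure};
    my $is_set = ref($ds) eq 'HASH' ? scalar(keys %$ds) : $ds;
    return ($is_set && $secure) ? 1 : 0;
}

# Constructed cases: directive unset vs. directive with one listed value,
# each on a secure ("on") and a non-secure ("") request.
for my $case (['(unset)', undef], ['listed value', 'somepage']) {
    my ($label, $raw) = @$case;
    my $cfg = { DifferentSecure => parse_list_directive($raw) };
    for my $secure ('on', '') {
        printf "%-13s secure=%-4s ref_test=%d content_test=%d\n",
            $label, "'$secure'",
            skip_cookie_ref_test($cfg, $secure),
            skip_cookie_content_test($cfg, $secure);
    }
}
```

With the directive unset and the request secure, the reference test reports that the cookie is skipped while the content test does not; the two tests agree in the other three cases.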