A question came up at the last Web Council Meeting about protecting a directory with Pubcookie. The page loaded, but CSS, JavaScript, and images didn’t. This can almost always be fixed by using PubcookieAppID in your .htaccess file.
Pubcookie sends multiple cookies to your browser, one for each application. If you specify PubcookieAppID, that name will be used. If you don’t, then a name will be created based on the URI.
As an example, let’s say I protect the URI /test/ with the .htaccess file containing:

    AuthType UWNetID
    require valid-user

After authenticating, I’ll have a cookie named pubcookie_s__test_, which is pubcookie_s_ followed by the path (with each “/” replaced by “_”); the application ID would be _test_. If my page points to an image at /test/graphics/test.gif, Pubcookie will assume the application ID is _test_graphics_, but I’ve only authenticated to _test_. Since the HTML that Pubcookie returns to start authentication doesn’t look like an image, the browser will just show the broken image icon. If I view the image explicitly, the browser will follow the Pubcookie authentication loop, giving me access to the _test_graphics_ application ID, and I can see the image. Once I have access to both the _test_ and _test_graphics_ application IDs, I can see the image embedded in my page.
As with images, the browser will not be able to load CSS or JavaScript files (or any other embedded objects) that are in different directories unless I have authenticated for that directory (and therefore that application ID).
If I add the command to set the Pubcookie Application ID in the .htaccess file:

    AuthType UWNetID
    PubcookieAppID "Test Application"
    require valid-user

I’ll get a cookie named pubcookie_s_Test+Application. The values in the .htaccess file will propagate to subdirectories, so all accesses to the graphics subdirectory will use the same cookie and the images will be instantly visible.
Pubcookie Application IDs are directory agnostic, so you can even use the same application ID in completely different directories.
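To check a page for this problem before publishing it, the added example below (not code from this post or from Pubcookie) models the naming rule exactly as described above and lists the embedded objects that would need a different session cookie than the page itself. The host name and sample HTML are constructed, and the script assumes the page’s own directory is the one holding the .htaccess file.

```python
# Added example: models the cookie naming described on this page, not Pubcookie's source.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

def default_app_id(path):
    """Default application ID: the directory part of the URI with '/' replaced by '_'."""
    return path[: path.rfind("/") + 1].replace("/", "_")

def cookie_name(app_id):
    # The page shows "Test Application" becoming pubcookie_s_Test+Application.
    return "pubcookie_s_" + app_id.replace(" ", "+")

class _Refs(HTMLParser):
    ATTRS = {"img": "src", "script": "src", "link": "href"}  # embedded objects
    def __init__(self):
        super().__init__()
        self.refs = []
    def handle_starttag(self, tag, attrs):
        want = self.ATTRS.get(tag)
        self.refs += [v for k, v in attrs if k == want and v]

def unauthenticated_resources(page_url, html, explicit_app_id=None):
    """Map each embedded path to the cookie it needs, when that differs from the page's."""
    page = urlparse(page_url)
    page_dir = page.path[: page.path.rfind("/") + 1]  # assumed home of .htaccess
    page_cookie = cookie_name(explicit_app_id or default_app_id(page.path))
    parser = _Refs()
    parser.feed(html)
    missing = {}
    for ref in parser.refs:
        target = urlparse(urljoin(page_url, ref))
        if target.netloc != page.netloc or not target.path.startswith(page_dir):
            continue  # not covered by this directory's .htaccess
        needed = cookie_name(explicit_app_id or default_app_id(target.path))
        if needed != page_cookie:
            missing[target.path] = needed
    return missing

# Constructed sample page served from /test/index.html
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="css/site.css">
<script src="/test/js/app.js"></script>
</head><body><img src="graphics/test.gif"><img src="logo.gif"></body></html>"""
SAMPLE_URL = "https://www.example.edu/test/index.html"

if __name__ == "__main__":
    print(unauthenticated_resources(SAMPLE_URL, SAMPLE_HTML))
    print(unauthenticated_resources(SAMPLE_URL, SAMPLE_HTML, "Test Application"))
```

An empty result means every embedded object in the protected directory shares the page’s session cookie.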