CoSign: Collaborative Single Sign-On  

cosign-discuss at
general discussion of cosign development and deployment

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

COSIGN: note: login form action="/"

This isn't really cosign, per se, but it came up in a discussion with someone trying to implement cosign yesterday so I thought I'd share with the group. Those of you who've set up your own weblogin server (cosign.cgi, cosignd, monster) or read the weblogin server README probably know that, on Michigan's weblogin server, we do the following in the apache conf:

1. set up cosign.cgi as DirectoryIndex and make cosign.cgi's home DocumentRoot
2. set up AddHandler cgi-script for files ending in .cgi
3. turn on ExecCGI for DocumentRoot

This has the effect of letting us give out:

as our url without using mod_rewrite or similar tricks to hide the cgi from the url -- also without redirecting or modifying the URL in any way (e.g. never even though that would, of course, work perfectly). This let's us use "/" as the action for our login form.

The problem we ran into shows up if you decide to move cosign.cgi down into a subdirectory, e.g.:

If you use the same apache configs we do and then try to set the action of your login form as:


you won't be able to submit your form (submitting will always just return you to the login screen). This happens because apache gets the form's POST to a path that doesn't exist ( "/login" ) and redirects the request to "/login/". As you might expect, though, this redirect happens as a GET, the POSTed information is lost, and all apache can do is display the DirectoryIndex. This is pretty much exactly what happens when you ask for http://servername/docs when what you want is http://servername/docs/index.html -- Apache redirects the url to handle the display of the DirectoryIndex. As an interesting wrinkle, if you happen to use Lynx as your UA during testing you'll be asked if you'd like to go ahead and rePOST your information to the newly redirected URI presented by Apache. :)

The fix is setting your action to:


so the initial redirect won't happen and the POST can go where you, and cosign.cgi, expect it to. Seemed like something folks might run into and find subtle. Also it points up that our Apache config might not be the most obvious thing in the world. I'd be happy to hear other suggestions for a setup that would allow URLs like the ones we use while maybe being more straightforward to operate or debug.


... "In, as you say, the mud." ...


Copyright © 2002 - 2004 Regents of the University of Michigan :  Page last updated 15-December-2010