DaveW
02-17-2006, 03:33 AM
I'd like some informed and informative advice. Can we avoid a descent into a pointless Perl vs PHP debate?
I'm looking to build a web application. I've got Perl experience and am interested in the CGI::Application framework. I've been looking at how to implement supporting services, e.g. security.
There is a security plugin available for this framework but I don't particularly want to mandate that everything has to be CGI; I may have a perfectly valid requirement for lots of static HTML pages. Also, I don't really want to embed security functionality within the application.
I was very interested in this article (enter the search string CGI::Application into Google and go to the first link shown, which should be "Using CGI::Application" at perl.com, apparently I can't yet paste a URL in here due to insufficient posts) and in particular the "Thoughts on Session and Security". I like what they say about the "Apache::Auth*" modules. Separation of the application and security and the ability to treat CGI and HTML resources the same way. Sounds good.
However, this needs mod_perl installed, which isn't widespread.
My mind turns to PHP, which I'm looking to get some experience in. I know that mod_php is more routinely installed and this exposes, for example, the Apache authentication variables to PHP. However, it seems I'd have to implement the PHP authentication code in every page. I'm back to square one. No separation between the application and security and now everything has to be a PHP page, whether it needs to be for non-security reasons or not.
Does anyone know of a way that I can get the best of both worlds? What I'd like to do is exploit PHP's visibility of the Apache security handling via mod_php but do it as an externally invoked security handler. I'd rather not go down the route of embedding this in all my pages.
Thanks
Dave
