View on
MetaCPAN is shutting down
For details read Perl NOC. After June 25th this page will redirect to
Dave Rolsky > CatalystX-AuthenCookie > CatalystX::AuthenCookie



Annotate this POD

View/Report Bugs
Module Version: 0.02   Source  


CatalystX::AuthenCookie - Plugin for cookie-based authentication


version 0.02


  package MyApp;

  use Moose;
  extends 'Catalyst';
  with 'CatalystX::AuthenCookie';

  package MyApp::Controller;

  use Moose;
  BEGIN { extends 'Catalyst::Controller' }

  sub login {
      my $self = shift;
      my $c    = shift;

      $c->set_authen_cookie( value => { user_id => 1234 } );

  sub _check_login {
      my $self = shift;
      my $c    = shift;

      my $value = $c->authen_cookie_value();

      print $value->{user_id};

  sub logout {
      my $self = shift;
      my $c    = shift;



This plugin provides a few methods to help you implement a secure cookie-based implementation scheme. It does not interact with the Catalyst::Plugin::Authentication system, and expects that you will implement the actual logging in and out inside your controller code.

What it does provide is a few methods for setting a cookie and retrieving it later, along with some configuration of that cookie.

When it sets a cookie, it adds a MAC (Message Authentication Code) to the cookie. The MAC is based off of the cookie's values and a server-side secret you provide. This allows the plugin to verify that the cookie is valid when it receives it from the client on future requests, and prevents a malicious client from forging a user id. The cookie is still vulnerable to hijacking (as are most common web authentication mechanisms).


This class provides the following methods:

$c->set_authen_cookie( value => $value, expires => $expires )

This method takes a value and an optional expires parameter and sets a cookie based on those values, as well as this plugin's configuration.

The value parameter must be a hash reference. Presumably, it will contain something like a user id, which will allow you to identify the user on future requests.

The expires parameter is optional. If given, it should be something that CGI::Cookie can handle, like "+1d".

Also see the CONFIG section for more details on configuring the cookie.


This method removes the cookie from the client by sending a new cookie header with an expiration time in the past and an empty value.


This method returns a hash reference containing the value of the authentication cookie. This method simply returns false if there is no cookie or if the MAC is invalid.


The top-level configuration key for this plugin is "authen_cookie". Most of the configuration keys correspond to CGI::Cookie constructor parameters, and reading that module's documentation may be helpful. The follow config keys are available for this module:


This module does not provide a complete authentication solution, and will require some code on your side to tie things together.

Presumably, you want to be able to identify a user on each request and probably make a object from one of your model classes for that user. You also need to decide when to set and remove the cookie, presumably in your controller.

Here are some examples of each piece you might implement. First, a login action in your controller:

  package MyApp::Controller::User;

  sub login : Local {
      my $self = shift;
      my $c    = shift;

      my $email = $c->request()->param('email_address');
      my $pw    = $c->request()->param('password');

      my $user = MyApp::Model::User->new(
          email    => $email,
          password => $pw,

      if ( !$user ) {

          # login failed, do something to handle that

      my %expires;
      %expires = ( expires => '+1y' )
          if $c->request()->param('remember');

          value => { user_id => $user->user_id() },

      # redirect to some other page

One thing to note is that the user will not be retrievable from the cookie until the next request. If you always redirect after a form POST this isn't an issue, but for some apps it may be important.

The logout action is even simpler:

  package MyApp::Controller::User;

  sub logout : Local {
      my $self = shift;
      my $c    = shift;


      # redirect

Finally, we need a small plugin to retrieve the user from the cookie on request:

  package MyApp::AppRole::User;

  use strict;
  use warnings;

  use Moose::Role;

  has _user => (
      is  => 'rw',
      isa => 'MyApp::Mode::User',

  has _checked_cookie => (
      is  => 'rw',
      isa => 'Bool',

  sub user {
      my $self = shift;

      my $user = $self->_user();

      unless ( $user || $self->_checked_cookie() ) {
          $user = $self->_get_user_from_cookie();

      return $user;

  sub _get_user_from_cookie {
      my $self = shift;

      my $cookie = $self->authen_cookie_value();

      return unless $cookie && $cookie->{user_id};

      return MyApp::Model::User->new( user_id => $cookie->{user_id} );


Loading this plugin gives you a $c->user() method which fetches the user on demand. The _checked_cookie attribute is there to prevent us from checking for the cookie repeatedly when the cookie does not exist or reference a valid user. Another solution would be to return an object representing a guest user as a default.


Please report any bugs or feature requests to, or through the web interface at I will be notified, and then you'll automatically be notified of progress on your bug as I make changes.


Dave Rolsky <>


This software is Copyright (c) 2011 by Dave Rolsky.

This is free software, licensed under:

  The Artistic License 2.0 (GPL Compatible)
syntax highlighting: