Here's my proposal for authentication. I hope this will help with the anti-cookie people in the crowd. Note, after writing all this out, I found a module called mod_auth_tkt which apparently does most of the cookie part of this. Might be better to implement it ourselves, as it makes one less apache configuration problem on installation. 1. Every script calls a checkauth($query) routine before doing anything else. 2. checkauth() checks for a $ENV{'REMOTE_USERNAME'} environment variable. a. If one is set, assume that basic authentication of some sort is being used b. check that this user is allowed to be running this script. If not, print a warning page and exit (possibly redirect to library home page or somesuch?). c. return a zero value and the userid logged in and the script carries on. 3. checkauth() looks for the value of a sessionID cookie in the $query hash. a. If it doesn't find one: * present a log in screen where the user can enter a username and password. * The name of the original script and any query parameters are stored as hidden query params. * authentication script checks the entered username and password against a configurable authentication source (eg local mysql table, passwd file, ldap, pop server, you name it) and stores the sessionID, userid, remote ip address and lastcontact (current time) in the sessions database table. b. If it finds one: * look up the userid, ip address and lastcontact values from a database table (sessions) for this sessionID. If ip address is the same, and lastcontact is recent enough for this category of user (eg librarians might time out after 30 minutes, patrons after 5 minutes) then return a zero value, the userid logged in, and a cookie to be added to the HTML header and the script carries on. * If ip address is different, display a warning page and exit. (Note that this doesn't prevent the same user from logging in from two different ips simultaneously, as they would normally have different sessionIDs. It just protects (somewhat) against somebody hijacking the cookie and the session. * If lastcontact time has expired, remove the session from the sessions table and display a login screen (as in 3a above). Modifications to existing scripts consist of calling: my ($userid,$cookie)=checkauth() at the top of every script and changing: print $input->header; to if ($config->{'usecookieauth'}) { print $input->header(-cookie->$cookie); } else { print $input->header; } Steve.