The basic authorization logic for Movable Type is in the App.pm file. The run method checks whether the user is logged in and sets the cookie for future access. The actual DB query and check are done in the login method: run calls login to see whether the user is authenticated, either by an existing cookie or because the login prompt supplied the user name and password. If not, run generates the template so that on the next request the user name and password are available. On success, a cookie is created and sent to the browser. If the user clicked ‘Remember Me’, the cookie expiration is set 10 years in the future; otherwise it gets the default, which is until the browser is shut down.

  • The user_class is expected to be set by the subclass of MT::App that is performing the task.
  • The mt_user cookie is restricted to the MT CGI directory, so it can’t be used by scripts elsewhere.
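
The cookie behaviour described above (session versus ‘Remember Me’ lifetime, and restriction to the CGI directory) can be checked from the Set-Cookie header alone. The following is an added example, not Movable Type's own code: the CGI path, the cookie value, the helper names and the use of 3650 days for "10 years" are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime

CGI_PATH = "/cgi-bin/mt/"          # assumed install path, not from the page
TEN_YEARS = timedelta(days=3650)   # assumed approximation of "10 years"

def build_set_cookie(value, remember, now):
    """Build a Set-Cookie value for the two cases described above."""
    parts = [f"mt_user={value}", f"Path={CGI_PATH}"]
    if remember:  # 'Remember Me': persistent cookie with a far-future expiry
        parts.append("Expires=" + format_datetime(now + TEN_YEARS, usegmt=True))
    return "; ".join(parts)  # no Expires: cookie is dropped when the browser closes

def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, attributes)."""
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for item in rest:
        key, _, val = item.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, value, attrs

def lifetime(header, now):
    """Return None for a session cookie, else the time left until expiry."""
    attrs = parse_set_cookie(header)[2]
    if "expires" not in attrs:
        return None
    return parsedate_to_datetime(attrs["expires"]) - now

def path_match(request_path, cookie_path):
    """RFC 6265 section 5.1.4: does the browser send the cookie to this path?"""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False

if __name__ == "__main__":
    now = datetime.now(timezone.utc).replace(microsecond=0)
    for remember in (False, True):
        header = build_set_cookie("constructed-token", remember, now)
        print(header, "->", lifetime(header, now) or "session cookie")
    # Constructed request paths: one inside the CGI directory, one outside it.
    for path in ("/cgi-bin/mt/mt.cgi", "/cgi-bin/other/app.cgi"):
        print(path, "receives mt_user:", path_match(path, CGI_PATH))
```
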