httpd-dev mailing list archives

From Thomas Eckert <>
Subject make mod_auth_form tell you where the credentials came from
Date Tue, 03 Dec 2013 11:27:30 GMT
I have been having problems with mod_auth_form on returning DENIED from my
custom auth provider. This provider has its own module-local session
cache, where stuff like accessible paths, credentials and the like are
stored to avoid having to query an external (and expensive) authentication
daemon. Once such a session is accessed by the user browsing (e.g. with the
corresponding session cookie) I might need to invalidate the session (e.g.
time out). After failing the appropriate checks I would "return DENIED" but
this had an unpleasant drawback: If a user accessed the session by sending
the filled-in form (e.g. on a new device with no cookie) the code would
still return DENIED if the session was invalid for whatever reason. This
resulted in the user being shown the form again, even though the user just
filled in the form correctly.

This is how I solved the problem for me:

diff --git a/modules/aaa/mod_auth_form.c b/modules/aaa/mod_auth_form.c
index 28045b5..91df0c9 100644
--- a/modules/aaa/mod_auth_form.c
+++ b/modules/aaa/mod_auth_form.c
@@ -687,6 +687,18 @@ static int get_form_auth(request_rec * r,

+    /* We sometimes want to know whether the user credentials came from
the HTTP body (on form submit) or from the headers (e.g. cookie).
+       At this point we know the user credentials have not been fetched
from the headers but from the body. */
+    if (*sent_user && *sent_pw) {
+      /* always attach this note to the main request, so we can find it
again later */
+      request_rec* r_main = r;
+      while (r_main->main) {
+        r_main = r_main->main;
+      }
+      ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "got user credentials
from HTTP body");
+      apr_table_set(r_main->notes, "auth_form_credentials_source",
apr_pstrdup(r->pool, "body"));
+    }
     /* set the user, even though the user is unauthenticated at this point
     if (*sent_user) {
         r->user = (char *) *sent_user;
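Review bot: apr_table_set() already copies its value into the table's own pool, so the apr_pstrdup(r->pool, "body") in the added apr_table_set call is redundant, and allocating from r->pool while storing into r_main->notes is the wrong pool for a subrequest in any case; `apr_table_setn(r_main->notes, "auth_form_credentials_source", "body");` with the string literal is enough, and a #define for the note name would let providers and this module share one spelling. The note is also only set on the body path, so a provider cannot distinguish "credentials came from the headers/cookie" from "mod_auth_form did not run at all"; setting the same note with a different value on the header path would make the check unambiguous. Finally, the condition `if (*sent_user && *sent_pw)` is stricter than the following `if (*sent_user)` that sets r->user, so a form submitted with an empty password sets r->user but never records a credentials source; either align the two conditions or document the difference.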

Is there a better solution with existing means? If not I propose adding
the above in some way so that custom providers can work around the
described problem.
