httpd-modules-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Joe Lewis <>
Subject Re: Making mod_auth_digest mysql
Date Fri, 13 Feb 2009 00:25:28 GMT
Michele Waldman wrote:
> It is different that just authenticating.
> Due to an htaccess authentication implementation, it requires a work around
> to prevent those pesky popups the browsers produce.
> I'm trying to do a spin on this:
> Implementing the mod_auth_digest authenticating against mysql was all part
> of this.
> Michele

Sounds like you :
a) have your work cut out for you
b) can perform the task easily using pre-existing modules.

Problem 1 : If it is the "popup" login that you are trying to avoid, you 
can't by switching to "digest" instead of "basic" authentication. The 
only way around this is to inject the headers into the authentication on 
the SERVER side. An example module doing this is mod_auth_cookie, which 
takes a Cookie header (e.g. set by a PHP script) and converts it into 
the user credentials as if the browser had submitted basic authentication.

Problem 2 : Getting the popup if the browser didn't send the credentials 
(or the cookie as it would inject those credentials for the 
authentication). The way around this is to simply redirect to the 
"login" page that will "set the cookie" (or whatever you are using to 
inject the credentials into the incoming headers). This is a 
configuration side :

ErrorDocument 401 /login.jsp

Do not do a full URL redirect, as this will send the redirect back to 
the browser. A local URL redirect should allow the page to send contents 
back (e.g. a login form).

Let me try walking through an example using mod_auth_mysql, 
mod_auth_cookie, and PHP. The user opens their browser for the first 
time, and types in the website into the location bar. Browsing down into 
the side, they hit a page that is a protected resource according to 
apache. The ErrorDocument 401 kicks in using the local URI (which 
actually causes apache to create a sub-request to the local URI and 
returns the information), and returns a PHP login page. Filling out the 
form, and clicking submit, (remember, this will submit to what the PHP 
login page said to in the <form> tags), the PHP script sets a Login 
cookie, and sends a Location: header back to the browser telling it to 
bounce back to the original web page that was requested. (The PHP 
scripts would keep track of the Referer when it was hit, and just 
redirect back to it). At that point, the browser re-requests the page, 
but this time it submits the Login cookie. mod_auth_cookie recognizes 
the cookie, and injects the users credentials in the form of a Basic 
authentication, and passes control back to Apache. Apache then calls the 
mod_auth_mysql module, which verifies against the configured table. If 
it is wrong, it rejects the credentials and starts the ErrorDocument 401 
process again. If it is right, the page is allowed. And no pesky 
authentication dialog box. And the cookie can be set site wide. And 
still hide things that should be protected from the user.

Is that as clear as mud?
Joe Lewis
Chief Nerd 	SILVERHAWK <> 	(801) 660-1900

/Never invoke the gods unless you really want them to appear. It annoys 
them very much.
--G.K. Chesterton/

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message