httpd-modules-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Joe Lewis <>
Subject Re: Making mod_auth_digest mysql
Date Fri, 13 Feb 2009 00:58:46 GMT
Michele Waldman wrote:
> All the actual authentication if fine.  I wouldn't rely on cookies for
> security.  It sounds like cookies would be a "fake" security.
> I was thinking about creating a logout cookie.
> Then, the popup would only happen if the user hacked their cookies.
> Shame on them.
> But it seems like such a hack to me.  I dread it.
> I'm not seeing in your example how that 401 error would be generated.  What
> would the htaccess look like?

#AllowOverride AuthConfig
Order allow,deny
Allow from all

AuthName "Protected System"
AuthType Basic
AuthBasicProvider ldap
AuthzLDAPAuthoritative off
AuthLDAPUrl ldap://localhost/dc=localhost?mail?sub
AuthLDAPBindDN cn=directoryuser,dc=localhost
AuthLDAPBindPassword directoryuserpassword
AuthLDAPGroupAttribute memberuid
AuthCookieName VisitorID

require valid-user

ErrorDocument 401 /account/help/unauthorized.html
RewriteEngine on
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [L,R]


To document the file - the first stuff is actually for LDAP 
authentication, and mod_auth_cookie. The utility that sets the cookie 
never sets the cookie, on which the browser is supposed to remove it 
when closed. A log out is simply a cookie overwrite.

However, if you wish to demonstrate your apache module programming 
prowess, you can always create a mod_auth_cookie module that sets a 
SESSION variable, and then pulls the credentials from the session data 
rather than from a cookie - it can be as secure as anything out on the 
Internet today, depending on how you configure it to go. It can be as 
complex or as simple as you wish to make it. (I prefer simple - it's 
easier to troubleshoot if you have problems.)

Joe Lewis
Chief Nerd 	SILVERHAWK <> 	(801) 660-1900

/They give you a round bat and they throw a round ball. And tell you to 
hit it square.
-- Willie Stargell/

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message