httpd-users mailing list archives

From "Jeff Kilbride" <j...@kilbride.com>
Subject Re: [users@httpd] mod_auth_dbmcookie.so (help!)
Date Sat, 03 Nov 2007 06:14:58 GMT
I haven't been using it very long, so I'm still kind of figuring out what
the config directives do. Here's an example config and I'll try to explain
my understanding of each one. Unfortunately, I don't have the source (that I
can find, yet...) or any docs for this module, so I don't know if this is a
comprehensive list:

AuthPassiveEnable On
AuthPassiveCookieUserName USER
AuthPassiveCookiePassName PASS
AuthPassiveCookieBackURL BackURL
AuthPassiveLoginURL /auth/login.php
AuthPassiveDBMSessFile /var/log/apache/session/session.db
AuthPassiveGroups group1

Notice the "Passive" in all the directives. The point of this module is to
allow passive access by bypassing the login page using cookies, once the
surfer has been initially authenticated. This makes it very easy to
implement a "remember me" check box on your login form. Depending on how
long you store the cookies, the user could potentially come back several
days later and still bypass having to enter login information. Obviously,
there are security concerns, but you can control how long the cookies remain
valid and also provide a "log out" link for the user to manually delete the
cookies and force a login the next time around. Here is my understanding of
the directives:

AuthPassiveEnable
Obviously used to enable/disable the module.

AuthPassiveCookieUserName
The name of the cookie used to store username information.

AuthPassiveCookiePassName
The name of the cookie used to store md5 hashed password information.

AuthPassiveCookieBackURL
The name of the cookie containing the protected URL the surfer was trying to
access. The module sets this before redirecting to the login URL, so you can
easily send the surfer back to the same protected URL after authenticating.

AuthPassiveLoginURL
The URL the surfer is redirected to for authentication. This is my favorite
aspect of this module. It allows you to specify a custom login page, rather
than the popup dialog box used by basic authentication. It gives you full
.htaccess style directory protection with a custom login page that's very
easy to implement.

AuthPassiveDBMSessFile
The path to the dbm file holding user/pass/group data used by the "passive"
login mechanism.

AuthPassiveGroups
A list of required groups for authentication.

Right now, I store user/pass/group info in a database and load that info
into the dbm file when the user logs in via the custom login form. The
arbitrary dbm key is stored in a cookie called SESSION. I use a 32 char
random string for my dbm key/SESSION cookie value. The dbm value consists
of:

username,md5password,groupname,timestamp

So, with the sample config above, the module uses the SESSION, USER, and
PASS cookies to implement the passive authentication. However, it would be
nice to just skip the dbm file altogether and have the module authenticate
directly against the database. I wish mod_auth_mysql implemented some of
these config options.

Anyway, the more I play with it, the more I like it. It makes setting up a
custom login page with "remember me" capability really easy. I just wish I
could find the source or, at least, some documentation. I dabble in C, but
I'm not a great C programmer. I've played with apache modules using
mod_perl, but have never tried writing one in C. I don't know if decompiling
the .so file would produce anything useful. If anyone is interested, I'm
more than willing to share the .so file and help reverse engineer it. I'm
currently running apache 1.3.33 on Debian sarge. Here's the top of my apache
version info:

Server version: Apache/1.3.33 (Debian GNU/Linux)
Server built:   Aug 27 2006 16:34:48
Server's Module Magic Number: 19990320:16

I'm just afraid that when I eventually upgrade apache, I'm going to lose the
capabilities of this module. I think it has the potential to be pretty
popular, once people learn what it can do -- especially if it's paired with
database capabilities like mod_auth_mysql offers.

Thanks,
--jeff
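The dbm-backed session scheme described above (random 32-char SESSION key, record of username,md5password,groupname,timestamp, checked against AuthPassiveGroups and aged out for "remember me"), worked through as an added example; this is not part of the original post or the module's code. It assumes Python's dbm module (the on-disk flavour must match the one Apache was built against), a constructed 7-day lifetime, and leaves out the HTTP cookie handling the login page would do.

```python
import dbm
import hashlib
import os
import secrets
import tempfile
import time

# Assumed "remember me" lifetime; the post gives no value, this one is constructed.
SESSION_MAX_AGE = 7 * 24 * 3600


def temp_db_path():
    """Fresh dbm path for stand-alone runs; the real file is the one named by
    AuthPassiveDBMSessFile (e.g. /var/log/apache/session/session.db)."""
    return os.path.join(tempfile.mkdtemp(), "session.db")


def create_session(db_path, username, password, group, now=None):
    """Store username,md5password,groupname,timestamp under a random
    32-char key and return that key (the SESSION cookie value)."""
    now = int(time.time()) if now is None else now
    key = secrets.token_hex(16)  # 32 hex chars, 128 bits of randomness
    md5pass = hashlib.md5(password.encode()).hexdigest()  # the layout the module expects
    record = f"{username},{md5pass},{group},{now}"
    with dbm.open(db_path, "c") as db:
        db[key.encode()] = record.encode()
    return key


def check_session(db_path, key, required_groups, now=None, max_age=SESSION_MAX_AGE):
    """Return the username when the SESSION key maps to a fresh record whose
    group satisfies AuthPassiveGroups; otherwise None, i.e. send to the login URL."""
    now = int(time.time()) if now is None else now
    with dbm.open(db_path, "c") as db:
        raw = db.get(key.encode())
    if raw is None:
        return None
    username, _md5pass, group, stamp = raw.decode().split(",", 3)
    if now - int(stamp) > max_age:  # stale "remember me" cookie: force a real login
        return None
    if group not in required_groups:
        return None
    return username


def destroy_session(db_path, key):
    """The "log out" link: drop the record so a cookie the browser still
    presents no longer authenticates anyone."""
    with dbm.open(db_path, "c") as db:
        if key.encode() in db:
            del db[key.encode()]
            return True
    return False
```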


>
> I'm not sure I understand what it does, could you elaborate?
>
> If it's that useful maybe you should contact the Apache people and share it?
>
> At 03:05 PM 11/2/2007, you wrote:
>>Thanks, Nick.
>>
>>Unfortunately, it actually works quite well. I was hoping to continue using
>>it after upgrading. It has a nice feature that allows you to specify a login
>>URL, rather than using the basic popup box. I haven't looked around
>>recently, but are there any other mod_auth modules that have a login URL
>>configuration directive like this?
>>
>>--jeff


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

