Hi Phil,
A while back I wrote a auth wrapper which used a MD5 hash inside a
cookie to determine if the user was authenticated. If the cookie was
invalid or not present it would fall back to the regular auth method (in
your case a DB hit).
It also had a bit which sat just after the authentication section which
would create the cookie on successful authentication.
If you would like I could see if I can find this.. I don't think I
actually made use of it after I wrote it ;(
Phil Endecott wrote:
Dear All,
First of all, congratulation on the release of 2.2.
I use mod_auth_pgsql at http://anyterm.org/my.html, and found a problem
earlier in the year. To get reasonable performance you need to use the
module's caching mechanism, but this cache is not flushed or updated
when the database changes. So things don't work properly when the user
changes their password.
I started to think about fixing it myself but quickly realised that both
the database and authentication frameworks were changing in 2.1+ and
decided to wait before doing anything. I now see that 2.2 has
mod_auth[nz]_dbd - great!
However, as far as I can see from
http://httpd.apache.org/docs/2.2/mod/mod_authn_dbd.html and the source,
this new module doesn't do any caching. Is this true? To get the sort
of performance that I need for my site I really need in-memory caching
of passwords, but I also need to solve mod_auth_pgsql's non-updating
problem. The solution to this is to use PostgreSQL's asynchronous
notification mechanism: the module issues a "LISTEN" command and is then
notified when the password table changes. I don't know if the APR DB
interface has any support for this (it doesn't seem to be documented at
all at http://apr.apache.org/docs/apr-util/modules.html); even if it
does, it is not portable to other databases.
Has anyone looked at this? If no-one is working on this and you think
it would be a useful feature to add, I may be able to write something
with a bit of help.
Cheers,
--Phil.