On Wed 30 Jan 2008, titetluc titetluc wrote:
> This would mean that :
> . MySessionModuleVerifyCookie would be first called, verifying if the
> cookie is present and correct
> . If no cookie, then basic authent is requested
> . if basic authent ok, then MySessionModuleGenerateCookie generates a valid
> cookie

Sorry, but I haven't really understood what you are trying to achieve. I assume you understand the difference between authentication and authorization and how they work together. If not, try to figure that out first.

1) Perhaps you want to replace a specialized cookie named Authorization header with a general purpose cookie. (The Authorization header is nothing else than a specialized cookie.) This can easily be done by forging the Authorization header in a request phase that comes before (or even in) Auth if the general purpose cookie is there and correct. In a phase after Auth (like Fixup) you can then add your cookie if it is not there. Then all your documents would have to be secured by normal Auth-configuration. This can be done with Apache 1.3, 2.0 and 2.2.

2) If you are looking for a more general solution (which I believe you are) then for Apache 2.0+ have a look at the Auth*Authoritative directives, e.g. AuthBasicAuthoritative. Almost all Auth-modules implement such a directive. Your specialized-cookie-module would also have to implement one. Then you can chain Authentication-modules together. If an Authentication module is authoritative, it returns HTTP_UNAUTHORIZED if the user identity cannot be verified. If it is not authoritative, it returns DECLINED instead, passing the responsibility to the next authentication module.

3) With Apache 2.2 came authentication providers. They allow chaining different identity verification sources. But all of them are based on the same identity information that is passed in by the client (browser). Among Geoff's modules is one that provides a Perl interface to that.

Torsten
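
The authoritative/DECLINED behaviour from point 2, sketched as a mod_perl 2 authentication handler. This is an added example, not code from the thread or from any existing module; the package name, the PerlSetVar names (standing in for a real Authoritative directive) and the HMAC-signed cookie layout are all assumptions, and issuing the cookie after a successful Basic login is left out.

```perl
package My::SessionCookieAuthen;    # hypothetical module name
use strict;
use warnings;
use Apache2::RequestRec  ();        # headers_in, user, ap_auth_type
use Apache2::RequestUtil ();        # dir_config
use APR::Table ();                  # get() on the headers_in table
use Apache2::Const -compile => qw(OK DECLINED HTTP_UNAUTHORIZED);
use Digest::SHA qw(hmac_sha256_hex);

# Assumed httpd.conf wiring (PerlSetVar names are made up for this sketch):
#   PerlSetVar SessionCookieSecret        "<placeholder-secret>"
#   PerlSetVar SessionCookieAuthoritative Off
#   PerlAuthenHandler My::SessionCookieAuthen
# alongside the usual AuthType Basic / AuthName / Require valid-user.

sub handler {
    my $r      = shift;
    my $secret = $r->dir_config('SessionCookieSecret');
    my $user   = defined $secret
        ? verify_cookie($r->headers_in->get('Cookie'), $secret)
        : undef;
    if (defined $user) {
        $r->user($user);                    # identity for the authz phase
        $r->ap_auth_type('SessionCookie');
        return Apache2::Const::OK;
    }
    # Authoritative: refuse here. Otherwise hand over to the next module.
    my $auth = lc($r->dir_config('SessionCookieAuthoritative') // 'off');
    return $auth eq 'on' ? Apache2::Const::HTTP_UNAUTHORIZED
                         : Apache2::Const::DECLINED;
}

# Assumed cookie layout: session=<user>|<expiry epoch>|<hex HMAC-SHA256>
sub verify_cookie {
    my ($header, $secret) = @_;
    return undef unless defined $header;
    my ($value) = $header =~ /(?:^|;\s*)session=([^;\s]+)/ or return undef;
    my ($user, $expires, $mac) = split /\|/, $value, 3;
    return undef unless defined $mac && $user =~ /\A[\w.\@-]+\z/;
    return undef unless $expires =~ /\A\d+\z/ && $expires > time;
    my $want = hmac_sha256_hex("$user|$expires", $secret);
    return undef unless length($mac) == length($want);
    my $diff = 0;    # compare without an early exit on the first mismatch
    $diff |= ord(substr($mac, $_, 1)) ^ ord(substr($want, $_, 1))
        for 0 .. length($want) - 1;
    return $diff == 0 ? $user : undef;
}

1;
```

With the flag off, a missing, expired or tampered cookie yields DECLINED, so the request reaches the Basic authentication module; with it on, the same request is rejected with 401 by this handler.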