On Tue, Mar 30, 1999, [EMAIL PROTECTED] wrote:

>[...]
> > Sorry, I still don't understand the point here, too.  Why do you want that
> > other modules should be able to access the session ids in the session cache?
> 
> So that other modules may use the SSL session id as the key in their hash
> tables.
> 
> Let's say I want to write a module that authenticates users based on a
> challenge/response scheme like X9.9. In this scheme, roughly, a server
> calculates a random number and sends this random number to a user. The user
> DES encrypts this random number and sends the DES encrypted value back to
> the server along with a user id. The server then finds the key that is
> associated with this user id. The server then DES encrypts the random
> number with this key. If the DES encrypted value that the server calculates
> is the same as the DES encrypted value that the user sends, then the user
> is successfully authenticated based on the fact that the user and server
> must share the same key (secret).
> 
> The trick is to keep track of users who have already successfully
> authenticated themselves. You could use cookies, but these are highly
> spoofable. Or you could do something like require that SSL be used so you
> could associate the user id with the SSL session id somehow. This is the
> approach I'd like to be able to take.
> 
> Is this more clear?

Ahh, now I see your point. But are you sure the session cache is what you want
to use? There is _NO_ guarantee that the client actually resumes the session
and there is no guarantee that the server accepts resumptions. So, even when
you use the session ids as the keys you might get more than one authentication
per "logical access session". Nevertheless, when you want to use this you can
use mod_ssl's "ssl" EAPI context variable in the BUFF structure to access the
session id from your module. You don't need the shared memory session cache
for this.
                                       Ralf S. Engelschall
                                       [EMAIL PROTECTED]
                                       www.engelschall.com
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)  www.engelschall.com/sw/mod_ssl/
Official Support Mailing List               [EMAIL PROTECTED]
Automated List Manager                       [EMAIL PROTECTED]
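
Added example, not code from either poster or from mod_ssl: a sketch of the scheme discussed in this thread, a challenge/response login whose result is stored under the SSL session id, showing why a non-resumed session forces a second authentication. Assumptions: HMAC-SHA256 stands in for the DES encryption, `SessionAuth`, `respond` and `USER_KEYS` are hypothetical names, and session ids are constructed byte strings rather than values read from mod_ssl.

```python
import hashlib
import hmac
import secrets

# Constructed sample data (assumption): user id -> shared secret.
USER_KEYS = {"alice": b"constructed-shared-secret"}


def respond(key: bytes, challenge: bytes) -> bytes:
    """Client side: keyed transform of the server's random challenge.
    HMAC-SHA256 is swapped in for the DES step named in the thread."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


class SessionAuth:
    """Hypothetical per-server table keyed by SSL session id."""

    def __init__(self):
        self.pending = {}        # session id -> outstanding challenge
        self.authenticated = {}  # session id -> user id

    def challenge(self, session_id: bytes) -> bytes:
        nonce = secrets.token_bytes(16)
        self.pending[session_id] = nonce
        return nonce

    def verify(self, session_id: bytes, user: str, response: bytes) -> bool:
        # pop() makes every challenge single-use, so a captured
        # response cannot be replayed against the same session id.
        nonce = self.pending.pop(session_id, None)
        key = USER_KEYS.get(user)
        if nonce is None or key is None:
            return False
        if not hmac.compare_digest(respond(key, nonce), response):
            return False
        self.authenticated[session_id] = user
        return True

    def user_for(self, session_id: bytes):
        """Return the user bound to this session id, or None.
        None covers the case where the client did not resume its
        session and arrives with a new id: challenge it again."""
        return self.authenticated.get(session_id)
```

A caller treats `user_for()` returning `None` as "issue a new challenge", which is the "more than one authentication per logical access session" outcome described in the reply above.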
