Re: Summary: [apache-modules] Session/Cookie-Based Authentication Library
On Sun, 2005-09-25 at 18:45 +0300, Eli Marmor wrote: > If anybody else has anything to add about the differences between these > library, or even about another library which does the work, please > speak now or forever hold your peace ;-) (just kidding...) Only because of the "forever hold your peace" bit... :-) Yours truly has written mod_spin (and this is therefore a shameless plug), which can also be used for such a purpose in conjunction with one of its applications, spin_auth. For now (as of version 1.0.10), only pages that are mod_spin templates can be authenticated using this code. New development code (unreleased mod_spin 1.1.0) can provide authentication for any URL. The whole thing is based on regular Apache basic authentication, so whatever Apache supports, this supports. One creates a URL that is going to be the authentication point and if the user gets in, this is recorded in the session file (this can be shared between servers if you have a clustered file system like GFS). This authentication can be over SSL/TLS (i.e. to prevent basic authentication being ripped to shreds), although the site can be a plain HTTP site. The cookie is base on mod_unique_id, but it is accompanied by an MD5 digest of itself and a salt (at least 30 characters) defined in the configuration file. The salts can be periodically rotated by an external script to further strengthen the digest. This requires a graceful restart of the server (which can be, of course, done under load - compliments of Apache developer :-). How good/bad and how (in)secure this whole thing is, you will have to judge for yourself, as this is not really a community project, but my own little concoction. The code is licensed under the GPL with exception to link with Apache and libapreq2. -- Bojan
Re: Summary: [apache-modules] Session/Cookie-Based Authentication Library
Eli Marmor wrote: As for the long run, I plan to write my own piece of code, based on libapreq2; I plan to open it, of course. Meanwhile, I want to thank Ian and Reginald for their generous help! I've seen lots of people ask for this. It might not be bad idea to make a libapreq2-util code base for things like this that depends on libapreq2. Similiar to the apr, apr-util setup ? I guess that would go in: asf/httpd/apreq-util/trunk ? -- END What doesn't kill us can only make us stronger. Nothing is impossible. Philip M. Gollucci ([EMAIL PROTECTED]) 301.254.5198 Consultant / http://p6m7g8.net/Resume/ Senior Developer / Liquidity Services, Inc. http://www.liquidityservicesinc.com http://www.liquidation.com http://www.uksurplus.com http://www.govliquidation.com http://www.gowholesale.com
Summary: [apache-modules] Session/Cookie-Based Authentication Library
[cross posting to two mailing lists] So far I've received two recommendations about a C library to help authenticate users based on cookies (and optionally IP/URL/etc.): Reginald De Crombrugghe recommended mod_auth_tkt (one of the libraries which were mentioned in my original question), and Ian Holsman (core developer of Apache httpd) recommended mod_auth_mda. There are many alternatives, but the amazing point that I found out immediately after looking at these two libraries, was that they are a fork of the same base (which was called mod_auth_tkt). Meanwhile, since the fork, both have added features and changes, so I'll have to investigate these changes and adopt the better one. By the way, both support only cookies based sessions. If anybody else has anything to add about the differences between these library, or even about another library which does the work, please speak now or forever hold your peace ;-) (just kidding...) As for the long run, I plan to write my own piece of code, based on libapreq2; I plan to open it, of course. Meanwhile, I want to thank Ian and Reginald for their generous help! -- Eli Marmor [EMAIL PROTECTED] Netmask (El-Mar) Internet Technologies Ltd. __ Tel.: +972-9-766-1020 8 Yad-Harutzim St. Fax.: +972-9-766-1314 P.O.B. 7004 Mobile: +972-50-5237338 Kfar-Saba 44641, Israel