"Ralf S. Engelschall" <[EMAIL PROTECTED]> writes:
> On Tue, Mar 30, 1999, [EMAIL PROTECTED] wrote:
>
> >[...]
> > > Sorry, I still don't understand the point here, too. Why do you want that
> > > other modules should be able to access the session ids in the session cache?
> >
> > So that other modules may use the SSL session id as the key in their hash
> > tables.
> >
> > Let's say I want to write a module that authenticates users based on a
> > challenge/response scheme like X9.9. In this scheme, roughly, a server
> > calculates a random number and sends this random number to a user. The user
> > DES encrypts this random number and sends the DES encrypted value back to
> > the server along with a user id. The server then finds the key that is
> > associated with this user id. The server then DES encrypts the random
> > number with this key. If the DES encrypted value that the server calculates
> > is the same as the DES encrypted value that the user sends, then the user
> > is successfully authenticated based on the fact that the user and server
> > must share the same key (secret).
> >
> > The trick is to keep track of users who have already successfully
> > authenticated themselves. You could use cookies, but these are highly
> > spoofable. Or you could do something like require that SSL be used so you
> > could associate the user id with the SSL session id somehow. This is the
> > approach I'd like to be able to take.
> >
> > Is this more clear?
>
> Ahh, now I see your point. But are you sure the session cache is what you want
> to use? There is _NO_ guarantee that the client actually resumes the session
> and there is no guarantee that the server accepts resumptions. So, even when
> you use the session ids as the keys you might get more than one authentication
> per "logical access session".

Yes. I would like to use the SSL session id. I am aware of its
disadvantages. But IMHO the advantages outweigh the disadvantages. One
question though, what is a real world, average duration for a particular
SSL session id?

> Nevertheless, when you want to use this you can
> use mod_ssl's "ssl" EAPI context variable in the BUFF structure to access the
> session id from your module. You don't need the shared memory session cache
> for this.

Yes. I know. Thanks. Sorry for not stating what I had in mind more clearly
the first time.

-Tom
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.engelschall.com/sw/mod_ssl/
Official Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
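
An added example, not part of the original thread and not mod_ssl code: a sketch of the table discussed above, keyed by SSL session id, with single-use challenges and an expiry, so that a client which does not resume its session misses the table and has to authenticate again. HMAC-SHA256 from the Python standard library stands in for the DES step of X9.9; `SessionAuthTable`, `respond`, `USER_KEYS` and `SESSION_TTL` are hypothetical names, and the session id is assumed to be handed over by the TLS layer.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample data: user id -> shared secret (hypothetical values).
USER_KEYS = {"tom": b"constructed-shared-secret"}
SESSION_TTL = 300  # seconds a binding stays valid (assumed policy)


def respond(key: bytes, challenge: bytes) -> bytes:
    """Client-side response. HMAC-SHA256 stands in for X9.9's DES step."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


class SessionAuthTable:
    """Maps SSL session id -> authenticated user id."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._pending = {}  # session id -> outstanding challenge
        self._authed = {}   # session id -> (user id, expiry time)

    def issue_challenge(self, session_id: bytes) -> bytes:
        challenge = secrets.token_bytes(16)
        self._pending[session_id] = challenge
        return challenge

    def verify(self, session_id: bytes, user_id: str, response: bytes) -> bool:
        # A challenge is single-use: drop it whether or not the check passes.
        challenge = self._pending.pop(session_id, None)
        key = USER_KEYS.get(user_id)
        if challenge is None or key is None:
            return False
        # Constant-time comparison of the expected and received responses.
        if not hmac.compare_digest(respond(key, challenge), response):
            return False
        self._authed[session_id] = (user_id, self._clock() + SESSION_TTL)
        return True

    def authenticated_user(self, session_id: bytes):
        entry = self._authed.get(session_id)
        if entry is None:
            return None  # new or non-resumed session: re-authenticate
        user_id, expiry = entry
        if self._clock() >= expiry:
            del self._authed[session_id]
            return None
        return user_id
```
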