<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<*>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
mod_auth_cookie_dbm / CookieDBMAuth
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<*>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
$Id: README,v 1.1.1.1 2005/09/15 12:45:42 b Exp $
This is the mod_auth_cookie_dbm cookie-lookup authentication module for the Apache HTTPD.
It was devised as a better replacement for the "Basic" authentication components that ship with Apache.
Classic "Basic" authentication has some downsides:
- Username and password are shipped across the net with every request.
- There is no concept of a "session" (nor of extras such as timeouts and automatic logout).
This module works as follows:
- It checks requests for a cookie, named in the CookieDBMAuthCookieName configuration directive.
- If found, the cookie value is looked up in a DBM database, named in the CookieDBMAuthFile directive.
- If the lookup fails, a redirect is made to the page specified in the CookieDBMAuthFailureURL directive.
- The DBM entry is expected to contain a username and optionally an expiry time. Fields are colon-separated; the expiry time is a spelled-out integer (the field gets passed to strtol()) representing the time_t
- If valid, the username is attached to the request, thus "emulating" Basic authentication.
- If expired, the request is redirected to the CookieDBMAuthFailureURL.
The CookieDBMAuthFailureURL typically points at a "login page" CGI script. This program, after checking the user's credentials, should make up a cookie value (preferably a long, cryptographically strong random string), enter it in the dbm file, and pass it to the browser. It might also update an AuthUserFile or AuthDBMUserFile database on the fly.
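An added sketch of both sides of this flow in Python (not code from the module or its distribution): the login page issuing a cookie value and storing a "username:expiry" entry, and a model of the lookup and expiry check described above. The function names, the 32-byte token size, and rejecting a malformed expiry field are assumptions of this example; `db` is any mapping with bytes keys and values, and a real DBM file must be written in whatever DBM flavour the module was built to read.

```python
import secrets
import time

TOKEN_BYTES = 32  # 256 bits from the OS CSPRNG; the size is this example's choice


def _now(now):
    return int(time.time()) if now is None else int(now)


def issue_session(db, username, ttl_seconds, now=None):
    """Login-page side: make a cookie value and store 'username:expiry' under it."""
    if not username or ":" in username:
        # Fields are colon-separated, so a colon in the name would shift them.
        raise ValueError("username must be non-empty and contain no ':'")
    token = secrets.token_urlsafe(TOKEN_BYTES)
    db[token.encode("ascii")] = f"{username}:{_now(now) + ttl_seconds}".encode("utf-8")
    return token  # send this to the browser as the cookie value


def check_cookie(db, cookie_value, now=None):
    """Module side, modelled: username on success, None means redirect to the failure URL."""
    try:
        entry = db[cookie_value.encode("ascii")]
    except (KeyError, UnicodeEncodeError):
        return None  # lookup failed
    username, sep, expiry = entry.decode("utf-8", "replace").partition(":")
    if not username:
        return None
    if not sep:
        return username  # the expiry field is optional
    if not (expiry.isascii() and expiry.isdigit()):
        return None  # assumption: a malformed expiry is treated as a failure
    return username if int(expiry) > _now(now) else None


def purge_expired(db, now=None):
    """Housekeeping: delete entries check_cookie would reject; returns how many."""
    stale = [k for k in list(db.keys())
             if check_cookie(db, k.decode("ascii", "replace"), now) is None]
    for k in stale:
        del db[k]
    return len(stale)
```

Running `purge_expired` periodically keeps expired cookie values from accumulating in the database.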
Acknowledgements
  This module was written from scratch, with some inspiration from the mod_auth_cookie_mysql and mod_auth_cookie_pgsql2 modules.

Where to find: http://www.medic.chalmers.se/~b/mod_auth_cookie_dbm

Contacts
  Bug reports, patches, comments etc. to b@chalmers.se
--
Magnus Bäckström Ringman <b@chalmers.se>
